#### DMCA

## Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer (1997)

### Cached

### Download Links

- [www.tcs.ifi.lmu.de]
- [www.hep.princeton.edu]
- [www.csee.wvu.edu]
- [www.csee.wvu.edu]
- [arxiv.org]
- [www.signallake.com]
- [www.math.unl.edu]
- [cs.simons-rock.edu]
- [arxiv.org]
- [www.math.unl.edu]
- [www.matha.mathematik.uni-dortmund.de]
- [www.cs.dartmouth.edu]
- [www.ennui.net]
- [www.codiciel.fr]
- [www.cs.fsu.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | SIAM J. on Computing |

Citations: | 1254 - 4 self |

### Citations

3811 | A Method for obtaining Digital Signatures and Public Key Cryptosystems - Rivest, Shamir, et al. - 1978 |

1090 | Algorithms for quantum computation: discrete logarithms and factoring."
- Shor
- 1994
(Show Context)
Citation Context ...ndard fast Fourier transform (FFT) algorithm [Knuth 1981] adapted for a quantum computer; the following description of it follows that of Ekert and Jozsa [1996]. In the earlier version of this paper [=-=Shor 1994-=-], we gave a construction for Aq when q was in the special class of smooth numbers having only small prime power factors. In fact, Cleve [1994] has shown how to construct Aq for all smooth numbers q w... |

935 |
Quantum Theory: Concepts and methods
- Peres
- 1995
(Show Context)
Citation Context ...|Si〉. Thus, looking at the machine during the computation will invalidate the rest of the computation. General quantum mechanical measurements, i.e., POVMs (positive operator valued measurement, see [=-=Peres 1993-=-]), can be considerably more complicated than the case of projection onto the canonical basis to which we restrict ourselves in this paper. This does not greatly restrict our model of computation, sin... |

845 | Quantum theory, the Church-Turing principle and the universal quantum computer
- Deutsch
- 1985
(Show Context)
Citation Context ...nally studied by Yao [1993] and is closely related to the quantum computational networks discussed by Deutsch [1989]. For other models of quantum computers, see references on quantum Turing machines [=-=Deutsch 1985-=-; Bernstein and Vazirani 1993; Yao 1993] and quantum cellular automata [Feynman 1986; Margolus 1986, 1990; Lloyd 1993; Biafore 1994]. If they are allowed a small probability of error, quantum Turing m... |

632 |
Logical reversibility of computation
- Bennett
- 1973
(Show Context)
Citation Context ..., a deterministic computation is performable on a quantum computer only if it is reversible. Luckily, it has already been shown that any deterministic computation can be made reversible [Lecerf 1963; =-=Bennett 1973-=-]. In fact, reversible classical gate arrays (or reversible acyclic circuits) have been studied. Much like the result that any classical computation can be done using NAND gates, there are also univer... |

590 | Simulating physics with computers - Feynman - 1982 |

570 | Quantum complexity theory
- Bernstein, Vazirani
- 1997
(Show Context)
Citation Context ...by Yao [1993] and is closely related to the quantum computational networks discussed by Deutsch [1989]. For other models of quantum computers, see references on quantum Turing machines [Deutsch 1985; =-=Bernstein and Vazirani 1993-=-; Yao 1993] and quantum cellular automata [Feynman 1986; Margolus 1986, 1990; Lloyd 1993; Biafore 1994]. If they are allowed a small probability of error, quantum Turing machines and quantum gate arra... |

473 |
An Introduction to the Theory of
- Hardy, Wright
- 1954
(Show Context)
Citation Context ...ey are all 1, then r is odd and r/2 does not exist; if they are all equal and larger than 1, then xr/2 ≡−1 (mod p αi i ) for every i, soxr/2 ≡−1 (mod n). By the Chinese remainder theorem [Knuth 1981; =-=Hardy and Wright 1979-=-, Theorem 121], choosing an x (mod n) at random is the same as choosing for each i anumberxi(mod p αi i ) at random, where x ≡ xi (mod p αi i ). The multiplicative group (mod pα ) for any odd prime po... |

439 | Rapid solution of problems by quantum computation - Deutsch - 1992 |

427 | On the power of quantum computation - Simon - 1994 |

377 | Strengths and weaknesses of quantum computing
- Bennett, Bernstein, et al.
- 1997
(Show Context)
Citation Context ...gorithms for solving these problems on a quantum computer would be a momentous discovery. There are some weak indications that quantum computers are not powerful enough to solve NP-complete problems [=-=Bennett et al. 1997-=-], but I do not believe that this potentiality should be ruled out as yet. Acknowledgments. I would like to thank Jeff Lagarias for finding and fixing a critical error in the first version of the disc... |

367 | An unsolvable problem of elementary number theory - Church - 1936 |

322 |
Scheme for reducing decoherence in quantum computer memory
- Shor
- 1995
(Show Context)
Citation Context ...e out more complicated ways of reducing inaccuracy or decoherence using software. In fact, some progress in the direction of reducing inaccuracy [Berthiaume, Deutsch, and Jozsa 1994] and decoherence [=-=Shor 1995-=-] has already been made. The result of Bennett et al. [1996] that quantum bits can be faithfully transmitted over a noisy quantum channel gives further hope that quantum computations can similarly be ... |

320 |
Conservative logic
- Fredkin, Toffoli
- 1982
(Show Context)
Citation Context ...ike the result that any classical computation can be done using NAND gates, there are also universal gates for reversible computation. Two of these are Toffoli gates [Toffoli 1980] and Fredkin gates [=-=Fredkin and Toffoli 1982-=-]; these are illustrated in Table 3.1. The Toffoli gate is just a doubly controlled NOT, i.e., the last bit is negated if and only if the first two bits are 1. In a Toffoli gate, if the third input bi... |

286 | Quantum computational networks - Deutsch - 1989 |

274 | Elementary gates for quantum computation - Barenco, Bennett, et al. - 1995 |

250 |
Riemann’s hypothesis and tests for primality.
- Miller
- 1976
(Show Context)
Citation Context ...nt x in the multiplicative group (mod n); that is, the least integer r such that xr ≡ 1 (mod n). It is known that using randomization, factorization can be reduced to finding the order of an element [=-=Miller 1976-=-]; we now briefly give this reduction. To find a factor of an odd number n, given a method for computing the order r of x, choose a random x (mod n), find its order r, and compute gcd(xr/2 − 1,n). Her... |

245 | Introduction to the theory of numbers - Fifth edition - Hardy, Wright - 1984 |

215 | New lower-bound techniques for robot motion-planning problems - Canny, Reif - 1987 |

213 | Quantum computations with cold trapped ions - Cirac, Zoller - 1995 |

206 |
Multiplication of multidigit numbers on automata, Soviet Phys
- Karatsuba, Ofman
- 1963
(Show Context)
Citation Context ...hoice for small numbers. There are also multiplication algorithms which have asymptotic efficiencies between these two algorithms and which are superior for intermediate length numbers [Karatsuba and =-=Ofman 1962-=-; Knuth 1981; Schönhage, Grotefeld, and Vetter 1994]. It is not clear which algorithms are best for which size numbers. While this is known toPRIME FACTORIZATION ON A QUANTUM COMPUTER 1495 some exten... |

192 |
Reversible computing
- Toffoli
- 1980
(Show Context)
Citation Context ...rcuits) have been studied. Much like the result that any classical computation can be done using NAND gates, there are also universal gates for reversible computation. Two of these are Toffoli gates [=-=Toffoli 1980-=-] and Fredkin gates [Fredkin and Toffoli 1982]; these are illustrated in Table 3.1. The Toffoli gate is just a doubly controlled NOT, i.e., the last bit is negated if and only if the first two bits ar... |

179 | Two-bit gates are universal for quantum computation
- DiVincenzo
- 1995
(Show Context)
Citation Context ...e possible within the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; =-=DiVincenzo 1995-=-; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; ... |

169 |
Elementary gates for quantum computation,” Phys
- Barenco, Bennett, et al.
- 1995
(Show Context)
Citation Context ...s. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; =-=Barenco et al. 1995-=-b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; Palma, Suominen, and Ekert 1996]. The most difficu... |

151 | Purification of noisy entanglement and faithful teleportation via noisy channels - Bennett, Brassard, et al. - 1996 |

138 | The computer as a physical system: A microscopic quantum mechanical Hamiltonian model of computers as represented by Turing machines - Benioff - 1980 |

120 | V.STRASSEN: Schnelle Multiplikation grosser Zahlen - SCHÖNHAGE - 1971 |

115 | Oracle quantum computing - Berthiaume, Brassard - 1994 |

97 |
Time/space trade-offs for reversible computation
- Bennett
- 1989
(Show Context)
Citation Context ...e, then making it reversible in this manner will result in a large increase in the space required. There are methods that do not use as much space, but use more time, to make computations reversible [=-=Bennett 1989-=-, Levine and Sherman 1990]. While there is no general method that does not cause an increase in either space or time, specific algorithms can sometimes be made reversible without paying a large penalt... |

94 | An approximate Fourier transform useful in quantum factoring - Coppersmith - 1964 |

91 | Universality in quantum computation - Deutsch, Barenco, et al. - 1995 |

88 | Quantum mechanical hamiltonian models of turing machines - Benioff - 1982 |

86 | Discrete logarithms in GF(p) using the number field sieve
- Gordon
- 1993
(Show Context)
Citation Context ...number theory problems which have been studied extensively but for which no polynomial-time algorithms have yet been discovered are finding discrete logarithms and factoring integers [Pomerance 1987, =-=Gordon 1993-=-, Lenstra and Lenstra 1993, Adleman and McCurley 1994]. These problems are so widely believed to be hard that several cryptosystems based on their difficulty have been proposed, including the widely u... |

82 |
A potentially realizable quantum computer
- Lloyd
- 1993
(Show Context)
Citation Context ...r, although it seems as though it might be possible within the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; =-=Lloyd 1993-=-, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landaue... |

78 | The number field sieve
- Lenstra, Manasse, et al.
- 1993
(Show Context)
Citation Context ...eman 1994]. This has resulted in a great improvement in the efficiency of factoring algorithms. Currently the best factoring algorithm, both asymptotically and in practice, is the number field sieve [=-=Lenstra et al. 1990-=-, Lenstra and Lenstra 1993], which in order to factor an integer n takes asymptotic running time exp(c(log n) 1/3 (log log n) 2/3 ) for some constant c. Since the input n is only log n bits in length,... |

74 | Quantum cryptanalysis of hidden linear functions - Boneh, Lipton - 1995 |

59 |
Quantum computations with cold trapped ions,” Phys
- Cirac, Zoller
- 1995
(Show Context)
Citation Context ...ms as though it might be possible within the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; =-=Cirac and Zoller 1995-=-; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chu... |

53 | The quantum challenge to structural complexity theory - Berthiaume, Brassard - 1992 |

51 | Parallel quantum computation - Margolus - 1990 |

51 | Mainraining coherence in quantum computers - Unruh - 1995 |

41 | The complexity of analog computation - Vergis, Steiglitz, et al. - 1986 |

40 | Fast Algorithms: A Multitape Turing Machine Implementation - Schönhage, Grotefeld, et al. - 1994 |

37 | Is quantum mechanically coherent computation useful - Landauer - 1995 |

33 |
Maintaining coherence in quantum computers”, Phys
- Unruh
- 1995
(Show Context)
Citation Context ...and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; =-=Unruh 1995-=-; Chuang et al. 1995; Palma, Suominen, and Ekert 1996]. The most difficult obstacles appear to involve the decoherence of quantum superpositions through the interaction of the computer with the enviro... |

31 | Machine models and simulations - Boas - 1990 |

30 | Open problems in number-theoretic complexity ii
- Adleman, McCurley
- 1994
(Show Context)
Citation Context ...studied extensively but for which no polynomial-time algorithms have yet been discovered are finding discrete logarithms and factoring integers [Pomerance 1987, Gordon 1993, Lenstra and Lenstra 1993, =-=Adleman and McCurley 1994-=-]. These problems are so widely believed to be hard that several cryptosystems based on their difficulty have been proposed, including the widely used RSA public key cryptosystem developed by Rivest, ... |

30 | An Approximate Fourier Transform Useful - Coppersmith - 1994 |

29 |
Conditional Quantum Dynamics and Logic
- Barenco, Deutsch, et al.
- 1995
(Show Context)
Citation Context ...s. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; =-=Barenco et al. 1995-=-b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; Palma, Suominen, and Ekert 1996]. The most difficu... |

29 |
A note on Bennett's time-space tradeoff for reversible computation
- Levine, Sherman
- 1990
(Show Context)
Citation Context ... it reversible in this manner will result in a large increase in the space required. There are methods that do not use as much space, but use more time, to make computations reversible [Bennett 1989, =-=Levine and Sherman 1990-=-]. While there is no general method that does not cause an increase in either space or time, specific algorithms can sometimes be made reversible without paying a large penalty in either space or time... |

25 | Precision-sensitive Euclidean shortest path in 3-space - Choi, Sellen, et al. - 1995 |

25 |
Asymptotically fast algorithms for the numerical multiplication and division of polynomials with complex coefficients
- Schönhage
- 1982
(Show Context)
Citation Context ...nd multiplications of l-bit numbers (mod n). Asymptotically, the best classical result for gate arrays for multiplication is the Schönhage–Strassen algorithm [Schönhage and Strassen 1971, Knuth 1981, =-=Schönhage 1982-=-]. This gives a gate array for integer multiplication that uses O(l log l log log l) gates to multiply two l-bit numbers. Thus, asymptotically, modular exponentiation requires O(l2 log l log log l) ti... |

24 |
rigorous factorization and discrete logarithm algorithms
- Pomerance
- 1987
(Show Context)
Citation Context ...this paper. Two number theory problems which have been studied extensively but for which no polynomial-time algorithms have yet been discovered are finding discrete logarithms and factoring integers [=-=Pomerance 1987-=-, Gordon 1993, Lenstra and Lenstra 1993, Adleman and McCurley 1994]. These problems are so widely believed to be hard that several cryptosystems based on their difficulty have been proposed, including... |

23 |
Machines de Turing r'eversibles. R'ecursive insolubilit'e en n 2 N de l"equation u
- Lecerf
- 1963
(Show Context)
Citation Context ...m computation, a deterministic computation is performable on a quantum computer only if it is reversible. Luckily, it has already been shown that any deterministic computation can be made reversible [=-=Lecerf 1963-=-; Bennett 1973]. In fact, reversible classical gate arrays (or reversible acyclic circuits) have been studied. Much like the result that any classical computation can be done using NAND gates, there a... |

22 | Quantum computers, factoring and decoherence
- Chuang, Laflamme, et al.
- 1995
(Show Context)
Citation Context ...995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; =-=Chuang et al. 1995-=-; Palma, Suominen, and Ekert 1996]. The most difficult obstacles appear to involve the decoherence of quantum superpositions through the interaction of the computer with the environment, and the imple... |

22 | On the power of multiplication in random access machines - Hartmanis, Simon - 1974 |

21 | Efficient networks for quantum factoring, Phys - Beckman, Chari, et al. - 1996 |

20 | Digital simulation of analog computation and Church's thesis - Rubel - 1989 |

20 | Conditional quantum dynamics and logic gates - Barenco, Deutsch, et al. - 1995 |

19 | Simulating physics with computers,” Internat - Feynman - 1982 |

18 | Simple quantum computer,” Phys - Chuang, Yamamoto - 1995 |

17 | K A and Ekert A K - Palma, Suominen - 1996 |

17 | Realizable universal quantum logic gates - Sleator, Weinfurter - 1995 |

15 |
Schnelle Multiplikation grosser
- Schönhage, Strassen
- 1971
(Show Context)
Citation Context ...t numbers, this requires O(l) squarings and multiplications of l-bit numbers (mod n). Asymptotically, the best classical result for gate arrays for multiplication is the Schönhage–Strassen algorithm [=-=Schönhage and Strassen 1971-=-, Knuth 1981, Schönhage 1982]. This gives a gate array for integer multiplication that uses O(l log l log log l) gates to multiply two l-bit numbers. Thus, asymptotically, modular exponentiation requi... |

14 | personal communication - Odlyzko - 1995 |

13 | A note on computing Fourier transforms by quantum programs," preprint - Cleve - 1994 |

13 |
Quantum mechanical computers, Found
- Feynman
- 1986
(Show Context)
Citation Context ...orks discussed by Deutsch [1989]. For other models of quantum computers, see references on quantum Turing machines [Deutsch 1985; Bernstein and Vazirani 1993; Yao 1993] and quantum cellular automata [=-=Feynman 1986-=-; Margolus 1986, 1990; Lloyd 1993; Biafore 1994]. If they are allowed a small probability of error, quantum Turing machines and quantum gate arrays can compute the same functions in polynomial time [Y... |

13 |
Almost any quantum logic gate is universal”, preprint
- Lloyd
- 1994
(Show Context)
Citation Context ...nzo 1995; Sleator and Weinfurter 1995; Chuang and Yamomoto 1995]. While general n-bit transformations can always be built out of two-bit transformations [DiVincenzo 1995; Sleator and Weinfurter 1995; =-=Lloyd 1995-=-; Deutsch, Barenco, and Ekert 1995], the number required will often be exponential in n [Barenco et al. 1995a]. Thus, the set of two-bit transformations form a set of building blocks for quantum circu... |

12 | The stabilisation of quantum computations - Berthiaume, Deutsch, et al. - 1994 |

12 |
Shor’s quantum algorithm for factorising numbers
- Ekert, Jozsa
- 1996
(Show Context)
Citation Context ...done in time polynomial in the number of bits of q. In this paper, we give a simple construction for Aq when q is a power of 2 that was discovered independently by Coppersmith [1994] and Deutsch [see =-=Ekert and Jozsa 1996-=-]. This construction is essentially the standard fast Fourier transform (FFT) algorithm [Knuth 1981] adapted for a quantum computer; the following description of it follows that of Ekert and Jozsa [19... |

12 | Structural basis of multistationary quantum systems II: Effective few-particle dynamics," Phys - Teich, Obermayer, et al. - 1988 |

9 | Envisioning a quantum supercomputer - Lloyd - 1994 |

8 |
Can quantum computers have simple Hamiltonians
- Biafore
- 1994
(Show Context)
Citation Context ...els of quantum computers, see references on quantum Turing machines [Deutsch 1985; Bernstein and Vazirani 1993; Yao 1993] and quantum cellular automata [Feynman 1986; Margolus 1986, 1990; Lloyd 1993; =-=Biafore 1994-=-]. If they are allowed a small probability of error, quantum Turing machines and quantum gate arrays can compute the same functions in polynomial time [Yao 1993]. This may also be true for the various... |

8 | Finite combinatory processes - Post - 1936 |

8 | Turing (1936), On computable numbers, with an application to the Entscheidungsproblem - M |

7 |
Realizable universal quantum logic gates”, preprint
- Sleator, Weinfurter
- 1994
(Show Context)
Citation Context ... the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; =-=Sleator and Weinfurter 1995-=-; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; Palma, Suominen, and Ekert 19... |

5 |
Algorithmic number theory—The complexity contribution
- Adleman
- 1994
(Show Context)
Citation Context ... long. It was only in the 1970’s, however, that researchers applied the paradigms of theoretical computer science to number theory, and looked at the asymptotic running times of factoring algorithms [=-=Adleman 1994-=-]. This has resulted in a great improvement in the efficiency of factoring algorithms. The best factoring algorithm asymptotically is currently the number field sieve [Lenstra et al. 1990, Lenstra and... |

4 | Is quantum mechanics useful?, Philos - Landauer - 1995 |

4 | Two non-standard paradigms for computation: Analog machines and cellular automata - Steiglitz - 1988 |

3 | Algorithmic number theory --- The complexity contribution - Adleman - 1994 |

2 | Almost any quantum logic gate is universal," Los Alamos National Laboratory preprint - Lloyd - 1994 |

1 | Semiclassical Fourier tranform for quantum computation - Griffiths, Niu - 1996 |

1 |
Quantum computation, Ann
- Margolus
- 1986
(Show Context)
Citation Context ... by Deutsch [1989]. For other models of quantum computers, see references on quantum Turing machines [Deutsch 1985; Bernstein and Vazirani 1993; Yao 1993] and quantum cellular automata [Feynman 1986; =-=Margolus 1986-=-, 1990; Lloyd 1993; Biafore 1994]. If they are allowed a small probability of error, quantum Turing machines and quantum gate arrays can compute the same functions in polynomial time [Yao 1993]. This ... |

1 | 1982b) "Quantum mechanical Hamiltonian models of Turing machines that dissipate no energy - Benioff |

1 | 1992b) "Oracle quantum computing - Berthiaume, Brassard |

1 | A simple quantum computer," preprint - Chuang, Yamamoto - 1995 |

1 | Quantum mechanical computers," Found. Phys. 16, 507--531; originally appeared - Feynman - 1986 |

1 | est un isomorphisme de codes," Comptes Rendues de l'Acad'emie Fran��caise des Sciences 257 - o`u |

1 | Quantum computers and dissipation, " preprint - Palma, Suominen, et al. - 1995 |

1 | Turing (1936) "On computable numbers, with an application to the Entscheidungsproblem - M - 1937 |