Desurvire E. Classical and Quantum Information Theory: An Introduction for the Telecom Scientist

Подождите немного. Документ загружается.

20.6 Factorizing

= 15 and other nontrivial composites 417

tion. As applicable, Shor’s algorithm may otherwise be called upon again to factorize

M, and so on until we obtain the full prime-factor decomposition N = p

... p

20.6 Factorizing

= 15 and other nontrivial composites

In this section, I shall consider illustrative examples of Shor’s factorization algorithm,

using nontrivial composite cases (the notion of trivial composites will be speciﬁed

further down). This will also show how one can simplify the inverse Fourier transform

operation (FT

) in the quantum phase-estimation circuit, and estimate the probability

distribution function of the phase measurement.

Assume, for instance, the composite number N = 15. We must set L =log

N =4

for the size of the second or target register, and for an error probability of at most

ε = 0.25, we must also set K = 2L + 1 +log

[2 + 1/(2ε)]=11 for the size of the

ﬁrst or control register. Thus, M = 2

= 2

= 2048. We then select “at random” from

the interval [2, N − 2] the value x = 8, which meets the requirement of being co-prime

to N . The qubit tensor input to the phase-estimation circuit in Fig. 20.3 is |ψ

=

|0

⊗K

⊗|1,Eq.(20.18). After passing through the Hadamard gate, it is transformed

into (Eq. (20.19)):



√

M−1



j=0

|j⊗|1

√

(

|0+|1+|2+···+

M − 1



)

(20.30)

After application of the controlled-U

gate, we obtain the state (Eq. (20.20)):

|ψ

=

√

M−1



j=0

|j⊗|x

mod N 

√

M−1



j=0

|j⊗|8

mod 15

√







|0|1+|1|8+|2|4+|3|2

+|4|1+|5|8+|6|4+|7|2

+|8|1+|9|8+|10|4+|11|2+···







√







(

|0+



+···

)

|1

(

|1+



+···

)



(

|2+



+···

)



(

|3+



+···

)

|2







(20.31)

The state



in Eq. (20.31) can also be put in the form:



⊗|1+



⊗



⊗



⊗|2, (20.32)

418 Shor’s factorization algorithm

512

1024

1536

2048 =

2047 =

− 1

(

)

0.25

Figure 20.5 Plot of the distribution p(k) =|α

in the deﬁnition interval k ∈ [0, M − 1].

with













√

(

|0+



+···

)



√

(

|1+



+···

)



√

(

|2+



+···

)



√

(|3+



+···).

(20.33)

If at this stage (➂ in Fig. 20.3) we perform a measurement of the second register, which

is no longer used, Eq. (20.32) shows that we may obtain at random any of the values

z = 1, 8, 4, or 2, with a uniform probability of 1/4. Such a measurement causes the

ﬁrst register to collapse into the corresponding state



,or



withanew

normalization factor of 1/

√

4. We could also make the same measurement at ➃, namely,

after the ﬁrst register has been submitted to the inverse Fourier transform, FT

, and even

further down in the circuit, i.e., after the ﬁrst register has been measured. Intuitively, the

measurement statistics of the second register are not affected by the transformation and

measurement of the ﬁrst register, and the reverse. This principle can be stated as “any

quantum wires whose qubits are not measured at the end of a quantum circuit may yet

be assumed to be also measured, without affecting any other measurement statistics.”

It remains a ﬁne point to analyze this principle academically, but here we shall take

its validity for granted. Assume, then, that our measurement of the second register

would be z = 8 (any other value giving identical results as the conclusion). Thus, in

the ﬁrst register, the input to the inverse Fourier transform circuit would be



.After

transformation, the ﬁrst register output is



M−1



k=0

|k, (20.34)

where p(k) =

represents the probability distribution of the ﬁnal measurement of the

ﬁrst register. The detailed computation of the distribution p(k) is given in Appendix S.

The resulting distribution is plotted in Fig. 20.5. As we see from the ﬁgure, the

distribution exhibits four equiprobable peaks (p

max

= 0.25) at the register locations

k = 0, 512, 1024, 1536, with any other measurement probabilities being zero. This

20.6 Factorizing

= 15 and other nontrivial composites 419

probability distribution represents the ideal measurement conditions with zero failure.

As we have learnt, the actual measurement is successful only within some error proba-

bility ε, which is a function of the register size K , and which has been set in this example

to ε = 0.25. To recall, this failure probability can be made as small as desired, hence

making the measurement reality closer to the ideal probability distribution shown in Fig.

20.5. The existence of four equiprobable probability peaks betrays the periodicity of the

function x

mod N , which is of the order r = 4. But the experimentalist has no precon-

ceived idea of this, and is allowed to make only a few measurement attempts. Then it is

equally likely for each of the measurements to hit the values k

= 0, 512, 1024, or 1536.

To recall, these measurements correspond to the phase ˜ϕ ≈ ϕ = s/r, with 0 ≤ ϕ ≤ 1

being deﬁned in K bits. The measurement, thus, corresponds to the rational numbers

/M = k

= k

/2048, corresponding to the four possible determinations

˜ϕ:

2048

512

2048

=512

1024

2048

=1024

1536

2048

=1536

The ﬁrst determination, k

= 0, does not give any clue as to the order r. Measur-

ing it is, therefore, a failed attempt. Consider the next two other determinations, i.e.,

= 512, 1024. We have k

= 512/2048 = 1/4 and k

= 1024/2048 = 1/2. These two

rational numbers do not meet the condition in Eq. (20.25) since (1, 4) and (1, 2) are not

co-prime. Therefore, they cannot be convergent on ϕ. The last possible measurement,

= 1536 lends itself to the continued fraction expansion:

1536

2048

1 +

which, according to the algorithm (see Appendix R) gives the series of fractions p

0/1, p

= 1/1, and p

= 3/4. Since (3, 4) are co-prime, the fraction 3/4 is a

convergent of ϕ and thus r = q

= 4 is of the order of x. Luckily, r = 4 is even,

and, furthermore, we have x

r/2

mod N = 8

mod 15 = 4 mod 15 =±1 mod 15, which

shows that the solution x

r/2

= 8

= 64 is valid (it can also be checked that x

= 8

1 mod 15, but this test does not need to be made). Therefore, two factors N



, N



N = 15 are



= GCD(x

r/2

− 1, N ) = GCD(63, 15) ≡ 3,



= GCD(x

r/2

+ 1, N ) = GCD(65, 15) ≡ 5,

which concludes Shor’s factorization algorithm. Since both factors N



, N



are prime,

the factorization of N is also complete! As we have seen, however, the algorithm

succeeded in this example because (a) one of the four possible measurements yielded

a valid convergent of ϕ, (b) the order r turned out to be even, and (c) the condition

r/2

=−1 mod 15 was satisﬁed. In the case where any of these prerequisites is not met,

the algorithm would have failed. Provided we obtained a convergent of ϕ, it turned out

that the random selection x = 8 was a “lucky” one. Then what are the other alternatives

420 Shor’s factorization algorithm

Table 20.4 Possibilities of selecting x towards the factorization

of N = 15 through Shor’s algorithm, with corresponding order

r,testx

r/2

=±1modN, and number m of convergents.

xrx

r/2

mod Nm

24 4 1

42 4 0

74 4 1

84 4 1

11211 0

13 4 4 1

and chances of failure under any other random selection for x? The answer is provided

in the following discussion.

Discussion

To factorize N = 15, we must randomly select x in the interval x ∈ [2, N − 2], with

the condition that (x, N ) be co-prime. This leaves x = 2, 4, 7, 8, 11, 13 as the only six

possibilities of fully implementing the algorithm. We then use a computer spread-

sheet to obtain the order r “classically” (this being not part of Shor’s algorithm,

but just a computing means for the purpose of the analysis). The results are listed

in Table 20.4, along with the test x

r/2

mod N and the number m of convergents.

It is seen from the table that the order of x is either r = 2(x = 4, 11) or r = 4

(x = 2, 7, 8, 13), and that both pass the test x

r/2

=±1modN . Consider the case

r = 4, and assume the register size K = 2

= 2048 (L = 4 bits). This case is wholly

identical to the previously described example where x = 8 was assumed. Then if we

implement Shor’s algorithm (namely without any prior knowledge of r), we have equal

probabilities of measuring k = 0, 512, 1024, 1536, corresponding to the determinations

˜ϕ = 0/2048, 512/2048, 1024/2048, 1536/2048. As we have seen, only the fourth one,

˜ϕ = 1536/2048 = 3/4, is a convergent of ϕ. Thus, only one measurement in four pos-

sibilities leads to a successful answer. If, on the other hand, our random selection is

x = 4, 11, the probability distribution has only two peaks corresponding to the determi-

nations ˜ϕ = 0/2048 and ˜ϕ = 1024/2048 = 1/2. Since none is a convergent of ϕ,the

algorithm fails, and we must try it again with a different value of x. To summarize,

the chances of randomly selecting the lucky values x = 2, 7, 8, 13 out of N − 3 = 12

possibilities in the interval x = [2, N − 2] are p

(1)

= 4/12 = 1/3, and the chances that

the output measurement leads to a convergent are p

(1)

= 1/4. On the other hand, the

chances of randomly selecting the “unlucky” values x = 4, 11 are p

(1)

= 2/12 = 1/6,

and the chances that the output measurement leads to a convergent are p

(1)

= 0. Over-

all, the chances of the algorithm concluding successfully in a single run, based on any

random selection of x are given by the probability indicator

 =



i=1

(i)

= p

(1)

+ p

(2)

, (20.35)

20.6 Factorizing

= 15 and other nontrivial composites 421

Table 20.5 First group of composite numbers

(

= 3, 5, 7, . . . , 37) eligible for factorization,

up to

= 1147, eliminating

(as shaded).

35711131719232931 37

3 9152133395157698793111

25 35 55 65 85 95 115 145 155 185

49 77 91 119 133 161 203 217 259

121 143 187 209 253 319 341 407

169 221 247 299 377 403 481

289 323 391 493 527 629

361 437 551 589 703

529 667 713 851

841 899 1073

961 1147

1369

which gives here  = (1/3) ×(1/4) +0 ≡ 1/12 = 8.3%. But the discussion does not

end here. Indeed, this result actually assumes that the initial phase estimation ˜ϕ is

inﬁnitely accurate (ε  1). As we chose K = 2L + 1 +log

[2 + 1/(2ε)]=11, cor-

responding to an estimation success of at least p = 1 −ε = 3/4, the overall success

chances in these global conditions are ﬁnally p = (3/4) ×(1/12) = 1/16 = 6.2%.

As the register size K is increased, the chances of success asymptotically reach the

limit . The key conclusion of this discussion is that, regardless of register size, the

implementation of Shor’s algorithm is a trial and error process: some values of x do not

work out, and in the best case, some register measurements fail to yield any convergent,

as we have seen with the N = 15 factorization example.

This discussion leads to another question: are some composites easier to factorize

than others under Shor’s algorithm, corresponding to higher values of the  indi-

cator? In an attempt to address this question, we may analyze the periods of the

ﬁrst composite numbers and see which ones may present the least factoring difﬁ-

culty or the highest . Consider, then, the composites of the type N = pq (with

p, q primes), which satisfy the two conditions: (a) N is not even, and (b) there are

no integers a, b (a, b ≥ 2), such that N = a

. With a list of the ﬁrst primes limited

to p, q ={3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37}, excluding p, q = 2, the set of eligible

composites comes to 55 numbers ranging from N = 15 to N = 1147, as illustrated

in Table 20.5. The selection listed in the table, thus, justiﬁes that N = 15 is the ﬁrst

composite candidate to implement Shor’s algorithm. Considering the highest number

of the selection, N = 1147, determining the period would require one to compute

the successive powers of 1145

, which scale as 10

p×ln(1145)/ ln(10)

≈ 10

and, thus,

rapidly leads to an overﬂow. If, on the other hand, we limit the scope to N ≤ 100, i.e.,

max(N ) = 91, the computation remains tractable (89

≈ 10

1.9p

), at least with a personal

computer. A period-ﬁnding computer program can easily be implemented,

yielding a

tabulation of r for each value x ∈ [2, N − 2], along with the validation tests {x

r/2

even

A free executable for period ﬁnding (FINDPRIM.EXE) can also be downloaded from: http://users.

pandora.be/nicvroom/progrm19.htm.

422 Shor’s factorization algorithm

2345678910111213

2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

Figure 20.6 Va lu es r of the order of x modulo N (x, N co-prime) for composites

N = 15, 21, 33, 35, 39. The hashed bars correspond to odd values of r, the shaded bars

correspond to r values for which x

r/2

=−1 mod N.

and x

r/2

=±1modN }. The results for N = 15, 21, 33, 35, 39 are shown in Fig. 20.6.

The darkened data correspond to odd values of r, while the shaded data correspond to r

values for which x

r/2

=−1modN . The graph, thus, makes it possible to calculate the

probabilities p

(i)

, p

(i)

for each subset of x satisfying the algorithm requirements, and the

indicator  =



(i)

. In the case N = 21, for instance, we ﬁnd x ={2, 10, 11, 19}

for r = 6 and x ={8, 13} for r = 2, corresponding to p

(1)

= 4/18 = 2/9 and p

(1)

2/18 = 1/9, respectively. The associated values of r give p

(1)

= 1/3 and p

(2)

= 0,

respectively, yielding  =(2/9) ×(1/3) + 0 ≡ 2/27 = 7.4% .

Considering next the case N = 33, we ﬁnd x =

{

5, 7, 13, 14, 19, 20, 26, 28

}

for r =

10, x =

{

10, 21, 23

}

for r = 2, corresponding to p

(1)

= 8/30 = 4/15 and p

(2)

= 3/30 =

1/10, respectively. For r = 10, the probability distribution exhibits 10 peaks at the k

locations:

corresponding to the irreducible fractions p/q

in which only six have p, q as co-prime numbers. We, thus, have p

(1)

= 6/10 = 3/5

and also p

(2)

= 0, yielding  = (4/15) ×(3/5) +0 ≡ 4/25 = 16.0%.

20.6 Factorizing

= 15 and other nontrivial composites 423

0.0

0.1

0.2

0.3

0.4

0.5

020406080100

Composite

(

)

Figure 20.7 Indicator function (N ), corresponding to the probability of successfully factoring

N in a single run of Shor’s algorithm.

Similar analysis of the other N values leads to the indicator function (N ). To

recall, such a function represents the probability of successfully factorizing N based

on a single random selection of x ∈

[

2, N − 2

]

. The function (N) is plotted in

Fig. 20.7 for N ≤ 100. We observe from the plot that (N) increases with N accord-

ing to a logarithmic ﬁt, along with some scattering. Such scattering is explained by

either “lucky” or “unlucky” composites. For instance, N = 15 and N = 51 are lucky

in the sense that all periods r satisfy the two conditions of being even and such that

r/2

= 1modN for any x ∈

[

2, N − 1

]

. This property maximizes the probability p

(i)

In contrast, for N = 93 (next to last point at right in Fig. 20.7) these conditions are not

met for 1/3 of all the possible r values, which explains the drop from the global trend.

Given an eligible r , and independently of N , the second “luck” factor comes from the

number of associated convergents, as measured by the probability p

(i)

. For instance,

r = 2 has no associated convergent, r = 4 has only one convergent with probabil-

ity p

(i)

= 1/4 = 25%, r = 10 has 6 convergents with probability p

(i)

= 6/10 = 60%,

and r = 28 has 24 convergents with probability p

(i)

= 24/28 = 85.7%. The product

(i)

, thus, determines the weight taken by a given period r out of the possibili-

ties indexed by i in the sum in Eq. (20.35) yielding (N ). For N ≤ 100, Fig. 20.7

shows that the maximum is found at N = 85 with (85) = 41.4%. The logarithmic ﬁt

shown in the ﬁgure (y = 0.14 ln ×−0.306) suggests that a probability of  = 50%

would be reached for x = 316, in the vicinity of the composites N = 319 = 11 ×29

and N = 323 = 17 ×19. As I am not aware that any plot similar to that shown in

Fig. 20.7 has ever been published. It remains a reasonable conjecture that for com-

posites larger than N = 100, (N ) asymptotically reaches 100%, with some scatter

due to the aforementioned effects, with the contribution of p

(i)

becoming negligi-

ble as N increases, as s, r in the phase estimate ϕ = s/r become more likely to be

co-prime.

424 Shor’s factorization algorithm

20.7 Public-key cryptography

This concluding section is about public-key cryptography (PKC). Such a topic is not

completely out of place in this chapter on Shor’s factorization algorithm because, as

I shall describe, the secrecy involved in PKC heavily relies on the fact that factoriz-

ing large numbers is a task that is essentially intractable, which is true according to

the best computing means and algorithms currently available. Since PKC is widely

used for different applications in the Internet, and since its principle is relatively sim-

ple to understand, it is worthwhile to describe it brieﬂy here in the context of this

chapter.

Public-key cryptography was invented and developed by R. Rivest, A. Shamir and L.

Adleman, a trio of people who gave the name to the RSA standard. The RSA principle

feeds on the current fact that it is extremely difﬁcult, if not completely intractable, to

factorize large composite numbers, or decompose them into a product of primes. Given

N , factorization (or prime decomposition) consists of ﬁnding the unique set of prime

numbers p

, p

,..., p

and powers α

,α

,...,α

such that p

... p

= N .For

instance, N = 1000 accepts the unique factorization or decomposition 2

× 5

= 1000.

For the purpose of PKC, we may just use two sufﬁciently large (and assumedly dif-

ferent!) prime numbers p, q to generate a “big” composite number N = pq,rest-

ing on the conﬁdence that if anyone in the public domain knows N, that a person

or entity would have a hard time or ﬁnd it impossible to ﬁgure out the two primes

p, q.

For instance, consider the number N = 62 615 533. To ﬁnd its factorization, we need

to divide it by prime numbers, trying them out one after another. In this example, the

answer is p = 7919 and q = 7907, which are the highest two primes to be found at the

top of a list of the ﬁrst thousands.

This unfortunate choice made the factorization easy,

since anyone can ﬁgure it out from such a list as representing the biggest product. What

about n = 15 773 077? The answer ( p = 2383, q = 6619) is less immediate, since it

takes 200 division tests to ﬁnd q starting from the top of this ﬁrst-thousand-prime list.

Assume next that p, q are selected from a huge list of known primes, for instance up to

, yielding composites N = pq up to the order of 10

.Evenatarateof10

division

tests per second (a state-class computing power that only a few may afford), this would

leave about 10

seconds or 31.7 years to ﬁnd the prime factors!

I shall now focus on the RSA standard and algorithm speciﬁcs, after recalling the basic

underlying principle of cryptography. The principle of cryptography is to encode (or

encrypt) a given “open-text” message, called plaintext, into a “secret” message, called

ciphertext. Such words come from cryptology, the science, and history of cryptography,

For various lists of prime numbers, see, for instance: http://primes.utm.edu/lists/small/1000.txt, http://

en.wikipedia.org/wiki/List_of_prime_numbers; http://primes.utm.edu/; www.prime-numbers.org/; www.

rsok.com/∼jrm/printprimes.html.

For riveting and historical accounts of cryptology, see S. Singh, The Code Book (New York: Anchor Books,

1999), S. Levy, Crypto (Harmondsworth: Penguin Books, 2001), and D. Kahn, The Codebreakers, the

Story of Secret Writing (New York: Scribner, 1967). For an easy but detailed overview of crypto-algorithms

20.7 Public-key cryptography 425

whereby text messages were encrypted for the purposes of military, state, security, trade,

or simply private communications. In the computer age, however, any “text” to be so

encrypted may be anything from email to computer ﬁles, sensitive data, up to the payload

of Internet frames (as used in the so-called IPv6 standard or other secure-communication

protocols). Note that the word “cipher” indifferently designates the algorithm speciﬁcally

used for encryption, or the ciphertext material itself.

The destinee of the ciphertext (and only this person or entity), should be able to

make sense of it and translate it back into readable plaintext, an operation which is

called decryption. For this, he or she must use a secret key. By deﬁnition, the secret

key must be difﬁcult to ﬁnd or ﬁgure out, just like the combination of a bank safe, or a

“good” computer or network password.

Traditional cryptography, thus, requires that

the sender does communicate, by some indirect means, his or her key to the destinee,

so that the latter may be able to complete the decryption. In contrast, PKC came as a

revolution to this age-long principle by offering the possibility that the sender does not

know or use any secret key. Indeed, PKC is based on the “asymmetric” principle of using

two different cipher keys, one for encryption (public sender, call him Bob) and one for

decryption (individual destinee, call her Alice). I shall now describe how this puzzling

approach can make sense.

Deﬁne the two following keys:

For encryption: a number e, such that it is relatively prime with φ(N ) = (p − 1)

(q − 1);

For decryption: the number d, which satisﬁes ed = 1modφ,ord = e

−1

mod φ.

We shall call e the public key and d the private key. As its name indicates, the public

key should be available to anyone (Bob) who wants to send an encrypted message to

Alice. On the other side, Alice keeps her “private” key in absolute secrecy. The number

N = pq (also called the RSA modulus) is known or accessible to the general public,

Bob, or anyone else.

The operation of encryption with the public key e consists ﬁrst of decomposing the

plaintext message into as many numerical blocks smaller than N . In the binary system,

a 64-bit block represents a maximum number of 1.8 ×10

, therefore, it is an eligible

block size if N ≥ 2 ×10

. For messages of arbitrary or random length, it is always

possible to “pad” the blocks with zeros on the left (called “nulls” in crypto jargon), so

that they ﬁt a convenient standard size. Encryption of each of these blocks with number

value m is performed by calculating the (cipher) number

c = m

mod N . (20.36)

used from history to now, see E. Desurvire, Global Telecommunications, Broadband Access, Optical

Components and Networks, and Cryptography (New York: J. Wiley and Sons, 2004), Ch. 3, pp. 345–478,

from which this section on PKC is partially inspired. For an advanced description, see, for instance, B.

Schneier, Applied Cryptography (New York: J. Wiley and Sons, 2006).

If the key is easy or likely to be ﬁgured out by any third party, it is called a weak key.

426 Shor’s factorization algorithm

For Alice, who is the only one to own and know the private key d, the operation of

block-by-block decryption consists of computing



= c

mod N. (20.37)

Let’s now look at the modular-arithmetic value of the m



that Alice gets. It takes a few

substitutions to ﬁgure out that the result comes to:



= c

mod N

= (m

)

mod N

= m

mod N

= m

k( p−1)(q−1)+1

mod N

= m × m

k( p−1)(q−1)

mod N

= m × [m

(p−1)(q−1)

mod N ]

mod N

= m × 1

mod N

= m.

(20.38)

The result in Eq. (20.38) shows that Alice has fully and unambiguously retrieved the

original plaintext block m. Note that for the above demonstration, we used different

properties of modular arithmetic, and in particular Euler’s theorem, as described in

Appendix T.

We also used the pre-set property of Alice’s key, ed = 1modφ, from which we have

ed = k( p − 1)(q − 1) +1. Alice is, thus, able to decrypt any message sent to her from

various “Bob” correspondents who may use her public key for this very purpose.

For illustration, consider a full example of RSA encryption and decryption.

First,

here is Bob’s private and intimate declaration to Alice:

Plaintext I l oveyou

PT-ASCII 1001001 1101100 1101111 1110110 1100101 1111001 1101111 1110101

Consistently with the RSA approach, Bob may encrypt his plaintext by blocks, which

represent for instance two letters each. With the above ASCII message, a two-letter block

is a number of 2 × 7 = 14 bits, corresponding to a maximum size of 2

–1= 16 383.

Let us assume that this is the standard. On her part, Alice also chose two primes p, q

whose product is greater or equal to 16 383, for instance p = 73 and q = 227, which

gives N =pq =16 571, and φ = ( p − 1)(q − 1) = 72 ×226 = 16 272. To be effective,

Alice made the number N = 16 571 known to everyone, just like a phone number in the

directory. Of course, the numbers p, q,φ remain only known to her.

This example was previously published in E. Desurvire, Global Telecommunications, Broadband Access,

Optical Components and Networks, and Cryptography (New York: J. Wiley and Sons, 2004).