- The paper introduces an optimized quantum algorithm that integrates techniques from Shor, Griffiths-Niu, and Zalka to factor RSA integers.
- The research demonstrates factoring a 2048-bit RSA integer in 8 hours using only 20 million noisy qubits, significantly reducing required spacetime volume.
- The paper quantifies the cryptographic threat posed by quantum computing and highlights the need for transitioning towards quantum-resistant security measures.
Overview: Factoring RSA Integers Using Quantum Resources
This paper, authored by Craig Gidney and Martin Ekerå, lays out an optimized quantum algorithm for factoring RSA integers and computing discrete logarithms in finite fields, proposing cost-effective quantum resource requirements. The research significantly reduces the spacetime volume required to factor 2048-bit RSA integers, estimating only 20 million noisy qubits and approximately eight hours of computation time under specific physical assumptions.
Key Contributions
- Algorithmic Optimization: The paper integrates techniques from several seminal works, including those by Shor, Griffiths-Niu, and Zalka, to optimize the implementation of Shor’s algorithm, which underpins the quantum factoring of composite integers and discrete logarithm calculations.
- Resource Requirements: The authors meticulously estimate the cost of their construction in terms of logical qubits, Toffoli gate operations, and measurement depth. Notably, they report a Toffoli count of $0.3n^3 + 0.0005n^3 \log n$ and a measurement depth of $500n^2 + n^2 \log n$ for an $n$-bit integer, providing a framework for assessing the computational feasibility of their method.
- Spacetime Volume Reduction: A standout achievement of the work is the reduction of spacetime volume—an order of magnitude improvement over previous estimates for comparable tasks from earlier works like those of Van Meter et al. 2009 and Fowler et al. 2012.
- Quantum Computation Model: The paper utilizes a planar grid of qubits with nearest-neighbor connectivity, assuming a surface code cycle time of 1 microsecond and a characteristic physical gate error rate at the $10^{-3}$ threshold, which offers a realistic yet challenging experimental setup.
- Cryptographic Implications: The authors quantitatively represent the cryptographic threat posed by the implementation of large-scale quantum computers to RSA and discrete logarithm-based cryptosystems. They engage with the potential need to transition to quantum-resistant cryptographic systems in line with the advancing feasibility of quantum attacks.
Numerical Results and Predictions
The research posits that a cryptographically relevant 2048-bit RSA integer could be factored using a spacetime volume almost 100 times smaller than previously estimated, a result that informs the transition timeline to post-quantum cryptography.
- 2048-bit RSA Factoring: Expected to utilize 20 million qubits for an 8-hour runtime, significantly altering the landscape of quantum cryptanalysis.
- Expected Scalability: The techniques presented scale to larger bit sizes, with numerical estimates provided for cryptographically relevant sizes up to 16384 bits.
Technical Insights
By combining optimizations such as windowed arithmetic, efficient quantum Fourier transforms, and innovative qubit layouts (oblivious carry runways and coset representation of modular integers), the research redefines the conditions required to execute quantum cryptanalysis in practice.
Implications and Future Directions
While the current hardware capabilities are insufficient for deploying the proposed algorithms at scale, the detailed resource estimates and identified optimizations guide future experimental designs and theoretical explorations. Researchers, especially those concentrating on quantum error correction methods, architecture designs, and quantum-resistant algorithms, will find fertile ground for further experimental and theoretical development.
The research underscores the impending reality where quantum computing capabilities intersect with cryptographic vulnerabilities, advocating for timely advancements in both quantum algorithm optimization and cryptographic standards evolution. This exemplifies the dual trajectory of advancing quantum computing prowess while mitigating its potential cryptographic threats.