Factoring 2048-bit RSA Integers with a Million Noisy Qubits
Craig Gidney's paper, "How to factor 2048 bit RSA integers with less than a million noisy qubits," represents a significant advance in applying quantum computation to cryptography. It departs from previous quantum factoring estimates, bringing the earlier requirement of 20 million qubits down to under a million while keeping the estimated runtime below a week. The reduction comes from streamlining several components of quantum arithmetic and state management within the quantum circuits.
Reduction Techniques
The largest share of the reduction comes from approximate residue arithmetic, building on the insights of Chevignard, Fouque and Schrottenloher, which sidesteps a long-standing bottleneck in modular arithmetic for quantum computation. Traditional methods perform their operations modulo the integer to be factored, which demands registers as wide as that integer. Approximate residue arithmetic instead computes the exponentiation in a dot-product form, splitting the operation into manageable sub-problems with exponentially smaller register requirements. The deviation from exact modular arithmetic is kept under control, so the fidelity of the quantum computation survives the approximation.
Gidney also reduces qubit overhead through advanced quantum error correction techniques and logical qubit storage, such as yoked surface codes. Yoked storage keeps idle qubits at lower physical overhead without raising the logical error rate due to noise. In addition, magic state cultivation, a refined alternative to distillation, reduces the number of qubits needed during fault-tolerant operations.
Optimized Arithmetic and Runtime
The paper describes detailed optimizations of Shor's original algorithm, notably the use of Ekerå-Håstad-style period finding. This variant, tailored to the structure of RSA integers, further narrows the qubit count and avoids the superfluous qubits required by algorithms that make no use of that structure. In addition, the calculations use windowing techniques that batch exponent inputs, reducing the number of multiplications and therefore the spatial qubit footprint.
Gidney's physical execution estimate assumes a surface code cycle time of 1 microsecond and a control reaction time of 10 microseconds on a square grid layout. Using lattice surgery and detailed routing protocols, operations such as addition and lookup are carried out within constrained cycle budgets, supporting feasibility within the stated hardware bounds.
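As an added classical illustration, not code from the paper or its circuits, the following shows the control structure that windowing changes: the accumulator stands in for the quantum register, the powers of the base are classical constants, and only multiplications into the accumulator are counted, so the count falls from one per exponent bit to one per w-bit window. The modulus 3233 (61 * 53) and the exponents are constructed toy values.

```python
"""Classical illustration of windowed modular exponentiation.

Constructed example, not code from Gidney's paper. The accumulator plays
the role of the quantum register; the powers of g are classical constants,
so only multiplications into the accumulator are counted.
"""


def modexp_bitwise(g: int, e: int, N: int) -> tuple[int, int]:
    """Bit-by-bit exponentiation: exponent bit i controls a multiplication
    by the precomputed constant g**(2**i) mod N.  Returns (result, count),
    where count is the number of controlled multiplications, one per bit."""
    n = e.bit_length()
    powers = [pow(g, 1 << i, N) for i in range(n)]  # classical precomputation
    acc, mults = 1, 0
    for i in range(n):
        mults += 1  # the controlled multiply exists whether or not bit i is set
        if (e >> i) & 1:
            acc = acc * powers[i] % N
    return acc, mults


def modexp_windowed(g: int, e: int, N: int, w: int) -> tuple[int, int]:
    """Windowed exponentiation: each w-bit window of the exponent selects an
    entry of a precomputed table g**(k * 2**(w*j)) mod N, 0 <= k < 2**w, and
    one multiplication by that entry updates the accumulator.  The number of
    multiplications drops from bit_length(e) to ceil(bit_length(e) / w) at
    the cost of one table lookup per window."""
    n = e.bit_length()
    n_windows = -(-n // w)  # ceiling division
    mask = (1 << w) - 1
    acc, mults = 1, 0
    for j in range(n_windows):
        table = [pow(g, k << (w * j), N) for k in range(1 << w)]  # classical
        k = (e >> (w * j)) & mask  # the window's bits choose the table entry
        acc = acc * table[k] % N  # one multiplication per window
        mults += 1
    return acc, mults


if __name__ == "__main__":
    N, g, e = 3233, 2, 1000  # constructed toy RSA modulus 61 * 53
    print("bitwise", modexp_bitwise(g, e, N))
    for w in (1, 4, 8):
        print("window", w, modexp_windowed(g, e, N, w))
```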
Practical and Theoretical Implications
The implications of this research are broad. Practically, reducing the qubit count directly lowers the hardware requirements, potentially shaving years from the predicted timeline for economically viable quantum attacks on cryptography. The methodical structure of the paper also suggests modular approaches that could extend to other cryptographic standards once RSA's foundations give way in a post-quantum era.
Theoretically, bold assertions such as factoring RSA-2048 with one million qubits underscore the maturation of approximate quantum methods. Combining quantum state management with fundamental arithmetic optimizations opens avenues for many applications that demand rapid factorization, including non-cryptographic number theory problems that persist in computational domains.
Future Directions
While the paper does not claim further drastic reductions without changing its assumptions, the groundwork it lays presents a formidable challenge to classical cryptosystems that rely on RSA and similar mechanisms. As quantum computers evolve, further innovations may build on similar approximations to improve state management and arithmetic efficiency.
This paper marks a significant milestone in the transition of cryptographic security, offering rigorous computational forecasts of quantum threats. While 2030-2035 remains the suggested timeline for quantum-safe systems, advances like this one strengthen the case for accelerating the cryptographic transition.