# How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits

@article{Gidney2019HowTF, title={How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits}, author={Craig Gidney and Martin Eker{\aa}}, journal={Quantum}, year={2019}, volume={5}, pages={433} }

We significantly reduce the cost of factoring integers and computing discrete logarithms in finite fields on a quantum computer by combining techniques from Shor 1994, Griffiths-Niu 1996, Zalka 2006, Fowler 2012, Eker{\aa}-H{\aa}stad 2017, Eker{\aa} 2017, Eker{\aa} 2018, Gidney-Fowler 2019, Gidney 2019. We estimate the approximate cost of our construction using plausible physical assumptions for large-scale superconducting qubit platforms: a planar grid of qubits with nearest-neighbor…

## 251 Citations

### Factoring integers with sublinear resources on a superconducting quantum processor

- Education, Materials Science
- 2022

This paper presents a probabilistic simulation of the response of the immune system to quantum fluctuations in a low-dimensional environment.

### Demonstration of Shor Encoding on a Trapped-Ion Quantum Computer

- PhysicsPhysical Review Applied
- 2021

Fault-tolerant quantum error correction (QEC) is crucial for unlocking the true power of quantum computers. QEC codes use multiple physical qubits to encode a logical qubit, which is protected…

### The Present and Future of Discrete Logarithm Problems on Noisy Quantum Computers

- Computer ScienceIEEE Transactions on Quantum Engineering
- 2022

The experiments with the ibm_kawasaki device discovered that the simplest circuit from a 2-bit DLP instance achieves a sufficiently high success probability to proclaim the experiment successful, and a near-term prediction based on required noise levels to solve some selected small DLPs and integer factoring instances is given.

### Practical Security of RSA Against NTC-Architecture Quantum Computing Attacks

- Computer Science, PhysicsInternational Journal of Theoretical Physics
- 2021

This work has shown the robustness of the updated RSA against practical quantum computing attacks, and the time complexity must be considered when the number of serial quantum operations is particularly large.

### Quantum Period Finding against Symmetric Primitives in Practice

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

An optimized quantum circuit for boolean linear algebra as well as complete reversible implementations of PRINCE, Chaskey, spongent and Keccak which are of independent interest for quantum cryptanalysis are proposed.

### Quantum estimation of classically intractable kernels for highly-entangled feature maps

- Physics, Computer Science
- 2019

This project is aimed at exploring proposals for machine learning on near-term quantum computers, and will focus on a quantum kernel estimation algorithm which utilizes a quantum computer to construct an estimator for a kernel that is intractable to compute classically.

### Leveraging State Sparsity for More Efficient Quantum Simulations

- Computer ScienceACM Transactions on Quantum Computing
- 2022

This work is the first to fully simulate a quantum algorithm to compute elliptic curve discrete logarithms, and its prototype implementation includes optimizations such as gate (re)scheduling, which amortizes data structure accesses and reduces memory usage.

### Design and Analysis of a Scalable and Efficient Quantum Circuit for LWE Matrix Arithmetic

- Computer Science2022 IEEE 40th International Conference on Computer Design (ICCD)
- 2022

This paper designs an optimized quantum circuit for LWE computation, which does not need any ancillary qubits and scales efficiently and easily if there are more qubits available on a higher qubit quantum computer.

### Improved quantum circuits for elliptic curve discrete logarithms

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

A full implementation of point addition in the Q# quantum programming language that allows unit tests and automatic quantum resource estimation for all components and presents various trade-offs between different cost metrics including the number of qubits, circuit depth and $T$-gate count.

### Forecasting timelines of quantum computing

- PhysicsArXiv
- 2020

It is estimated that that proof-of-concept fault-tolerant computation based onsuperconductor technology is unlikely to be exhibited before 2026, and that quantum devices capable of factoring RSA-2048 are unlikely to exist before 2039.

## References

SHOWING 1-10 OF 98 REFERENCES

### Quantum algorithms for computing short discrete logarithms and factoring RSA integers

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2017

The quantum algorithm for computing short discrete logarithms is generalized to allow for various tradeoffs between the number of times that the algorithm need be executed, and the complexity of the algorithm and the requirements it imposes on the quantum computer.

### Halving the cost of quantum addition

- Computer ScienceQuantum
- 2018

An n-bit controlled adder circuit with T-count of 8n+O(1), a temporary adder that can be computed for the same cost as the normal adder but whose result can be kept until it is later uncomputed without using T gates, and some other constructions whose T- Count is improved by the temporary logical-AND.

### Improved reversible and quantum circuits for Karatsuba-based integer multiplication

- Computer ScienceTQC
- 2017

A reversible circuit for integer multiplication that is inspired by Karatsuba's recursive method is presented, with the main improvement over circuits that have been previously reported in the literature is an asymptotic reduction of the amount of space required.

### Quantum computation with realistic magic-state factories

- Computer Science
- 2017

It is found that the magic-state factory required for postclassical factoring can be as small as 6.3 million data qubits, ignoring ancilla qu bits, assuming 10^−4 error gates and the availability of long-range interactions.

### Quantum algorithms for computing general discrete logarithms and orders with tradeoffs

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2018

The probability distributions induced by the algorithm, and by Shor's and Seifert's order-finding algorithms, are analyzed, and it is described how these algorithms may be simulated when the solution is known, and the number of runs required for a given minimum success probability when making different tradeoffs.

### Factoring using $2n+2$ qubits with Toffoli based modular multiplication

- Computer ScienceQuantum Inf. Comput.
- 2017

An implementation of Shor's quantum algorithm to factor n-bit integers using only 2n+2 qubits using a purely Toffoli based modular multiplication circuit that evades most of the cost overheads originating from rotation synthesis and enables testing and localization of some faults in both, the logical level circuit and an actual quantum hardware implementation.

### Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms

- Computer Science, MathematicsASIACRYPT
- 2017

The results indicate that, for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA.

### Modifying Shor's algorithm to compute short discrete logarithms

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2016

It is shown that the complexity of computing discrete logarithms on a quantum computer can be made to depend not only on the choice of group, and on its order q, but also on theLogarithm d, and may hence be generalized to finite abelian groups.

### Fast Quantum Modular Exponentiation Architecture for Shor's Factorization Algorithm

- Computer Science
- 2012

We present a novel and efficient in terms of circuit depth design for Shor's quantum factorization algorithm. The circuit effectively utilizes a diverse set of adders based on the quantum Fourier…

### Reduced space-time and time costs Ising dislocation codes and arbitrary ancillas

- Computer ScienceQuantum Inf. Comput.
- 2015

An amortized analysis is used to show that even in a parallel setting this leads to only a constant factor slowdown as opposed to the logarithmic slowdown that might be expected naively.