## Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer (1997)

Venue: SIAM J. on Computing

Citations: 913 - 2 self

### BibTeX

@ARTICLE{Shor97polynomial-timealgorithms,
    author = {Peter W. Shor},
    title = {Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer},
    journal = {SIAM J. on Computing},
    year = {1997},
    pages = {1484--1509}
}

### Abstract

A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.

### Citations

3063 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, Adleman |

834 | Algorithms for quantum computation: Discrete logarithms and factoring - Shor - 1994 |
Citation Context: ...ndard fast Fourier transform (FFT) algorithm [Knuth 1981] adapted for a quantum computer; the following description of it follows that of Ekert and Jozsa [1996]. In the earlier version of this paper [Shor 1994], we gave a construction for $A_q$ when q was in the special class of smooth numbers having only small prime power factors. In fact, Cleve [1994] has shown how to construct $A_q$ for all smooth numbers q w...

697 | Quantum Theory: Concepts & Methods - Peres - 1993 |
Citation Context: ...$|S_i\rangle$. Thus, looking at the machine during the computation will invalidate the rest of the computation. General quantum mechanical measurements, i.e., POVMs (positive operator valued measurement, see [Peres 1993]), can be considerably more complicated than the case of projection onto the canonical basis to which we restrict ourselves in this paper. This does not greatly restrict our model of computation, sin...

678 | Quantum theory, the Church-Turing principle and the universal quantum computer - Deutsch - 1985 |
Citation Context: ...nally studied by Yao [1993] and is closely related to the quantum computational networks discussed by Deutsch [1989]. For other models of quantum computers, see references on quantum Turing machines [Deutsch 1985; Bernstein and Vazirani 1993; Yao 1993] and quantum cellular automata [Feynman 1986; Margolus 1986, 1990; Lloyd 1993; Biafore 1994]. If they are allowed a small probability of error, quantum Turing m...

489 | Quantum Complexity Theory - Bernstein, Vazirani - 1993 |
Citation Context: ...by Yao [1993] and is closely related to the quantum computational networks discussed by Deutsch [1989]. For other models of quantum computers, see references on quantum Turing machines [Deutsch 1985; Bernstein and Vazirani 1993; Yao 1993] and quantum cellular automata [Feynman 1986; Margolus 1986, 1990; Lloyd 1993; Biafore 1994]. If they are allowed a small probability of error, quantum Turing machines and quantum gate arra...

471 | Logical reversibility of computation - Bennett - 1973 |
Citation Context: ..., a deterministic computation is performable on a quantum computer only if it is reversible. Luckily, it has already been shown that any deterministic computation can be made reversible [Lecerf 1963; Bennett 1973]. In fact, reversible classical gate arrays (or reversible acyclic circuits) have been studied. Much like the result that any classical computation can be done using NAND gates, there are also univer...

358 | On the power of quantum computation - Simon - 1994 |

346 | Rapid solution of problems by quantum computation - Deutsch, Jozsa - 1992 |

318 | Strengths and weaknesses of quantum computing - Bennett, Bernstein, et al. - 1997 |
Citation Context: ...gorithms for solving these problems on a quantum computer would be a momentous discovery. There are some weak indications that quantum computers are not powerful enough to solve NP-complete problems [Bennett et al. 1997], but I do not believe that this potentiality should be ruled out as yet. Acknowledgments. I would like to thank Jeff Lagarias for finding and fixing a critical error in the first version of the disc...

301 | An Introduction to the Theory of - Hardy, Wright - 1989 |
Citation Context: ...ey are all 1, then r is odd and r/2 does not exist; if they are all equal and larger than 1, then $x^{r/2} \equiv -1 \pmod{p_i^{\alpha_i}}$ for every i, so $x^{r/2} \equiv -1 \pmod{n}$. By the Chinese remainder theorem [Knuth 1981; Hardy and Wright 1979, Theorem 121], choosing an x (mod n) at random is the same as choosing for each i a number $x_i \pmod{p_i^{\alpha_i}}$ at random, where $x \equiv x_i \pmod{p_i^{\alpha_i}}$. The multiplicative group (mod $p^{\alpha}$) for any odd prime po...

284 | An unsolvable problem of elementary number theory - Church - 1936 |

250 | Quantum computational networks - Deutsch - 1989 |

225 | Scheme for reducing decoherence in quantum computer memory - Shor - 1995 |
Citation Context: ...e out more complicated ways of reducing inaccuracy or decoherence using software. In fact, some progress in the direction of reducing inaccuracy [Berthiaume, Deutsch, and Jozsa 1994] and decoherence [Shor 1995] has already been made. The result of Bennett et al. [1996] that quantum bits can be faithfully transmitted over a noisy quantum channel gives further hope that quantum computations can similarly be ...

221 | Conservative logic - Fredkin, Toffoli - 1982 |
Citation Context: ...ike the result that any classical computation can be done using NAND gates, there are also universal gates for reversible computation. Two of these are Toffoli gates [Toffoli 1980] and Fredkin gates [Fredkin and Toffoli 1982]; these are illustrated in Table 3.1. The Toffoli gate is just a doubly controlled NOT, i.e., the last bit is negated if and only if the first two bits are 1. In a Toffoli gate, if the third input bi...

218 | Riemann's hypothesis and tests for primality - Miller - 1976 |
Citation Context: ...nt x in the multiplicative group (mod n); that is, the least integer r such that $x^r \equiv 1 \pmod{n}$. It is known that using randomization, factorization can be reduced to finding the order of an element [Miller 1976]; we now briefly give this reduction. To find a factor of an odd number n, given a method for computing the order r of x, choose a random x (mod n), find its order r, and compute $\gcd(x^{r/2} - 1, n)$. Her...

187 | New lower bound techniques for robot motion planning problems - Canny, Reif - 1987 |

171 | Multiplication of multidigit numbers on automata - Karatsuba, Ofman - 1963 |
Citation Context: ...hoice for small numbers. There are also multiplication algorithms which have asymptotic efficiencies between these two algorithms and which are superior for intermediate length numbers [Karatsuba and Ofman 1962; Knuth 1981; Schönhage, Grotefeld, and Vetter 1994]. It is not clear which algorithms are best for which size numbers. While this is known to some exten...

147 | Two-bit gates are universal for quantum computation, Phys - DiVincenzo - 1995 |
Citation Context: ...e possible within the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; ...

133 | Elementary Gates for Quantum Computation, Phys - Barenco, Bennett, et al. - 1995 |
Citation Context: ...s. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; Palma, Suominen, and Ekert 1996]. The most difficu...

123 | The Computer as a Physical System - A Microscopic Quantum-Mechanical Hamiltonian Model of Computers as Represented by Turing-Machines - Benioff - 1980 |

119 | Reversible computing - Toffoli - 1980 |
Citation Context: ...rcuits) have been studied. Much like the result that any classical computation can be done using NAND gates, there are also universal gates for reversible computation. Two of these are Toffoli gates [Toffoli 1980] and Fredkin gates [Fredkin and Toffoli 1982]; these are illustrated in Table 3.1. The Toffoli gate is just a doubly controlled NOT, i.e., the last bit is negated if and only if the first two bits ar...

114 | Oracle Quantum Computing - Berthiaume, Brassard - 1992 |

111 | Purification of noisy entanglement and faithful teleportation via noisy channels - Bennett, Brassard, et al. - 1996 |

94 | Time/space trade-offs for reversible computation - Bennett - 1989 |
Citation Context: ...e, then making it reversible in this manner will result in a large increase in the space required. There are methods that do not use as much space, but use more time, to make computations reversible [Bennett 1989, Levine and Sherman 1990]. While there is no general method that does not cause an increase in either space or time, specific algorithms can sometimes be made reversible without paying a large penalt...

79 | Quantum mechanical Hamiltonian models of Turing machines - Benioff - 1982 |

76 | A potentially realizable quantum computer - Lloyd - 1993 |
Citation Context: ...r, although it seems as though it might be possible within the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landaue...

72 | Universality of quantum computation - Deutsch, Barenco, et al. - 1995 |

70 | The number field sieve - Lenstra, Lenstra, et al. |
Citation Context: ...eman 1994]. This has resulted in a great improvement in the efficiency of factoring algorithms. Currently the best factoring algorithm, both asymptotically and in practice, is the number field sieve [Lenstra et al. 1990, Lenstra and Lenstra 1993], which in order to factor an integer n takes asymptotic running time $\exp(c (\log n)^{1/3} (\log \log n)^{2/3})$ for some constant c. Since the input n is only log n bits in length,...

67 | Discrete logarithms in GF(p) using the number field sieve - Gordon - 1993 |
Citation Context: ...number theory problems which have been studied extensively but for which no polynomial-time algorithms have yet been discovered are finding discrete logarithms and factoring integers [Pomerance 1987, Gordon 1993, Lenstra and Lenstra 1993, Adleman and McCurley 1994]. These problems are so widely believed to be hard that several cryptosystems based on their difficulty have been proposed, including the widely u...

55 | The quantum challenge to structural complexity theory - Berthiaume, Brassard - 1992 |

53 | Parallel quantum computation - Margolus - 1990 |

43 | Quantum computation with cold, trapped ions Phys - Cirac, Zoller - 1995 |
Citation Context: ...ms as though it might be possible within the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chu...

38 | The complexity of analog computation - Vergis, Steiglitz, et al. - 1986 |

37 | Is Quantum Mechanically Coherent Computation Useful - Landauer - 1995 |

35 | Fast algorithms – a multitape Turing machine implementation - Schönhage, Grotefeld, et al. - 1994 |

34 | Maintaining coherence in quantum computers, Phys - Unruh - 1995 |
Citation Context: ...and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; Palma, Suominen, and Ekert 1996]. The most difficult obstacles appear to involve the decoherence of quantum superpositions through the interaction of the computer with the enviro...

29 | A note on Bennett's time-space tradeoff for reversible computation - Levine, Sherman - 1990 |
Citation Context: ... it reversible in this manner will result in a large increase in the space required. There are methods that do not use as much space, but use more time, to make computations reversible [Bennett 1989, Levine and Sherman 1990]. While there is no general method that does not cause an increase in either space or time, specific algorithms can sometimes be made reversible without paying a large penalty in either space or time...

28 | Machine models and simulations - Boas, P - 1990 |

26 | Open problems in number-theoretic complexity ii - Adleman, McCurley - 1994 |
Citation Context: ...studied extensively but for which no polynomial-time algorithms have yet been discovered are finding discrete logarithms and factoring integers [Pomerance 1987, Gordon 1993, Lenstra and Lenstra 1993, Adleman and McCurley 1994]. These problems are so widely believed to be hard that several cryptosystems based on their difficulty have been proposed, including the widely used RSA public key cryptosystem developed by Rivest, ...

25 | Precision-sensitive Euclidean shortest path in 3-Space - Sellen, Choi, et al. - 1999 |

25 | Machines de Turing réversibles. Récursive insolubilité en n ∈ N de l’équation u = θ n , où θ est un “isomorphisme de codes - Lecerf |
Citation Context: ...m computation, a deterministic computation is performable on a quantum computer only if it is reversible. Luckily, it has already been shown that any deterministic computation can be made reversible [Lecerf 1963; Bennett 1973]. In fact, reversible classical gate arrays (or reversible acyclic circuits) have been studied. Much like the result that any classical computation can be done using NAND gates, there a...

23 | Conditional quantum dynamics and logic - Barenco, Deutsch, et al. - 1995 |
Citation Context: ...s. Some suggestions have been made as to possible designs for such computers [Teich, Obermayer, and Mahler 1988; Lloyd 1993, 1994; Cirac and Zoller 1995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; Palma, Suominen, and Ekert 1996]. The most difficu...

23 | An Approximate Fourier Transform Useful - Coppersmith - 1994 |

21 | Quantum computers, factoring, and decoherence - Chuang, Laflamme, et al. - 1995 |
Citation Context: ...995; DiVincenzo 1995; Sleator and Weinfurter 1995; Barenco et al. 1995b; Chuang and Yamomoto 1995], but there will be substantial difficulty in building any of these [Landauer 1995, 1997; Unruh 1995; Chuang et al. 1995; Palma, Suominen, and Ekert 1996]. The most difficult obstacles appear to involve the decoherence of quantum superpositions through the interaction of the computer with the environment, and the imple...

20 | On the power of multiplication in random access machines - Hartmanis, Simon - 1974 |

20 | Fast, rigorous factorization and discrete logarithm algorithms, in: Discrete Algorithms and Complexity - Pomerance - 1987 |
Citation Context: ...this paper. Two number theory problems which have been studied extensively but for which no polynomial-time algorithms have yet been discovered are finding discrete logarithms and factoring integers [Pomerance 1987, Gordon 1993, Lenstra and Lenstra 1993, Adleman and McCurley 1994]. These problems are so widely believed to be hard that several cryptosystems based on their difficulty have been proposed, including...

17 | Digital simulation of analog computation and Church’s thesis - Rubel - 1989 |

17 | Asymptotically fast algorithms for the numerical multiplication and division of polynomials with complex coefficients - Schönhage - 1982 |
Citation Context: ...nd multiplications of l-bit numbers (mod n). Asymptotically, the best classical result for gate arrays for multiplication is the Schönhage–Strassen algorithm [Schönhage and Strassen 1971, Knuth 1981, Schönhage 1982]. This gives a gate array for integer multiplication that uses $O(l \log l \log \log l)$ gates to multiply two l-bit numbers. Thus, asymptotically, modular exponentiation requires $O(l^2 \log l \log \log l)$ ti...

16 | Efficient networks for quantum factoring, Phys - Beckman, Devabhaktuni, Preskill - 1996 |

16 | Simulating physics with computers, Internat - Feynman - 1982 |