Paper 2024/2034

The Jacobi Factoring Circuit: Quantum Factoring with Near-Linear Gates and Sublinear Space and Depth

Gregory D. Kahanamoku-Meyer, Massachusetts Institute of Technology
Seyoon Ragavan, Massachusetts Institute of Technology
Vinod Vaikuntanathan, Massachusetts Institute of Technology
Katherine Van Kirk, Harvard University
Abstract

We present a compact quantum circuit for factoring a large class of integers, including some whose classical hardness is expected to be equivalent to RSA (but not including RSA integers themselves). To our knowledge, it is the first polynomial-time circuit to achieve sublinear qubit count for a classically-hard factoring problem; the circuit also achieves sublinear depth and nearly linear gate count. We build on the quantum algorithm for squarefree decomposition discovered by Li, Peng, Du and Suter (Nature Scientific Reports 2012), which relies on computing the Jacobi symbol in quantum superposition. Our circuit completely factors any number $N$, whose prime decomposition has distinct exponents, and finds at least one non-trivial factor if not all exponents are the same. In particular, to factor an $n$-bit integer $N=P^2 Q$ (with $P$ and $Q$ prime, and $Q<2^m$ for some $m$), our circuit uses $\widetilde{O}(m)$ qubits and has depth at most $\widetilde{O}(m + n/m)$, with $\widetilde{O}(n)$ quantum gates. When $m=\Theta(n^a)$ with $2/3 < a < 1$, the space and depth are sublinear in $n$, yet no known classical algorithms exploit the relatively small size of $Q$ to run faster than general-purpose factoring algorithms. We thus believe that factoring such numbers has potential to be the most concretely efficient classically-verifiable proof of quantumness currently known. The technical core of our contribution is a new space-efficient quantum algorithm to compute the Jacobi symbol of $A$ mod $B$, in the regime where $B$ is classical and much larger than $A$. Crucially, our circuit reads the bits of the classical value $B$ in a streaming fashion, never storing more than $\widetilde{O}(\log A)$ qubits of quantum information at one time. In the context of the larger Jacobi algorithm for factoring $N = P^2Q$, this reduces the overall qubit count to be roughly proportional to the length of $Q$, rather than the length of $N$. Our circuit for computing the Jacobi symbol is also highly gate-efficient and parallelizable, achieving gate count $\widetilde{O}(\log B)$ and depth at most $\widetilde{O}(\log A + \log B/\log A)$. Finally, we note that our circuit for computing the Jacobi symbol generalizes to related problems, such as computing the greatest common divisor, and thus could be of independent interest.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
factoringquantumShor's algorithmsquarefree decomposition
Contact author(s)
gkm @ mit edu
sragavan @ mit edu
vinodv @ mit edu
kvankirk @ g harvard edu
History
2024-12-18: revised
2024-12-17: received
See all versions
Short URL
https://ia.cr/2024/2034
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/2034,
      author = {Gregory D. Kahanamoku-Meyer and Seyoon Ragavan and Vinod Vaikuntanathan and Katherine Van Kirk},
      title = {The Jacobi Factoring Circuit: Quantum Factoring with Near-Linear Gates and Sublinear Space and Depth},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/2034},
      year = {2024},
      url = {https://eprint.iacr.org/2024/2034}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.