Algorithms for Quantum Computation: Discrete Logarithms and Factoring

Peter W. Shor
AT&T Bell Labs, Room 2D-149, 600 Mountain Ave., Murray Hill, NJ 07974, USA

Abstract

A computer is generally considered to be a universal computational device; i.e., it is believed able to simulate any physical computational device with a cost in computation time of at most a polynomial factor. It is not clear whether this is still true when quantum mechanics is taken into consideration. Several researchers, starting with David Deutsch, have developed models for quantum mechanical computers and have investigated their computational properties. This paper gives Las Vegas algorithms for finding discrete logarithms and factoring integers on a quantum computer that take a number of steps which is polynomial in the input size, e.g., the number of digits of the integer to be factored. These two problems are generally considered hard on a classical computer and have been used as the basis of several proposed cryptosystems. (We thus give the first examples of quantum cryptanalysis.)

1 Introduction

Since the discovery of quantum mechanics, people have found the behavior of the laws of probability in quantum mechanics counterintuitive. Because of this behavior, quantum mechanical phenomena behave quite differently than the phenomena of classical physics that we are used to. Feynman seems to have been the first to ask what effect this has on computation [13, 14]. He gave arguments as to why this behavior might make it intrinsically computationally expensive to simulate quantum mechanics on a classical (or von Neumann) computer. He also suggested the possibility of using a computer based on quantum mechanical principles to avoid this problem, thus implicitly asking the converse question: by using quantum mechanics in a computer can you compute more efficiently than on a classical computer?
Other early work in the field of quantum mechanics and computing was done by Benioff [1, 2]. Although he did not ask whether quantum mechanics conferred extra power to computation, he did show that a Turing machine could be simulated by the reversible unitary evolution of a quantum process, which is a necessary prerequisite for quantum computation. Deutsch [9, 10] was the first to give an explicit model of quantum computation. He defined both quantum Turing machines and quantum circuits and investigated some of their properties.

0272-5428/94 $04.00 © 1994 IEEE

The next part of this paper discusses how quantum computation relates to classical complexity classes. We will thus first give a brief intuitive discussion of complexity classes for those readers who do not have this background. There are generally two resources which limit the ability of computers to solve large problems: time and space (i.e., memory). The field of analysis of algorithms considers the asymptotic demands that algorithms make for these resources as a function of the problem size. Theoretical computer scientists generally classify algorithms as efficient when the number of steps of the algorithms grows as a polynomial in the size of the input. The class of problems which can be solved by efficient algorithms is known as P. This classification has several nice properties. For one thing, it does a reasonable job of reflecting the performance of algorithms in practice (although an algorithm whose running time is the tenth power of the input size, say, is not truly efficient). For another, this classification is nice theoretically, as different reasonable machine models produce the same class P. We will see this behavior reappear in quantum computation, where different models for quantum machines will vary in running times by no more than polynomial factors. There are also other computational complexity classes discussed in this paper.
One of these is PSPACE, which are those problems which can be solved with an amount of memory polynomial in the input size. Another important complexity class is NP, which intuitively is the class of exponential search problems. These are problems which may require the search of an exponential size space to find the solution, but for which the solution, once found, may be verified in polynomial time (possibly with a polynomial amount of additional supporting evidence). We will also discuss two other traditional complexity classes. One is BPP, which are problems which can be solved with high probability in polynomial time, given access to a random number generator. The other is $P^{\#P}$, which are those problems which could be solved in polynomial time if sums of exponentially many terms could be computed efficiently (where these sums must satisfy the requirement that each term is computable in polynomial time). These classes are related as follows: $P \subseteq BPP$, $NP \subseteq P^{\#P} \subseteq PSPACE$. The relationship of BPP and NP is not known.

The question of whether using quantum mechanics in a computer allows one to obtain more computational power has not yet been satisfactorily answered. This question was addressed in [11, 6, 7], but it was not shown how to solve any problem in quantum polynomial time that was not known to be solvable in BPP (the class of problems which can be solved in polynomial time with a bounded probability of error). Recent work on this problem was stimulated by Bernstein and Vazirani's paper [5] which laid the foundations of the quantum computation theory of computational complexity.
One of the results contained in this paper was an oracle problem (a problem involving a "black box" subroutine) which can be done in polynomial time on a quantum Turing machine and requires superpolynomial time on a classical computer. This was the first indication, other than the fact that nobody knew how to simulate a quantum computer on a classical computer without an exponential slowdown, that quantum computation might obtain a greater than polynomial speedup over classical computation augmented with a random number generator. This result was improved by Simon [28], who gave a much simpler construction of an oracle problem which takes polynomial time on a quantum computer and requires exponential time on a classical computer. Indeed, by viewing Simon's oracle as a subroutine, this result becomes a promise problem which takes polynomial time on a quantum computer and looks as if it would be very difficult on a classical computer. The algorithm for the "easy case" of discrete log given in this paper is directly analogous to Simon's algorithm with the group $\mathbb{Z}_2^k$ replaced by the group $\mathbb{Z}_{p-1}$; I was only able to discover this algorithm after seeing Simon's paper.

In another result in Bernstein and Vazirani's paper, a particular class of quantum Turing machine was rigorously defined and a universal quantum Turing machine was given which could simulate any other quantum Turing machine of this class. Unfortunately, it was not clear whether these quantum Turing machines could simulate other classes of quantum Turing machines, so this result was not entirely satisfactory. Yao [32] has remedied the situation by showing that quantum Turing machines can simulate, and be simulated by, uniform families of polynomial size quantum circuits, with at most polynomial slowdown.
He has further defined quantum Turing machines with $k$ heads and showed that these machines can be simulated with slowdown of a factor of 2. This seems to show that the class of problems which can be solved in polynomial time on one of these machines, possibly with a bounded probability $\epsilon < 1/3$ of error, is reasonably robust. This class is called BQP in analogy to the classical complexity class BPP, which are those problems which can be solved with a bounded probability of error on a probabilistic Turing machine. This class BQP could be considered the class of problems that are efficiently solvable on a quantum Turing machine.

Since $BQP \subseteq P^{\#P} \subseteq PSPACE$ [5], any non-relativized proof that BQP is strictly larger than BPP would imply the structural complexity result $BPP \subsetneq PSPACE$ which is not yet proven. In view of this difficulty, several approaches come to mind; one is showing that $BQP \subseteq BPP$ would lead to a collapse of classical complexity classes which are believed to be different. A second approach is to prove results relative to an oracle. In Bennett et al. [4] it is shown that relative to a random oracle it is not the case that $NP \subseteq BQP$. This proof in fact suggests that a quantum computer cannot invert one-way functions, but only proves this for one-way oracles, i.e., "black box" functions given as a subroutine which the quantum computer is not allowed to look inside. Such oracle results have been misleading in the past, most notably in the case of IP = PSPACE [15, 27]. A third approach, which we take, is to solve in BQP some well-studied problem for which no polynomial time algorithm is known. This shows that the extra power conferred by quantum interference is at least hard to achieve using classical computation.
Both Bernstein and Vazirani [5] and Simon [28] also gave polynomial time algorithms for problems which were not known to be in BPP, but these problems were invented especially for this purpose, although Simon's problem does not appear contrived and could conceivably be useful. Discrete logarithms and integer factoring are two number theory problems which have been studied extensively but for which no polynomial-time algorithms are known [16, 19, 20, 25]. In fact, these problems are so widely believed to be hard that cryptosystems based on their hardness have been proposed, and the RSA public key cryptosystem [26], based on the hardness of factoring, is in use. We show that these problems can be solved in BQP.

Currently, nobody knows how to build a quantum computer, although it seems as though it could be possible within the laws of quantum mechanics. Some suggestions have been made as to possible designs for such computers [29, 21, 22, 12], but there will be substantial difficulty in building any of these [18, 31]. Even if it is possible to build small quantum computers, scaling up to machines large enough to do interesting computations could present fundamental difficulties. It is hoped that this paper will stimulate research on whether it is feasible to actually construct a quantum computer.

Even if no quantum computer is ever built, this research does illuminate the problem of simulating quantum mechanics on a classical computer. Any method of doing this for an arbitrary Hamiltonian would necessarily be able to simulate a quantum computer.
Thus, any general method for simulating quantum mechanics with at most a polynomial slowdown would lead to a polynomial algorithm for factoring.

2 Quantum computation

In this section we will give a brief introduction to quantum computation, emphasizing the properties that we will use. For a more complete overview I refer the reader to Simon's paper in this proceedings [28] or to earlier papers on quantum computational complexity theory [5, 32].

In quantum physics, an experiment behaves as if it proceeds down all possible paths simultaneously. Each of these paths has a complex probability amplitude determined by the physics of the experiment. The probability of any particular outcome of the experiment is proportional to the square of the absolute value of the sum of the amplitudes of all the paths leading to that outcome. In order to sum over a set of paths, the outcomes have to be identical in all respects, i.e., the universe must be in the same state. A quantum computer behaves in much the same way. The computation proceeds down all possible paths at once, and each path has associated with it a complex amplitude. To determine the probability of any final state of the machine, we add the amplitudes of all the paths which reach that final state, and then square the absolute value of this sum.

An equivalent way of looking at this process is to imagine that the machine is in some superposition of states at every step of the computation. We will represent this superposition of states as $\sum_i a_i |S_i\rangle$, where the amplitudes $a_i$ are complex numbers such that $\sum_i |a_i|^2 = 1$ and each $|S_i\rangle$ is a basis state of the machine; in a quantum Turing machine, a basis state is defined by what is written on the tape and by the position and state of the head.
In a quantum circuit, a basis state is defined by the values of the signals on all the wires at some level of the circuit. If the machine is examined at a particular step, the probability of seeing basis state $|S_i\rangle$ is $|a_i|^2$; however, by the Heisenberg uncertainty principle, looking at the machine during the computation will disturb the rest of the computation.

The laws of quantum mechanics only permit unitary transformations of the state. A unitary matrix is one whose conjugate transpose is equal to its inverse, and requiring state transformations to be represented by unitary matrices ensures that the probabilities of obtaining all possible outcomes will add up to one. Further, the definitions of quantum Turing machine and quantum circuit only allow local unitary transformations, that is, unitary transformations on a fixed number of bits.

Perhaps an example will be informative at this point. Suppose our machine is in the superposition of states
$$\tfrac{1}{\sqrt{2}}\,|000\rangle + \tfrac{1}{2}\,|100\rangle - \tfrac{1}{2}\,|110\rangle \qquad (2.2)$$
and we apply the unitary transformation
$$\frac{1}{2}\begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & i & -1 & -i \\ 1 & -1 & 1 & -1 \\ 1 & -i & -1 & i \end{pmatrix} \qquad (2.3)$$
to the last two bits of our state. That is, we multiply the last two bits of the components of the vector (2.2) by the matrix (2.3). The machine will then go to the superposition of states
$$\tfrac{1}{2\sqrt{2}}\big(|000\rangle + |001\rangle + |010\rangle + |011\rangle\big) + \tfrac{1}{2}\,|101\rangle + \tfrac{1}{2}\,|111\rangle \qquad (2.4)$$
Notice that the result would have been different had we started with the superposition of states $\tfrac{1}{\sqrt{2}}|000\rangle + \tfrac{1}{2}|100\rangle + \tfrac{1}{2}|110\rangle$, which has the same probabilities of being in any particular configuration if it is observed.

We now give certain properties of quantum computation that will be useful. These facts are not immediately apparent from the definition of quantum Turing machine or quantum circuit, and they are very useful for constructing algorithms for quantum machines.
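The transformation of the example above, (2.2) to (2.4), carried out numerically. This is an added example, not code from the paper; it assumes that the 4x4 matrix applied to the last two bits is the 4-point Fourier transform (entries $\exp(2\pi i a c/4)/2$), and the basis-string representation and helper names are ours. Running it on the alternative starting state shows the interference the text describes: the two inputs have identical observation probabilities but give different outputs.

```python
import cmath
import math


def fourier_matrix(q):
    """The q-by-q matrix with (a, c) entry exp(2*pi*i*a*c/q)/sqrt(q); for q = 4 this is the
    transformation assumed for (2.3)."""
    return [[cmath.exp(2j * math.pi * a * c / q) / math.sqrt(q) for c in range(q)]
            for a in range(q)]


def apply_to_last_two_bits(state, matrix):
    """Apply a 4x4 unitary to the last two bits of a superposition.

    `state` maps basis strings such as "110" to complex amplitudes.  The matrix acts
    on the column indexed by the last two bits; amplitudes that reach the same basis
    state are added, which is where interference happens.  Entries that cancel to
    (numerically) zero are dropped.
    """
    out = {}
    for basis, amp in state.items():
        prefix, tail = basis[:-2], basis[-2:]
        col = int(tail, 2)
        for row in range(4):
            key = prefix + format(row, "02b")
            out[key] = out.get(key, 0) + amp * matrix[row][col]
    return {k: v for k, v in out.items() if abs(v) > 1e-9}


def probabilities(state):
    """|amplitude|^2 per basis state; for a unitary map these still sum to 1."""
    return {k: abs(v) ** 2 for k, v in state.items()}


# The state (2.2), and the alternative start mentioned in the text (constructed inputs).
STATE_22 = {"000": 1 / math.sqrt(2), "100": 0.5, "110": -0.5}
STATE_ALT = {"000": 1 / math.sqrt(2), "100": 0.5, "110": 0.5}

if __name__ == "__main__":
    for name, start in (("(2.2)", STATE_22), ("alternative", STATE_ALT)):
        result = apply_to_last_two_bits(start, fourier_matrix(4))
        print(name, {k: round(v.real, 4) for k, v in sorted(result.items())})
```

Only the relative sign of the $|100\rangle$ and $|110\rangle$ components differs between the two inputs, yet one produces $|101\rangle, |111\rangle$ and the other $|100\rangle, |110\rangle$: the matrix mixes the two columns, and the phases decide whether they add or cancel.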
Fact 1: A deterministic computation is performable on a quantum computer if and only if it is reversible. From results on reversible computation [3, 30], we can compute any polynomial time function $f(a)$ as long as we keep the input, $a$, on the machine. To erase $a$ and replace it with $f(a)$ we need in addition that $f$ is one-to-one and that $a$ is computable in polynomial time from $f(a)$; i.e., that both $f$ and $f^{-1}$ are polynomial-time computable.

Fact 2: Any polynomial size unitary matrix can be approximated using a polynomial number of elementary unitary transformations [10, 5, 32] and thus can be approximated in polynomial time on a quantum computer. Further, this approximation is good enough so as to introduce at most a bounded probability of error into the results of the computation.

3 Building unitary transformations

Since quantum computation deals with unitary transformations, it is helpful to be able to build certain useful unitary transformations. In this section we give some techniques for constructing unitary transformations on quantum machines, which will result in our showing how to construct one particular unitary transformation in polynomial time. These transformations will generally be given as matrices, with both rows and columns indexed by states. These states will correspond to representations of integers on the computer; in particular, the rows and columns will be indexed beginning with 0 unless otherwise specified.

A tool we will use repeatedly in this paper is the following unitary transformation, the summation of which gives a Fourier transform. Consider a number $a$ with $0$

in the process). Now, combining (2) and (3) to obtain $b = ma_1 + a_2$ gives the result of $B$ applied to $a$ (with the right amplitude). The computation of $B'$ takes $T(\cdot)$ time, and the rest of the computation is polynomial in $\log m + \log n$. We now show how to obtain $A_q$ for smooth $q$.
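A numerical check of the factorization $A_q = CD$ that this section constructs for $q = q_1 q_2$ with $\gcd(q_1, q_2) = 1$; it is an added example and not part of the paper. It builds $C$ and $D$ with the index split $a = \alpha_1 q_2 + \alpha_2$, $b = \beta_1 q_1 + \beta_2$, $c = \gamma_1 q_1 + \gamma_2$ and the constant $u \equiv 0 \pmod{q_1}$, $u \equiv -1 \pmod{q_2}$ with $u + 1 \equiv t q_2 \pmod q$; $C$ is non-zero only where $\alpha_2 = \beta_1$ and $D$ only where $\beta_2 = \gamma_2$. It verifies $CD = A_q$ for $q = 15$ and confirms the block structure: every block of $C$ is $A_{q_1}$ once rows are relabeled by $\alpha = \alpha_1 + \alpha_2 t \pmod{q_1}$, and every block of $D$ is $A_{q_2}$ once columns are relabeled by $\gamma_1 \mapsto \gamma_1 - \beta_2 s \pmod{q_2}$ where $u = s q_1$ (that second relabeling is our explicit form of the rearrangement of $D$ that the text leaves to the reader). Function names are ours.

```python
import cmath
import math


def root(q, k):
    """exp(2 pi i k / q): the k-th power of a primitive q-th root of unity."""
    return cmath.exp(2j * math.pi * (k % q) / q)


def fourier(q):
    """A_q: the q x q unitary with (a, c) entry exp(2 pi i a c / q) / sqrt(q)."""
    return [[root(q, a * c) / math.sqrt(q) for c in range(q)] for a in range(q)]


def twiddle(q1, q2):
    """u with u = 0 (mod q1), u = -1 (mod q2), and t with u + 1 = t q2 (mod q1 q2)."""
    if math.gcd(q1, q2) != 1:
        raise ValueError("q1 and q2 must be relatively prime")
    q = q1 * q2
    u = next(v for v in range(q) if v % q1 == 0 and v % q2 == q2 - 1)  # exists by CRT
    return u, ((u + 1) // q2) % q1


def factor_fourier(q1, q2):
    """C and D with A_{q1 q2} = C D; indices split as a = a1 q2 + a2, b = b1 q1 + b2,
    c = c1 q1 + c2 (a is the asymmetric one)."""
    q = q1 * q2
    u, _ = twiddle(q1, q2)
    C = [[0j] * q for _ in range(q)]
    D = [[0j] * q for _ in range(q)]
    for a in range(q):
        a1, a2 = divmod(a, q2)
        for b in range(q):
            b1, b2 = divmod(b, q1)
            if a2 == b1:                      # C is non-zero only on a2 = b1
                C[a][b] = root(q, a1 * b2 * q2 + b1 * b2 * (u + 1)) / math.sqrt(q1)
    for b in range(q):
        b1, b2 = divmod(b, q1)
        for c in range(q):
            c1, c2 = divmod(c, q1)
            if b2 == c2:                      # D is non-zero only on b2 = c2
                D[b][c] = root(q, b1 * c1 * q1 - b1 * b2 * u) / math.sqrt(q2)
    return C, D


def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def max_diff(X, Y):
    return max(abs(X[i][j] - Y[i][j]) for i in range(len(X)) for j in range(len(X)))


def decomposition_error(q1, q2):
    """Largest entry-wise deviation between C D and A_{q1 q2}; zero up to rounding."""
    C, D = factor_fourier(q1, q2)
    return max_diff(matmul(C, D), fourier(q1 * q2))


def block_error(q1, q2):
    """Largest deviation of the relabeled blocks of C from A_{q1} and of D from A_{q2}."""
    q = q1 * q2
    u, t = twiddle(q1, q2)
    s = u // q1                               # u = s q1 exactly
    C, D = factor_fourier(q1, q2)
    A1, A2 = fourier(q1), fourier(q2)
    err = 0.0
    for a in range(q):
        a1, a2 = divmod(a, q2)
        for b in range(q):
            b1, b2 = divmod(b, q1)
            if a2 == b1:                      # block a2 of C, row relabeled to alpha
                err = max(err, abs(C[a][b] - A1[(a1 + a2 * t) % q1][b2]))
    for b in range(q):
        b1, b2 = divmod(b, q1)
        for c in range(q):
            c1, c2 = divmod(c, q1)
            if b2 == c2:                      # block b2 of D, column relabeled to gamma
                err = max(err, abs(D[b][c] - A2[b1][(c1 - b2 * s) % q2]))
    return err


if __name__ == "__main__":
    print("max |CD - A_15| =", decomposition_error(3, 5))
    print("max block deviation =", block_error(3, 5))
```

Each row of $C$ and of $D$ has a single non-zero entry per block, so applying $A_q$ this way costs one application of $A_{q_1}$ and one of $A_{q_2}$ plus two index permutations, which is the recursion the text uses.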
We will decompose $A_q$ into a product of a polynomial number of unitary transformations, all of which are performable in polynomial time; this enables us to construct $A_q$ in polynomial time. Suppose that we have $q = q_1 q_2$ with $\gcd(q_1, q_2) = 1$. What we will do is represent $A_q = CD$, where by rearranging the rows and columns of $D$ we obtain $\bigoplus_{q_1} A_{q_2}$, and rearranging the rows and columns of $C$ we obtain $\bigoplus_{q_2} A_{q_1}$. As long as these rearrangements of the rows and columns of $C$ and $D$ are performable in polynomial time (i.e., given row $i$, we can find in polynomial time the row to which it is taken) and the inverse operations are also performable in polynomial time, then by using the lemma above and recursion we can obtain a polynomial-time way to perform $A_q$ on a quantum computer.

We now need to define $C$ and $D$ and check that $A_q = CD$. To define $C$ and $D$ we need some preliminary definitions. Recall that $q = q_1 q_2$ with $q_1$ and $q_2$ relatively prime. Let $\omega = \exp(2\pi i/q)$. Let $u$ be the number (mod $q$) such that $u \equiv 0 \pmod{q_1}$ and $u \equiv -1 \pmod{q_2}$. Such a number exists by the Chinese remainder theorem, and can be computed in polynomial time. We will decompose row and column indices $a$, $b$ and $c$ as follows: $a = \alpha_1 q_2 + \alpha_2$, $b = \beta_1 q_1 + \beta_2$, and $c = \gamma_1 q_1 + \gamma_2$, with $0 \le \alpha_1, \beta_2, \gamma_2 < q_1$ and $0 \le \alpha_2, \beta_1, \gamma_1 < q_2$. Note the asymmetry in the definitions of $a$, $b$ and $c$. We can now define $C$ and $D$:
$$C(a,b) = \begin{cases} \dfrac{1}{\sqrt{q_1}}\,\omega^{\alpha_1\beta_2 q_2 + \beta_1\beta_2(u+1)} & \text{if } \alpha_2 = \beta_1, \\ 0 & \text{otherwise,} \end{cases} \qquad (3.2)$$
and
$$D(b,c) = \begin{cases} \dfrac{1}{\sqrt{q_2}}\,\omega^{\beta_1\gamma_1 q_1 - \beta_1\beta_2 u} & \text{if } \beta_2 = \gamma_2, \\ 0 & \text{otherwise.} \end{cases} \qquad (3.3)$$
It is easy to see that $CD(a,c) = C(a,b)D(b,c)$ where $b = \alpha_2 q_1 + \gamma_2$, since we need $\alpha_2 = \beta_1$ and $\beta_2 = \gamma_2$ to ensure non-zero entries in $C(a,b)$ and $D(b,c)$. Now,
$$CD(a,c) = \frac{1}{\sqrt{q_1 q_2}}\,\omega^{\alpha_1\gamma_2 q_2 + \alpha_2\gamma_2(u+1) + \alpha_2\gamma_1 q_1 - \alpha_2\gamma_2 u} = \frac{1}{\sqrt{q}}\,\omega^{\alpha_1\gamma_2 q_2 + \alpha_2\gamma_1 q_1 + \alpha_2\gamma_2} = \frac{1}{\sqrt{q}}\,\omega^{ac}, \qquad (3.4)$$
since $ac = \alpha_1\gamma_1 q + \alpha_1\gamma_2 q_2 + \alpha_2\gamma_1 q_1 + \alpha_2\gamma_2$ and $\omega^q = 1$; so $CD(a,c) = A_q(a,c)$.

We will now sketch how to rearrange the rows and columns of $C$ to get the matrix $\bigoplus_{q_2} A_{q_1}$. The matrix $C$ can be put in block-diagonal form where the blocks are indexed by $\alpha_2 = \beta_1$ (since all entries with $\alpha_2 \ne \beta_1$ are 0). Let $u + 1 \equiv t q_2 \pmod q$. Within a given block $\alpha_2$ the entries look like
$$\sqrt{q_1}\,C(a,b) = \exp\big(2\pi i(\alpha_1\beta_2 q_2 + \beta_1\beta_2(u+1))/q\big) = \exp\big(2\pi i(\alpha_1\beta_2 + \beta_1\beta_2 t)q_2/q\big) = \exp\big(2\pi i(\alpha_1 + \alpha_2 t)\beta_2/q_1\big). \qquad (3.5)$$
Thus if we rearrange the rows within this block so that they are indexed by $\alpha = \alpha_1 + \alpha_2 t \pmod{q_1}$, we obtain the transformation $\alpha \to \beta_2$ with amplitude $\frac{1}{\sqrt{q_1}}\exp(2\pi i\alpha\beta_2/q_1)$; that is, the transformation given by the unitary matrix with the $(\alpha, \beta_2)$ entry equal to $\frac{1}{\sqrt{q_1}}\exp(2\pi i\alpha\beta_2/q_1)$, which is $A_{q_1}$. The matrix $D$ can similarly be rearranged to obtain the matrix $\bigoplus_{q_1} A_{q_2}$.

We also need to show how to find a smooth $q$ that lies between $n$ and $2n$ in polynomial time. There are actually smooth $q$ much closer to $n$ than this, but this is all we need. It is not known how to find smooth numbers very close to $n$ in polynomial time.

Lemma 3.2 Given $n$, there is a polynomial-time algorithm to find a number $q$ with $n < q < 2n$ such that no prime power larger than $c\log n$ divides $q$, for some constant $c$ independent of $n$.

Proof: To find such a $q$, multiply the primes $2 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdots p_k$ until the product is larger than $n$. Now, if this product is larger than $2n$, divide it by the largest prime that keeps the number larger than $n$. This produces the desired $q$. There is always a prime between $m$ and $2m$ [17, Theorem 418], so

$\log p$. (Actually, from [17, Theorem 328], $\liminf \phi(p-1)/(p-1) \approx e^{-\gamma}/\log\log p$.) Thus we only need a number of experiments that is polynomial in $\log p$ to obtain $r$ with high probability. In fact, we can find a set of $c$'s such that at least one is relatively prime to every prime divisor of $p-1$ by repeating the experiment only an expected constant number of times. This would also give us enough information to obtain $r$.

5 A note on precision

The number of bits of precision needed in the amplitude of quantum mechanical computers could be a barrier to practicality.
The generally accepted theoretical dividing line between feasible and infeasible is that polynomial precision (i.e., a number of bits logarithmic in the problem size) is feasible and that more is infeasible. This is because on a quantum computer the phase angle would need to be obtained through some physical device, and constructing such devices with better than polynomial precision seems unquestionably impractical. In fact, even polynomial precision may prove to be impractical; however, using this as the theoretical dividing line results in nice theoretical properties.

We thus need to show that the computations in the previous section need to use only polynomial precision in the amplitudes. The very act of writing down the expression $\exp(2\pi i ac/(p-1))$ seems to imply that we need exponential precision, as this phase angle is exponentially precise. Fortunately, this is not the case. Consider the same matrix $A_{p-1}$ with every term $\exp(2\pi i ac/(p-1))$ replaced by a term whose phase angle is off from $2\pi ac/(p-1)$ by at most $\pi/20$. Each positive case, i.e., one resulting in $d \equiv -rc$, will still occur with nearly as large probability as before: instead of adding $p-1$ amplitudes which have exactly the same phase angle, we add $p-1$ amplitudes which have nearly the same phase angle, and thus the size of the sum will only be reduced by a constant factor. The algorithm will thus give a $(c,d)$ with $d \equiv -rc$ with constant probability (instead of probability 1).

Recall that we obtain the matrix $A_{p-1}$ by multiplying at most $\log p$ matrices $A_{q_i}$. Further, each entry in $A_{q_i}$ is the product of at most $\log p$ terms. Suppose that each phase angle were off by at most $\epsilon/\log p$ in the $A_{q_i}$'s. Then in the product, each phase angle would be off by at most $\epsilon$, which is enough to perform the computation with constant probability of success. A similar argument shows that the magnitude of the amplitudes in the $A_{q_i}$ can be off by a polynomial fraction.
Similar arguments hold for the general case of discrete log and for factoring to show that we need only polynomial precision for the amplitudes in these cases as well.

We still need to show how to construct $A_{q_i}$ from constant size unitary matrices having limited precision. The arguments are much the same as above, but we will not give them in this paper because, in fact, Bennett et al. [4] have shown that it is sufficient to use polynomial precision for any computation on a quantum Turing machine to obtain the answer with high probability.

Since precision could easily be the limiting factor for practicality of quantum computation, it might be advisable to investigate how much precision is actually needed for quantum algorithms. Although Bernstein and Vazirani [5] show that the number of bits of precision needed is never more than the logarithm of the number of computational steps a quantum computer takes, in some algorithms it could conceivably require less. Interesting open questions are whether it is possible to do discrete logarithms or factoring with less than polynomial precision and whether some tradeoff between precision and time is possible.

6 Factoring

The algorithm for factoring is similar to the one for the general case of discrete log, only somewhat simpler. I present this algorithm before the general case of discrete log so as to give the three algorithms in this paper in order of increasing complexity. Readers interested in discrete log may skip to the next section.

Instead of giving a quantum computer algorithm to factor $n$, we will give a quantum computer algorithm for finding the order of an element $x$ in the multiplicative group (mod $n$); that is, the least integer $r$ such that $x^r \equiv 1 \pmod n$. There is a randomized reduction from factoring to the order of an element [23].

To factor an odd number $n$, given a method for computing the order of an element, we choose a random $x$, find the order $r$ of $x$, and compute $\gcd(x^{r/2} - 1, n)$.
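A classical simulation of the order-finding procedure of this section and of the reduction to factoring, added here and not code from the paper. For a small $n$ it computes exactly the probabilities a quantum computer would produce for the Fourier outcome $c$ (the amplitude of $|c, x^k \bmod n\rangle$ is $\frac{1}{q}\sum_{a < q:\, x^a \equiv x^k}\exp(2\pi i ac/q)$), chooses $q$ by the Lemma 3.2 construction applied to $2n^2$, recovers $d/r$ from $c/q$ by rounding to the nearest fraction with denominator below $n$ (Python's Fraction.limit_denominator, which walks the continued-fraction expansion), certifies $r$, and applies the $\gcd(x^{r/2} - 1, n)$ step. Instead of sampling $c$ at random it tries outcomes in decreasing order of probability, which keeps the run deterministic; the prime table, the choice $n = 15$ and all function names are ours. It also exhibits the failure case of the reduction: $x = 14 \equiv -1 \pmod{15}$ has order 2 and $x^{r/2} \equiv -1$, so the gcd step yields nothing.

```python
import cmath
import math
from fractions import Fraction

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def smooth_q(n):
    """Lemma 3.2: a square-free q with n < q <= 2n built from the smallest primes."""
    product, used = 1, []
    for p in SMALL_PRIMES:
        product *= p
        used.append(p)
        if product > n:
            break
    else:
        raise ValueError("prime table too short for this n")
    if product > 2 * n:
        for p in reversed(used):              # largest prime that keeps the product above n
            if product // p > n:
                return product // p
    return product


def outcome_distribution(x, n, q):
    """Exact probability of each Fourier outcome c, summed over the observed y = x^k mod n.

    For fixed y the amplitude of |c, y> is (1/q) * sum_{a < q : x^a = y} exp(2 pi i a c / q).
    A quantum computer produces this by interference; here it is summed term by term.
    """
    exponents_by_residue = {}
    y = 1
    for a in range(q):
        exponents_by_residue.setdefault(y, []).append(a)
        y = (y * x) % n
    probs = []
    for c in range(q):
        total = 0.0
        for exponents in exponents_by_residue.values():
            amp = sum(cmath.exp(2j * math.pi * a * c / q) for a in exponents) / q
            total += abs(amp) ** 2
        probs.append(total)
    return probs


def order_from_outcome(c, q, n, x):
    """Round c/q to the nearest d/r with r < n (continued fractions) and certify r as the order."""
    r = Fraction(c, q).limit_denominator(n - 1).denominator
    if pow(x, r, n) != 1 or any(pow(x, s, n) == 1 for s in range(1, r)):
        return None                           # d shared a factor with r, or c was not close to d/r
    return r


def find_order(x, n):
    """Order of x mod n by the procedure of Section 6, deterministic: outcomes are tried in
    decreasing likelihood instead of being sampled."""
    q = smooth_q(2 * n * n)                   # 2n^2 < q <= 4n^2
    probs = outcome_distribution(x, n, q)
    for c in sorted(range(q), key=lambda c: -probs[c]):
        r = order_from_outcome(c, q, n, x)
        if r is not None:
            return r
    return None


def factor_with_order(n, x, r):
    """gcd(x^{r/2} - 1, n); fails exactly when r is odd or x^{r/2} = -1 (mod n)."""
    if r is None or r % 2:
        return None
    half = pow(x, r // 2, n)
    if half == n - 1:
        return None
    g = math.gcd(half - 1, n)
    return g if 1 < g < n else None


def shor_factor(n, x):
    return factor_with_order(n, x, find_order(x, n))


if __name__ == "__main__":
    print("q for n = 15:", smooth_q(2 * 15 * 15))
    print("order of 2 mod 15:", find_order(2, 15), "-> factor", shor_factor(15, 2))
    print("x = 14 = -1 mod 15: order", find_order(14, 15), "-> factor", shor_factor(15, 14))
```

For $n = 15$, $x = 2$ the distribution peaks at $c \in \{0, 115, 116, 231, 346, 347\}$, the values within $1/2q$ of a multiple of $q/4$; $c = 0$ and $c = 231$ give $d/r = 0/1$ and $1/2$ (the case where $d$ is not coprime to $r$) and are rejected by the certification, while $c = 115$ gives $1/4$ and hence $r = 4$.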
This fails to give a non-trivial divisor of $n$ only if $r$ is odd or if $x^{r/2} \equiv -1 \pmod n$. Using this criterion, it can be shown that the algorithm finds a factor of $n$ with probability at least $1 - 1/2^{k-1}$, where $k$ is the number of distinct prime factors of $n$. This scheme will thus work as long as $n$ is not a prime power; however, factoring prime powers can be done efficiently with classical methods.

Given $x$ and $n$, to find $r$ such that $x^r \equiv 1 \pmod n$, we do the following. First, we find a smooth $q$ with $2n^2 \le q$

Since $q > 2n^2$, there is at most one fraction $d/r$ with $r < n$ that satisfies the above inequality. Thus, we can obtain the fraction $d/r$ in lowest terms by rounding $c/q$ to the nearest fraction having a denominator smaller than $n$. This fraction can be found in polynomial time by using the continued fraction expansion of $c/q$, which finds all the best approximations of $c/q$ by fractions [17, Chapter X]. If we have the fraction $d/r$ in lowest terms, and if $d$ happens to be relatively prime to $r$, this will give us $r$.

We will now count the number of states $|c, x^k \pmod n\rangle$ which enable us to compute $r$ in this way. There are $\phi(r)$ possible values for $d$ relatively prime to $r$, where $\phi$ is Euler's $\phi$ function. Each of these fractions $d/r$ is close to one fraction $c/q$ with $|c/q - d/r| \le 1/2q$. There are also $r$ possible values for $x^k$, since $r$ is the order of $x$. Thus, there are $r\phi(r)$ states $|c, x^k \pmod n\rangle$ which would enable us to obtain $r$. Since each of these states occurs with probability at least $1/3r^2$, we obtain $r$ with probability at least $\phi(r)/3r$. Using the theorem that $\phi(r)/r > k/\log\log r$ for some fixed $k$ [17, Theorem 328], this shows that we find $r$ at least a $k/\log\log r$ fraction of the time, so by repeating this experiment only $O(\log\log r)$ times, we are assured of a high probability of success.

Note that in the algorithm for order, we did not use many of the properties of multiplication (mod $n$). In fact, if we have a permutation $f$ mapping the set $\{0, 1, 2, \ldots, n-1\}$ into itself such that its $k$th iterate, $f^{(k)}(a)$,
is computable in time polynomial in $\log n$ and $\log k$, the same algorithm will be able to find the order of an element $a$ under $f$, i.e., the minimum $r$ such that $f^{(r)}(a) = a$.

7 Discrete log: the general case

For the general case, we first find a smooth number $q$ such that $q$ is close to $p$, with $p < q < 2p$ (see Lemma 3.2). Next we do the same thing as in the easy case, that is, we choose $a$ and $b$ uniformly (mod $p-1$), and then compute $g^a x^{-b} \pmod p$. This leaves our machine in the state
$$\frac{1}{p-1}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2} |a, b, g^a x^{-b} \pmod p\rangle. \qquad (7.1)$$
As before, we use the Fourier transform $A_q$ to send $a \to c$ and $b \to d \pmod q$, with amplitude $\frac{1}{q}\exp(2\pi i(ac+bd)/q)$, giving us the state
$$\frac{1}{(p-1)q}\sum_{a=0}^{p-2}\sum_{b=0}^{p-2}\sum_{c=0}^{q-1}\sum_{d=0}^{q-1}\exp\Big(\frac{2\pi i}{q}(ac+bd)\Big)\,|c, d, g^a x^{-b} \pmod p\rangle. \qquad (7.2)$$
Note that we now have two moduli to deal with, $p-1$ and $q$. While this makes keeping track of things more confusing, we will still be able to obtain $r$ using an algorithm similar to the easy case. The probability of observing a state $|c, d, y\rangle$ with $y \equiv g^k \pmod p$ is almost as before,
$$\Big|\frac{1}{(p-1)q}\sum_{(a,b):\ a - rb \equiv k}\exp\Big(\frac{2\pi i}{q}(ac+bd)\Big)\Big|^2, \qquad (7.3)$$
where the sum is over all $(a,b)$ such that $a - rb \equiv k \pmod{p-1}$. We now use the relation
$$a = rb + k - (p-1)\Big\lfloor\frac{rb+k}{p-1}\Big\rfloor \qquad (7.4)$$
and substitute in the above expression to obtain the amplitude
$$\frac{1}{(p-1)q}\sum_{b=0}^{p-2}\exp\Big(\frac{2\pi i}{q}\Big(brc + kc + bd - c(p-1)\Big\lfloor\frac{rb+k}{p-1}\Big\rfloor\Big)\Big). \qquad (7.5)$$
The square of the absolute value of this amplitude is the probability of observing the state $|c, d, g^k \pmod p\rangle$. We will now analyze this expression. First, a factor of $\exp(2\pi i kc/q)$ can be taken out of all the terms and ignored, because it does not change the probability. Next, we split the exponent into two parts and factor out $b$ to obtain
$$\frac{1}{(p-1)q}\sum_{b=0}^{p-2}\exp\Big(\frac{2\pi i}{q}\,bT\Big)\exp\Big(\frac{2\pi i}{q}\,V\Big), \qquad (7.6)$$
where
$$T = rc + d - \frac{r}{p-1}\{c(p-1)\}_q \qquad (7.7)$$
and
$$V = \Big(\frac{rb}{p-1} - \Big\lfloor\frac{rb+k}{p-1}\Big\rfloor\Big)\{c(p-1)\}_q. \qquad (7.8)$$
Here by $\{z\}_q$ we mean the residue of $z \pmod q$ with $-q/2 < \{z\}_q \le q/2$. We will show that if we get enough "good" outputs, then we still can deduce $r$, and that furthermore, the chance of getting a good output is constant. The idea is that if
$$|\{T\}_q| = \Big|rc + d - \frac{r}{p-1}\{c(p-1)\}_q - jq\Big| \le \frac{1}{2}, \qquad (7.9)$$
where $j$ is the closest integer to $T/q$, then as $b$ varies between 0 and $p-2$, the phase of the first exponential term in Eq. (7.6) only varies over at most half of the unit circle.
Further, if
$$|\{c(p-1)\}_q| \le \frac{q}{20}, \qquad (7.10)$$
then $|V|$ is always at most $q/20$, so the phase of the second exponential term in Eq. (7.6) never is farther than $\exp(\pi i/10)$ from 1. By combining these two observations, we will show that if both conditions hold, then the contribution to the probability from the corresponding term is significant. Furthermore, both conditions will hold with constant probability, and a reasonable sample of $c$'s for which Condition (7.9) holds will allow us to deduce $r$.

We now give a lower bound on the probability of each good output, i.e., an output that satisfies Conditions (7.9) and (7.10). We know that as $b$ ranges from 0 to $p-2$, the phase of $\exp(2\pi i bT/q)$ ranges from 0 to $2\pi W$ where
$$W = \frac{p-2}{q}\Big(rc + d - \frac{r}{p-1}\{c(p-1)\}_q - jq\Big), \qquad (7.11)$$
and $j$ is as in Eq. (7.9). Thus, the component of the amplitude of the first exponential in Eq. (7.6) in the direction
$$\exp(\pi i W) \qquad (7.12)$$
is at least $\cos(2\pi|W/2 - Wb/(p-2)|)$. Now, by Condition (7.10), the phase can vary by at most $\pi/10$ due to the second exponential $\exp(2\pi i V/q)$. Applying this variation in the manner that minimizes the component in the direction (7.12), we get that the component in this direction is at least $\cos(2\pi|W/2 - Wb/(p-2)| + \pi/10)$. Since $p < q$, and from Condition (7.9), $|W| \le 1/2$; putting everything together, the probability of arriving at a state $|c, d, y\rangle$ that satisfies both Conditions (7.9) and (7.10) is at least
$$\Big(\frac{1}{(p-1)q}\sum_{b=0}^{p-2}\cos\Big(2\pi\Big|\frac{W}{2} - \frac{Wb}{p-2}\Big| + \frac{\pi}{10}\Big)\Big)^2, \qquad (7.13)$$
or at least $.137/q^2$.

We will now count the number of pairs $(c,d)$ satisfying Conditions (7.9) and (7.10). The number of pairs $(c,d)$ such that (7.9) holds is exactly the number of possible $c$'s, since for every $c$ there is exactly one $d$ such that (7.9) holds (round off the fraction to the nearest integer to obtain this). The number of $c$'s for which (7.10) holds is approximately $q/10$. Thus, there are $q/10$ pairs $(c,d)$ satisfying both conditions. Multiplying by $p-1$, which is the number of possible $y$'s, gives approximately $pq/10$ states $|c, d, y\rangle$.
Combining this calculation with the lower bound on the probability of each good state gives us that the probability of obtaining any good state is at least $p/80q$, or at least $1/160$ (since $q < 2p$).

We now want to recover $r$ from a pair $c, d$ such that
$$\Big|\frac{r}{p-1}\cdot\frac{c(p-1) - \{c(p-1)\}_q}{q} + \frac{d}{q} - j\Big| \le \frac{1}{2q}, \qquad (7.14)$$
where this equation was obtained from Condition (7.9) by dividing by $q$. The first thing to notice is that the multiplier on $r$ is a fraction with denominator $p-1$, since $q$ evenly divides $c(p-1) - \{c(p-1)\}_q$. Thus, we need only round $d/q$ off to the nearest multiple of $1/(p-1)$ and divide (mod $p-1$) by
$$c' = \frac{c(p-1) - \{c(p-1)\}_q}{q} \qquad (7.15)$$
to find a candidate $r$ (up to sign). To show that this experiment need only be repeated a polynomial number of times to find the correct $r$ requires only a few more details. The problem is again that we cannot divide by a number which is not relatively prime to $p-1$.

For the general case of the discrete log algorithm, we do not know that all possible values of $c'$ are generated with reasonable likelihood; we only know this about one-tenth of them. This additional difficulty makes the next step harder than the corresponding step in the two previous algorithms. If we knew the remainder of $r$ modulo all prime powers dividing $p-1$, we could use the Chinese remainder theorem to recover $r$ in polynomial time. We will only be able to find this remainder for primes larger than 20, but with a little extra work we will still be able to recover $r$.

What we have is that each good $(c,d)$ pair is generated with probability at least $.137p/q^2 > 1/16q$, and that at least a tenth of the possible $c$'s are in a good $(c,d)$ pair. From Eq. (7.15) it follows that these $c$'s are mapped from $c/q$ to $c'/(p-1)$ by rounding to the nearest integer multiple of $1/(p-1)$. Further, the good $c$'s are exactly those in which $c/q$ is close to $c'/(p-1)$. Thus, each good $c$ corresponds with exactly one $c'$. We would like to show that for any prime power $p_i^{a_i}$
dividing $p-1$, a random good $c'$ is unlikely to contain $p_i$. If we are willing to accept a large constant for the algorithm, we can just ignore the prime powers under 20; if we know $r$ modulo all prime powers over 20, we can try all possible residues for primes under 20 with only a (large) constant factor increase in running time. Because at least one tenth of the $c$'s were in a good $(c,d)$ pair, at least one tenth of the $c'$'s are good. Thus, for a prime power $p_i^{a_i}$, a random good $c'$ is divisible by $p_i^{a_i}$ with probability at most $10/p_i^{a_i}$. If we have $t$ good $c'$'s, the probability of having a prime power over 20 that divides all of them is at most
$$\sum_{p_i^{a_i} \mid p-1,\ p_i^{a_i} > 20}\Big(\frac{10}{p_i^{a_i}}\Big)^t, \qquad (7.16)$$
where the sum is over all prime powers greater than 20 that divide $p-1$. This sum (over all integers $> 20$) converges for $t = 2$, and goes down by at least a factor of 2 for each further increase of $t$ by 1; thus for some large constant $t$ it is less than $1/2$.

Recall that each good $c$ is obtained with probability at least $1/16q$ from any experiment. Since there are $q/10$ good $c$'s, after $160t$ experiments, we are likely to obtain a sample of good $c$'s chosen equally likely from all good $c$'s. Thus, we will be able to find a set of $c'$'s such that all prime powers $p_i^{a_i} > 20$ dividing $p-1$ are relatively prime to at least one of these $c'$'s. For each prime $p_i$ less than 20, we thus have at most 20 possibilities for the residue modulo $p_i^{a_i}$, where $a_i$ is the exponent on prime $p_i$ in the prime factorization of $p-1$. We can thus try all possibilities for residues modulo powers of primes less than 20: for each possibility we can calculate the corresponding $r$ using the Chinese remainder theorem, and then check to see whether it is the desired discrete logarithm.

This algorithm does not use very many properties of $\mathbb{Z}_p$, so we can use the same algorithm to find discrete logarithms over other fields such as $\mathbb{Z}_{p^k}$.
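The classical post-processing of this section worked through for a small prime, as an added example that is not the paper's code. With $p = 103$, generator $g = 5$, $q = 105$ (smooth, $p < q < 2p$) and a secret $r$, the function simulate_outcome stands in for the quantum measurement by producing, for a good $c$, the unique $d$ that satisfies (7.9); the recovery then uses only $(c, d)$: it forms $c'$ from (7.15), rounds $d/q$ to the nearest multiple $m/(p-1)$ of $1/(p-1)$, reads off $r$ modulo each prime power of $p-1$ that is coprime to $c'$ (from (7.14), $m \equiv -rc' \pmod{p-1}$, so the sign is flipped when dividing), combines the residues by the Chinese remainder theorem, brute-forces any prime power $\le 20$ that no good pair covered, and checks each candidate against $g^r \equiv x$. Parameter values and function names are ours; for this $p-1 = 2 \cdot 3 \cdot 17$ the pair with $c = 34$ has $c' = 33$, which is coprime to 2 and 17 but not to 3, so the residue modulo 3 has to come from another pair or from the brute-force step.

```python
import itertools
import math
from fractions import Fraction


def centered(z, q):
    """{z}_q: the residue of z mod q in the range -q/2 < {z}_q <= q/2."""
    z %= q
    return z - q if 2 * z > q else z


def prime_powers(m):
    """Exact prime-power divisors of m, e.g. 102 -> [2, 3, 17]."""
    out, p = [], 2
    while p * p <= m:
        if m % p == 0:
            pk = 1
            while m % p == 0:
                m //= p
                pk *= p
            out.append(pk)
        p += 1
    if m > 1:
        out.append(m)
    return out


def is_good_c(p, q, c):
    """Condition (7.10): |{c(p-1)}_q| <= q/20."""
    return 20 * abs(centered(c * (p - 1), q)) <= q


def simulate_outcome(p, q, r, c):
    """Stand-in for the measurement: for a given c, the unique d satisfying (7.9).
    It uses the secret r, which in the real algorithm only the interference 'knows'."""
    shift = Fraction(r * centered(c * (p - 1), q), p - 1)
    return round(-r * c + shift) % q


def residues_from_pair(p, q, c, d):
    """Post-processing (7.14)-(7.15): r modulo every prime power of p-1 coprime to c'."""
    rc = centered(c * (p - 1), q)
    c_prime = (c * (p - 1) - rc) // q                  # q divides c(p-1) - {c(p-1)}_q exactly
    m = round(Fraction(d * (p - 1), q)) % (p - 1)      # d/q rounded to a multiple of 1/(p-1)
    found = {}
    for pk in prime_powers(p - 1):
        if math.gcd(c_prime, pk) == 1:
            found[pk] = (-m * pow(c_prime, -1, pk)) % pk   # since m = -r c' (mod p-1)
    return found


def crt(residues):
    """Combine {modulus: value} for pairwise coprime moduli into one residue."""
    value, modulus = 0, 1
    for mod, res in residues.items():
        step = ((res - value) * pow(modulus, -1, mod)) % mod
        value, modulus = value + modulus * step, modulus * mod
    return value % modulus


def recover_dlog(p, g, x, q, pairs, small=20):
    """r = log_g x from good (c, d) pairs; prime powers <= `small` never covered are brute-forced."""
    known = {}
    for c, d in pairs:
        if is_good_c(p, q, c):
            known.update(residues_from_pair(p, q, c, d))
    unknown = [pk for pk in prime_powers(p - 1) if pk not in known]
    if any(pk > small for pk in unknown):
        return None                                    # need more good outcomes
    for guess in itertools.product(*[range(pk) for pk in unknown]):
        cand = crt({**known, **dict(zip(unknown, guess))})
        if pow(g, cand, p) == x:
            return cand
    return None


if __name__ == "__main__":
    p, g, q, r = 103, 5, 105, 57              # q = 105 = 3 * 5 * 7, p < q < 2p
    x = pow(g, r, p)
    good = [c for c in range(q) if is_good_c(p, q, c)]
    pairs = [(c, simulate_outcome(p, q, r, c)) for c in good]
    print("good c's:", good)
    print("from c = 34 alone:", recover_dlog(p, g, x, q, [pairs[good.index(34)]]))
    print("from all good pairs:", recover_dlog(p, g, x, q, pairs))
```

Only 9 of the 105 values of $c$ are good here (the text's "approximately $q/10$"), and a pair such as $c = 35$, whose $c' = 34$ shares factors with 2 and 17, contributes just the residue modulo 3; the combination of independently obtained residues is exactly why the argument above only needs, for each large prime power, one good $c'$ coprime to it.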
What we need is that we know the order of the generator, and that we can multiply and take inverses of elements in polynomial time.

If one were to actually program this algorithm (which must wait until a quantum computer is built), there are many ways in which the efficiency could be increased over the efficiency shown in this paper.

Acknowledgements

I would like to thank Jeff Lagarias for finding and fixing a critical bug in the first version of the discrete log algorithm. I would also like to thank him, Charles Bennett, Gilles Brassard, Andrew Odlyzko, Dan Simon, Umesh Vazirani, as well as other correspondents too numerous to list, for productive discussions, for corrections to and improvements of early drafts of this paper, and for pointers to the literature.

References

1. P. Benioff, "Quantum mechanical Hamiltonian models of Turing machines," J. Stat. Phys., Vol. 29, pp. 515-546 (1982).
2. P. Benioff, "Quantum mechanical Hamiltonian models of Turing machines that dissipate no energy," Phys. Rev. Lett., Vol. 48, pp. 1581-1585 (1982).
3. C. H. Bennett, "Logical reversibility of computation," IBM J. Res. Develop., Vol. 17, pp. 525-532 (1973).
4. C. H. Bennett, E. Bernstein, G. Brassard and U. Vazirani, "What is feasible on a quantum computer," manuscript (1994).
5. E. Bernstein and U. Vazirani, "Quantum complexity theory," in Proc. 25th ACM Symp. on Theory of Computation, pp. 11-20 (1993).
6. A. Berthiaume and G. Brassard, "The quantum challenge to structural complexity theory," in Proc. 7th IEEE Conf. on Structure in Complexity Theory, pp. 132-137 (1992).
7. A. Berthiaume and G. Brassard, "Oracle quantum computing," in Proc. Workshop on Physics of Computation, pp. 195-199, IEEE Press (1992).
8. D. Coppersmith, "An approximate Fourier transform useful in quantum factoring," IBM Research Report RC 19642 (1994).
9. D. Deutsch, "Quantum theory, the Church-Turing principle and the universal quantum computer," Proc. Roy. Soc. Lond., Vol. A400, pp. 96-117 (1985).
10. D. Deutsch, "Quantum computational networks," Proc. Roy. Soc. Lond., Vol. A425, pp. 73-90 (1989).
11. D. Deutsch and R. Jozsa, "Rapid solution of problems by quantum computation," Proc. Roy. Soc. Lond., Vol. A439, pp. 553-558 (1992).
12. D. P. DiVincenzo, "Two-bit gates are universal for quantum computation," manuscript (1994).
13. R. Feynman, "Simulating physics with computers," International Journal of Theoretical Physics, Vol. 21, No. 6/7, pp. 467-488 (1982).
14. R. Feynman, "Quantum mechanical computers," Foundations of Physics, Vol. 16, pp. 507-531 (1986). (Originally appeared in Optics News, February 1985.)
15. L. Fortnow and M. Sipser, "Are there interactive protocols for co-NP languages?" Inform. Proc. Lett., Vol. 28, pp. 249-251 (1988).
16. D. M. Gordon, "Discrete logarithms in GF(p) using the number field sieve," SIAM J. Discrete Math., Vol. 6, pp. 124-139 (1993).
17. G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, Fifth Edition, Oxford University Press, New York (1979).
18. R. Landauer, "Is quantum mechanics useful?" Proc. Roy. Soc. Lond., to appear (1994).
19. A. K. Lenstra and H. W. Lenstra, Jr., eds., The Development of the Number Field Sieve, Lecture Notes in Mathematics No. 1554, Springer-Verlag (1993).
20. H. W. Lenstra, Jr. and C. Pomerance, "A rigorous time bound for factoring integers," J. Amer. Math. Soc., Vol. 5, pp. 483-516 (1992).
21. S. Lloyd, "A potentially realizable quantum computer," Science, Vol. 261, pp. 1569-1571 (1993).
22. S. Lloyd, "Envisioning a quantum supercomputer," Science, Vol. 263, p. 695 (1994).
23. G. L. Miller, "Riemann's hypothesis and tests for primality," J. Comp. Sys. Sci., Vol. 13, pp. 300-317 (1976).
24. S. Pohlig and M. Hellman, "An improved algorithm for computing discrete logarithms over GF(p) and its cryptographic significance," IEEE Trans. Information Theory, Vol. 24, pp. 106-110 (1978).
25. C. Pomerance, "Fast, rigorous factorization and discrete logarithm algorithms," in Discrete Algorithms and Complexity (Proc. Japan-US Joint Seminar), pp. 119-143, Academic Press (1986).
26. R. L. Rivest, A. Shamir, and L. Adleman, "A method of obtaining digital signatures and public-key cryptosystems," Communications ACM, Vol. 21, No. 2, pp. 120-126 (1978).
27. A. Shamir, "IP = PSPACE," in Proc. 31st Ann. Symp. Foundations of Computer Science, pp. 11-15, IEEE Press (1990).
28. D. Simon, "On the power of quantum computation," in Proc. 35th Ann. Symp. Foundations of Computer Science, IEEE Press (1994).
29. W. G. Teich, K. Obermayer, and G. Mahler, "Structural basis of multistationary quantum systems II. Effective few-particle dynamics," Phys. Rev. B, Vol. 37, pp. 8111-8121 (1988).
30. T. Toffoli, "Reversible computing," in Automata, Languages and Programming, Seventh Colloq., Lecture Notes in Computer Science No. 84 (J. W. De Bakker and J. van Leeuwen, eds.), pp. 632-644, Springer-Verlag (1980).
31. W. G. Unruh, "Maintaining coherence in quantum computers," manuscript (1994).
32. A. Yao, "Quantum circuit complexity," in Proc. 34th Ann. Symp. Foundations of Computer Science, pp. 352-361, IEEE Press (1993).