Quantum Algorithm for Attacking RSA Based on Fourier Transform and Fixed-Point

Abstract: Shor in 1994 proposed a quantum polynomial-time algorithm for finding the order r of an element a in the multiplicative group Z_n^*, which can be used to factor the integer n by computing gcd(a^{r/2} ± 1, n), and hence break the famous RSA cryptosystem. However, the order r must be even. This restriction can be removed. So in this paper, we propose a quantum polynomial-time fixed-point attack for directly recovering the RSA plaintext M from the ciphertext C, without explicitly factoring the modulus n. Compared to Shor's algorithm, the order r of the fixed-point C for RSA(e, n), satisfying C^{e^r} ≡ C (mod n), does not need to be even. Moreover, the success probability of the new algorithm is at least 2 4 ( )/ r r and higher than that of Shor's algorithm, though the time complexity of both algorithms is about the same.

Key words: information security; cryptology; RSA fixed-point; quantum computing
CLC number: TP 391

Introduction
Since the discovery of quantum mechanics, people have paid much attention to quantum computers and quantum computing [1,2], which can perform some tasks, such as integer factorization problems, phase estimation problems and hidden subgroup problems, that are not feasible on a classical computer, by using quantum parallelism and interference effects. In the quantum algorithms mentioned above, the Quantum Fourier Transform (QFT), which is a linear unitary transform, plays a significant role and lies at the core of the algorithms. Moreover, the QFT is one of the most important computational primitives, and many real-world applications require that the transform be performed as quickly as possible.
It is well known that factoring an integer n can be reduced to finding the order of an integer a with respect to the modulus n. The order r of an element a in the multiplicative group Z_n^*, denoted by order(a, n), plays a significant role in the period of certain pseudo-random number generators, and particularly in Shor's quantum integer factorization algorithm and other cryptographic applications. As far as is known, there is no polynomial-time algorithm running on classical computers that can compute order(a, n). The main idea of Shor's algorithm is simple: to factor n, one first computes the order r. If the computed r is even, then one further computes, with high probability, gcd(a^{r/2} ± 1, n) ∈ {p, q} with 1 < p, q < n. The world was astonished when Shor announced in 1994 [3] that he had found an efficient quantum integer factorization algorithm which can solve the IFP (Integer Factorization Problem) in time O((log n)^2). Security analysis of public-key cryptosystems is of great significance in theory and in practical application, especially the security of widely used public-key cryptosystems such as RSA, ElGamal and ECC, which is worthy of further research [1]. Current research on quantum factoring is concentrated on various improved and compiled versions of Shor's original algorithm. Smolin et al [4] claimed that if one can find a such that order(a, n) = 2, then Shor's quantum factoring algorithm can be implemented easily using two quantum bits. Peng et al [5] found an approach to implement the prime factorization of 21 = 3 × 7 based on the adiabatic theory. More recently, this was extended to 143 on a dipolar-coupling nuclear magnetic resonance system [6]. Wang et al [7] analyzed an RSA deciphering method based on the D-Wave quantum annealing principle, which is a new attack algorithm for quantum computing.
There are three important research directions of quantum-computing attacks on public-key cryptography: 1) Improve, modify and simplify Shor's algorithm, or even invent new quantum factoring algorithms, to be run on quantum computers with fewer quantum bits [5,8-12].
It has been known for a long time that there is no need to factor n if one just wishes to break RSA.
In fact, to recover M from C, one could just compute the sequence of numbers (assume C is known): In classical computing, this process of computation is equivalent to the factorization of n, which is believed to be a hard problem. However, it can be done efficiently on a quantum computer, and it is even more convenient than Shor's original algorithm. In this paper, we shall propose a new quantum algorithm for directly recovering the RSA plaintext M from the ciphertext C by computing the order r of the fixed-point C, without explicitly factoring the modulus n, with higher success probability. Before discussing the algorithm, we present some basic concepts and results that will be used throughout the paper.
Definition 1 [15] The RSA problem may be defined as follows. Given the RSA public key (e, n) and the RSA ciphertext C, find the corresponding RSA plaintext M. That is,
then x is called a fixed-point of RSA(e, n), and the smallest r satisfying (1) is the order of the fixed-point.
Theorem 1 Let C be the fixed-point of RSA(e, n) with order r:
where M is the plaintext, C is the ciphertext, and e is the encryption key.

The New Algorithm
In this section, we shall present a polynomial-time quantum algorithm for computing the order r of the fixed-point C for RSA(e, n), such that C^{e^r} ≡ C (mod n).
qubits (whose number depends on the space requirement).
Step 3 Perform a Hadamard transform on Reg1; we get
Step 4 Perform the unitary transform U_C^x on Reg2, where U_C|y⟩ = |y^e mod n⟩; thus U_C^x|y⟩ = |y^{e^x} mod n⟩.
Step 5 Measure Reg2. Suppose we observe m = C^{e^l} mod n; at the same time, the state in Reg1 collapses into a superposition over all x such that C^{e^x} ≡ m (mod n). That leaves Reg1 in the state
where l_n is the largest positive integer satisfying 2 1.
Then we can use the continued fraction method to find the fraction closest to c/q among all the convergents of the continued fraction whose denominators are less than n; its denominator is the required order r, similar to Shor's method [3] for obtaining r from the observed value c.
Step 8 Compute M ≡ C^{e^{r−1}} (mod n); hence the required plaintext M is obtained, that is, RSA is broken.
An example illustrating each of computational steps is given as follows.
Step 1 Find a number q such that
Step 7 Measure Reg1. Suppose that c = 1024 is observed, with probability 1/2; in fact, all other states are observed with probability 0. Then, using the continued fraction expansion, r = 2 can be deduced.
Step 8 Compute , hence the required plaintext is obtained, that is, RSA is broken.
Table 1 summarizes the main processes and differences between Shor's algorithm and Algorithm 1 for breaking RSA.
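The fixed-point relation of Definition 1 and Theorem 1, the Step 7 continued-fraction post-processing and Step 8 recovery of Algorithm 1, and the contrast with Shor's even-order requirement from the Introduction can all be walked through classically on a toy modulus. The code below is an added example and not the paper's own: the instance n = 29 × 11, e = 11, ciphertext C = 45 and register size q = 2^17 are constructed, and the quantum Steps 3-6 are replaced by a direct count of the order and an ideal measurement value c = round(d·q/r) with d coprime to r.

```python
from math import gcd

# Constructed toy RSA instance (not from the paper): n = 29 * 11, e = 11 and an
# intercepted ciphertext C = 45; q = 2^17 satisfies n^2 <= q < 2 n^2 (Step 1).
N, E, C, Q = 319, 11, 45, 2 ** 17

def fixed_point_order(c, e, n):
    """Smallest r >= 1 with c^(e^r) = c (mod n): the value Steps 3-7 estimate by
    QFT, counted here classically by iterating x -> x^e mod n."""
    x, r = pow(c, e, n), 1
    while x != c:
        x, r = pow(x, e, n), r + 1
    return r

def order_from_measurement(c, q, n):
    """Step 7 post-processing: denominator of the last convergent of c/q whose
    denominator is below n. A quantum run observes c near d*q/r, d coprime to r."""
    a, b, k_prev, k, best = c, q, 1, 0, 1
    while b:
        a_i, rem = divmod(a, b)
        k_prev, k = k, a_i * k + k_prev  # denominators: k_i = a_i k_{i-1} + k_{i-2}
        if k >= n:
            break
        best = k
        a, b = b, rem
    return best

def is_good_value(c, e, n, r_candidate):
    """Definition 3: the observed c is good iff its candidate equals the true order."""
    return r_candidate == fixed_point_order(c, e, n)

def recover_plaintext(c, e, n, r):
    """Step 8: M = C^(e^(r-1)) mod n, obtained by applying x -> x^e mod n r-1 times."""
    m = c
    for _ in range(r - 1):
        m = pow(m, e, n)
    return m

def shor_gcd_step(a, n):
    """Shor's classical step, for comparison: a factor from gcd(a^(r/2) - 1, n),
    or None when order(a, n) is odd and the step cannot be applied."""
    if gcd(a, n) != 1:
        return gcd(a, n)
    x, r = a % n, 1
    while x != 1:
        x, r = (x * a) % n, r + 1
    f = gcd(pow(a, r // 2, n) - 1, n) if r % 2 == 0 else 0
    return f if 1 < f < n else None
```

For this instance the fixed-point order is r = 3, so Shor's gcd step cannot use C as its base element, while the fixed-point attack recovers the plaintext directly.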
Definition 3 If the state c is observed and r can be found correctly by Algorithm 1, then c is called a good value.
Theorem 2 If there exists a positive integer d which is less than r and coprime to r, such that
then c is a good value.
Proof We first introduce a lemma which will be used in the proof of the theorem.
and hence break RSA completely. Compared to Shor's original order-finding algorithm, the order in the new algorithm does not need to be even, and the algorithm is easy to implement on a quantum computer. Of course, for the algorithm to be practical, more research still needs to be done. One of our current research directions along this line is to reduce the number of quantum bits used in the algorithm, so that it may be run on a smaller quantum computer that may be relatively easy to construct and build.