1. Introduction

Abstract. This paper proposes RSA parameters for which key generation, encryption, decryption, signing, and verification are feasible on today's computers while all known attacks are infeasible, even assuming highly scalable quantum computers. As part of the performance analysis, this paper introduces a new algorithm to generate a batch of primes. As part of the attack analysis, this paper introduces a new quantum factorization algorithm that is often much faster than Shor's algorithm and much faster than pre-quantum factorization algorithms. Initial pqRSA implementation results are provided.
The 1994 publication of Shor's algorithm prompted widespread claims that quantum computers would kill cryptography, or at least public-key cryptography.

But these claims go far beyond the actual limits of Shor's algorithm, and subsequent research into quantum cryptanalysis has done little to close the gap. The conventional wisdom among researchers in post-quantum cryptography is that quantum computers will kill RSA and ECC but will not kill hash-based cryptography, code-based cryptography, lattice-based cryptography, or multivariate-quadratic-equations cryptography.
Contents of this paper. Is it actually true that quantum computers will kill RSA? The question here is not whether quantum computers will be built, or will be affordable for attackers. This paper assumes that astonishingly scalable quantum computers will be built, making a qubit operation as inexpensive as a bit operation. Under this assumption, Shor's algorithm easily breaks RSA as used on the Internet today. The question is whether RSA parameters can be adjusted so that all known quantum attack algorithms are infeasible while encryption and decryption remain feasible.
The conventional wisdom is that Shor's algorithm factors an RSA public key n almost as quickly as the legitimate RSA user can decrypt. Decryption uses an exponentiation modulo n; Shor's algorithm uses a quantum exponentiation modulo n. There are some small overheads in Shor's algorithm (for example, the exponent is double-length), but these overheads create only a very small gap between the cost of decryption and the cost of factorization. (Shor speculated in [48, Section 3] that faster quantum algorithms for modular exponentiation "could even make breaking RSA on a quantum computer asymptotically faster than encrypting with RSA on a classical computer"; however, no such algorithms have been found.)
The main point of this paper is that standard techniques for speeding up RSA, when pushed to their extremes, create a much larger gap between the legitimate user's costs and the attacker's costs. Specifically, for this paper's version of RSA, the attack cost is essentially quadratic in the usage cost.
These extremes require a careful analysis of quantum algorithms for integer factorization. As part of this security analysis, this paper introduces a new quantum factorization algorithm, GEECM, that is often much faster than Shor's algorithm and all pre-quantum factorization algorithms. See Section 2. GEECM turns out to be one of the main constraints upon parameter selection for post-quantum RSA.
These extremes also require a careful analysis of algorithms for the basic RSA operations. See Section 3. As part of this performance analysis, this paper introduces a new algorithm to generate a large batch of independent uniform random primes more efficiently than any known algorithm to generate such primes one at a time.
Section 4 reports initial implementation results for RSA parameters large enough to push all known quantum attacks above 2^100 qubit operations. These results include successful completion of the most expensive operation in post-quantum RSA, namely generating a 1-terabyte public key.
Evaluation and comparison. Post-quantum RSA does not qualify as secure under old-fashioned security definitions requiring asymptotic security against polynomial-time adversaries. However, post-quantum RSA does appear to provide a reasonable level of concrete security.

Note that, for theoretical purposes, it is possible that (1) there are no public-key encryption systems secure against polynomial-time quantum adversaries but (2) there are public-key encryption systems secure against, e.g., essentially-linear-time quantum adversaries. Post-quantum RSA is a candidate for the second category.
One might think that the quadratic security of post-quantum RSA is no better than the well-known quadratic security of Merkle's original public-key system. However, the well-known quadratic security is against pre-quantum attackers, not against post-quantum attackers. The analyses by Brassard and Salvail in [17], and by Brassard, Høyer, Kalach, Kaplan, Laplante, and Salvail in [16], indicate that more complicated variants of Merkle's original public-key system can achieve exponents close to 1.5 against quantum computers, but this is far below the exponent 2 achieved by post-quantum RSA. Concretely, (2^100)^(1/1.5) is approximately 100000 times larger than (2^100)^(1/2): the first is about 2^66.7 and the second is 2^50, a ratio of about 2^16.7.
Post-quantum RSA is not what one would call lightweight cryptography: the cost of each new encryption or decryption is on the scale of $1 of computer time, many orders of magnitude more expensive than pre-quantum RSA. However, if this is the least expensive way to protect high-security information against being recorded by an adversary today and decrypted by future quantum computers, then it should be of interest to some users. One can draw an analogy here with fully homomorphic encryption: something expensive might nevertheless be useful if it is the least expensive way to achieve the user's desired security goal.
Code-based cryptography and lattice-based cryptography have been studied for many years and appear to provide secure encryption at far less expense than post-quantum RSA. However, one can reasonably argue that triple encryption with code-based cryptography, lattice-based cryptography, and post-quantum RSA, for users who can afford it, provides a higher level of confidence than only two of the mechanisms. Post-quantum RSA is also quite unusual in allowing post-quantum encryption, signatures, and more advanced cryptographic functionality such as blind signatures to be provided in a familiar way by a single unified mechanism, a multiplicatively homomorphic trapdoor permutation.
Obviously the overall use case for post-quantum RSA relies heavily on the faint possibility of dramatic improvements in attacks against a broad range of alternatives. But the same criticism applies even more strongly to, e.g., the proposals in [16]. More importantly, it is interesting to see that the conventional wisdom is wrong, and that RSA has enough flexibility to survive the advent of quantum computers: beaten, bruised, and limping, perhaps, but not dead.
Future work. There is a line of work suggesting big secrets as a protection against limited-volume side-channel attacks and limited-volume exfiltration by malware. As a recent example, Shamir is quoted in [7] as saying that he wants the file containing the Coca-Cola secret "to be a terabyte, which cannot be [easily] exfiltrated". A terabyte takes only a few hours to transmit over a gigabit-per-second link, but the basic idea of this line of work is that there are sometimes limits on time and/or bandwidth in side channels and exfiltration channels, and that these limits could stop the attacker from extracting the desired secrets. It would be interesting to analyze the extent to which the secrets in post-quantum RSA provide this type of protection. Beware, however, that a positive answer could be undermined by other parts of the system that have not put the same attention into expanding their data.
Our batch prime-generation algorithm suggests that, to help reduce energy consumption and protect the environment, all users of RSA, including users of traditional pre-quantum RSA, should delegate their key-generation computations to NIST or another trusted third party. This speed improvement would also allow users to generate new RSA keys and erase old RSA keys more frequently, limiting the damage of key theft (see footnote 4). However, all trusted-third-party protocols raise security questions (see, e.g., [19] and [24]), and there are significant costs to all known techniques to securely distribute or delegate RSA computations. The challenge here is to show that secure multi-user RSA key generation can be carried out more efficiently than one-user-at-a-time RSA key generation.
Another natural direction of followup work is integration of post-quantum RSA into standard Internet protocols such as TLS. This integration is conceptually straightforward but requires tackling many systems-level challenges, such as various limitations on the RSA key sizes allowed in cryptographic libraries.
Footnote 4. If the goal is merely to protect past traffic against complete key theft ("forward secrecy") then a user can obtain a speedup by generating many RSA keys in advance, and erasing each key soon after it is first used. But erasing each key soon after it has been generated is sometimes advertised as helping protect future traffic against limited types of compromise. Furthermore, batching across many users provides larger speedups.
2. Post-quantum factorization
For every modern variant of RSA, including the variants considered in this paper, the best attacks known are factorization algorithms. This section analyzes the post-quantum complexity of integer factorization.
There have been some papers analyzing and improving the complexity of Shor's algorithm; see, e.g., [56]. However, the literature does not seem to contain any broader study of quantum factorization algorithms. There seems to be an implicit assumption that, once large enough quantum computers are available, Shor's algorithm supersedes the entire previous literature on integer factorization, rendering all previous factorization algorithms obsolete, so studying the complexity of factorization in a post-quantum world is tantamount to studying the complexity of Shor's algorithm.
The main point of this section is that post-quantum factorization is actually a much richer subject. It should be obvious that previous algorithms are not always superseded by Shor's algorithm: as a trivial example, an integer divisible by 2 or 3 or 5 is much more efficiently detected by trial division than by Shor's algorithm. Perhaps less obvious is that there are quantum factorization algorithms that are, for many integers, much faster than Shor's algorithm and much faster than all known pre-quantum algorithms. These algorithms turn out to be important for post-quantum RSA, as discussed in Section 3.
Overview of pre-quantum integer factorization. There are two important classes of factorization algorithms. The first class consists of algorithms that are particularly fast at finding small primes: e.g., trial division, the rho method [40], the p−1 method [39], the p+1 method [55], and the elliptic-curve method (ECM) [35].

Each of these algorithms can be rephrased, without serious loss of efficiency, as a ring algorithm that composes the ring operations 0, 1, +, −, · to produce a large integer divisible by many small primes. By carrying out the same sequence of operations modulo a target integer n and computing the greatest common divisor of the result with n, one sees whether n is divisible by any of the same primes. For example, trial division up through y has essentially the same performance as computing gcd{n, 2 · 3 · 5 · ··· · y}; as another example, m steps of the rho method compute gcd{n, (ρ_2 − ρ_1)(ρ_4 − ρ_2)(ρ_6 − ρ_3) ··· (ρ_2m − ρ_m)} with ρ_1 = 1 and ρ_{i+1} = ρ_i^2 + 10.

The importance of ring operations is that carrying them out modulo n has the effect of carrying them out modulo every prime p dividing n; i.e., Z/n → Z/p is a ring morphism. To measure the speed and effectiveness of a ring algorithm one sees how many operations are carried out by the algorithm and how many primes p of various sizes divide the output. The size of n is almost irrelevant, except that each ring operation modulo n costs (lg n)^(1+o(1)) bit operations.
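The following Python script is an added illustration, not code from the paper: it implements trial division and the rho method in exactly the ring-algorithm form just described, i.e., a sequence of ring operations carried out modulo n followed by a single gcd with n. The constant 10 in ρ_{i+1} = ρ_i^2 + 10 is the paper's; the moduli in the usage calls (77 · 1000003 and 8051 = 83 · 97) are constructed for this example.

```python
# Added example (not from the paper): two "ring algorithms" for finding
# small primes, written so that every step is a ring operation modulo n
# and the only interaction with n is the final gcd.
from math import gcd


def primes_upto(y):
    """Sieve of Eratosthenes: all primes p <= y."""
    sieve = bytearray([1]) * (y + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(y ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(2, y + 1) if sieve[i]]


def trial_division_as_gcd(n, y):
    """Trial division up through y, rephrased as gcd{n, 2*3*5*...*y}.
    The product is accumulated modulo n (ring operations only); the
    result is the product of the primes p <= y dividing n, or 1."""
    acc = 1
    for p in primes_upto(y):
        acc = acc * p % n
    return gcd(acc, n)


def rho_as_gcd(n, m, c=10):
    """m steps of the rho method with rho_1 = 1, rho_{i+1} = rho_i^2 + c,
    computing gcd{n, (rho_2 - rho_1)(rho_4 - rho_2)...(rho_2m - rho_m)}.
    'slow' walks rho_i, 'fast' walks rho_{2i} (Floyd cycle finding);
    all differences are multiplied together before the single gcd."""
    slow = 1                      # rho_1
    fast = (1 * 1 + c) % n        # rho_2
    acc = 1
    for _ in range(m):
        acc = acc * (fast - slow) % n          # factor rho_{2i} - rho_i
        slow = (slow * slow + c) % n           # rho_i     -> rho_{i+1}
        fast = (fast * fast + c) % n           # rho_{2i}  -> rho_{2i+1}
        fast = (fast * fast + c) % n           # rho_{2i+1}-> rho_{2i+2}
    return gcd(acc, n)


if __name__ == "__main__":
    n1 = 77 * 1000003                 # constructed: 7 * 11 * (no factor <= 100)
    print(trial_division_as_gcd(n1, 100))   # primes <= 100 dividing n1: 7*11
    n2 = 8051                         # constructed: 83 * 97
    print(rho_as_gcd(n2, 200))        # a divisor of 8051 larger than 1
```

Batching every difference into one product is exactly the paper's accounting model, but it has the usual practical drawback: once the product is 0 modulo every prime dividing n, the final gcd is n itself, which is why implementations check the gcd periodically (and, on failure, restart with another constant c) rather than only at the end.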
The second class consists of congruence-combining algorithms: e.g., the continued-fraction method [33], the quadratic sieve [41], and the number-field sieve (NFS) [34]. These algorithms multiply various congruences modulo n to obtain a congruence of the form a^2 ≡ b^2 (mod n), and then hope that gcd{n, a − b} is a nontrivial factor of n. These algorithms are not usefully viewed as ring algorithms (the congruences modulo n are produced in a way that depends on n) and are not particularly fast at finding small primes.
For large n the best congruence-combining algorithm appears to be NFS, which (conjecturally) uses 2^((lg n)^(1/3+o(1))) bit operations. For comparison, ECM uses 2^((lg y)^(1/2+o(1))) ring operations if ECM parameters are chosen to (conjecturally) find every prime p ≤ y. Evidently ECM uses fewer bit operations than NFS to find sufficiently small primes p; the cutoff is y ≈ 2^((lg n)^(2/3+o(1))), the point at which (lg y)^(1/2) matches (lg n)^(1/3).
Shor's algorithm. Shor begins with a circuit to compute the function x → (x, 3^x mod n), where x is an integer having about 2 lg n bits. Exponentiation uses about 2 lg n multiplications modulo n, and the best multiplication methods known use (lg n)^(1+o(1)) bit operations, so exponentiation uses (lg n)^(2+o(1)) bit operations.

A standard conversion produces a quantum circuit that uses (lg n)^(2+o(1)) qubit operations to evaluate the same function on a quantum superposition of inputs. With a small extra overhead (applying a quantum Fourier transform to the output, sampling, et al.) Shor finds the period of this function, i.e., the order of 3 modulo n. This order is a divisor, typically a large divisor, of φ(n) = #(Z/n)^*, and factoring n with this information is a standard exercise. In the rare case that 3 has small order modulo n, one can replace 3 with a random number, preferably a small random number to save time in exponentiation.
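As an added example (not from the paper), the following Python code carries out the classical half of this procedure. It assumes an oracle that returns the order r of the base modulo n; here that oracle is simulated by brute force, which only works for toy moduli, so that the "standard exercise" of turning r into a factor can be shown in full, including the two failure cases (r odd, or 3^(r/2) ≡ −1 mod n) in which one must switch to another base. The moduli 35 and 8051 = 83 · 97 in the usage calls are constructed for the example.

```python
# Added example (not from the paper): Shor's factoring method with the
# quantum order-finding step replaced by a classical brute-force search.
from math import gcd


def order_mod(a, n):
    """Smallest r >= 1 with a^r = 1 (mod n). Stands in for the quantum
    period-finding circuit; requires gcd(a, n) == 1 and toy-sized n."""
    assert gcd(a, n) == 1
    r, x = 1, a % n
    while x != 1:
        x = x * a % n
        r += 1
    return r


def factor_from_order(a, r, n):
    """The 'standard exercise': from a^r = 1 (mod n) with r even and
    h = a^(r/2) != -1 (mod n), (h-1)(h+1) = 0 (mod n) while neither
    factor is 0, so gcd(h-1, n) is a proper divisor. Returns None in the
    two cases where this fails and another base must be tried."""
    if r % 2:
        return None                     # odd order: no square root of 1
    h = pow(a, r // 2, n)
    if h == n - 1:
        return None                     # trivial square root of 1
    d = gcd(h - 1, n)
    return d if 1 < d < n else None


def shor_classical(n, bases=(3, 2, 5, 7, 11)):
    """Shor's algorithm with order_mod() as the oracle. Tries base 3
    first, as the paper does, then other small bases if 3 fails."""
    for a in bases:
        g = gcd(a, n)
        if 1 < g < n:
            return g                    # base shares a factor with n
        if g == n:
            continue
        r = order_mod(a, n)
        d = factor_from_order(a, r, n)
        if d is not None:
            return d
    return None


if __name__ == "__main__":
    print(order_mod(3, 35), shor_classical(35))       # 12, 7
    print(order_mod(3, 8051), shor_classical(8051))   # 1968, 83
```

For n = 8051 the order of 3 is lcm(41, 48) = 1968 (3 has order 41 modulo 83 and 48 modulo 97), and 3^984 is 1 modulo 83 but −1 modulo 97, so gcd(3^984 − 1, n) = 83: the order is indeed a large divisor of φ(n) = 82 · 96, and the factor falls out on the first base.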
There is a tremendous gap between the (lg n)^(2+o(1)) qubit operations used by Shor and the 2^((lg n)^(1/3+o(1))) bit operations used by NFS. Of course, for the moment qubit operations seem impossibly expensive compared to bit operations, but post-quantum cryptography looks ahead to a future where qubit operations are affordable at a large scale. In this future it seems that congruence-combining algorithms will be of little, if any, interest.
On the other hand, Shor's algorithm is not competitive with ring algorithms at finding small primes. Even if a qubit operation is as inexpensive as a bit operation, Shor's (lg n)^(2+o(1)) qubit operations are as expensive as (lg n)^(1+o(1)) ring operations. ECM's 2^((lg y)^(1/2+o(1))) ring operations are better than this for sufficiently small primes. The cutoff is y ≈ 2^((lg lg n)^(2+o(1))), where (lg y)^(1/2) reaches lg lg n.
Some wishful thinking. One might think that Shor's algorithm can be tweaked to take advantage of a small prime divisor p of n: the function x → 3^x mod p has small period, and this period should be visible for x having only about 2 lg p bits, rather than the 2 lg n bits used by Shor. This would save a factor of 2 even in the most extreme case p ≈ √n.

The difficulty is that one is not given the function x → 3^x mod p. The function x → 3^x mod n has a small pseudo-period, in the sense that shifting the input produces a related output, but one is also not given this relation.
If there were a fast way to detect pseudo-periods with respect to unknown relations then one could drastically speed up Shor's algorithm by finding the pseudo-period p of the simpler function x → x mod n. If x is limited to 2 lg p
A quantum ring algorithm: GEECM. A more productive approach is to take the best pre-quantum algorithms for finding small primes, and to accelerate those algorithms using quantum techniques.

Under standard conjectures, ECM finds primes p ≤ y using 2^((lg y)^(1/2+o(1))) ring operations, as mentioned above; the rho method finds primes p ≤ y using y^(1/2+o(1)) ring operations; and trial division (in its classic form) finds primes p ≤ y using y^(1+o(1)) ring operations. Evidently ECM supersedes the rho method and trial division as y grows. The cutoff is generally stated (on the basis of more detailed analyses of the o(1)) to be below 2^30, and the primes of interest in this paper are much larger, so this paper focuses on ECM.

(There are occasional primes for which the p−1 and p+1 methods are faster than ECM, but the primes of interest in this paper are randomly generated. Most of the comments in this section generalize to hyperelliptic curves, but genus-≥2 hyperelliptic-curve methods have always been slightly slower than ECM.)
The state-of-the-art variant of ECM is EECM (ECM using Edwards curves), introduced by Bernstein, Birkner, Lange, and Peters in [12]. EECM chooses an Edwards curve x^2 + y^2 = 1 + dx^2y^2 over Q, or more generally a twisted Edwards curve, with a known non-torsion point P; EECM also chooses a large integer s and uses the Edwards addition law to compute the sth multiple of P on the curve, and in particular the x-coordinate x(sP), represented as a fraction of integers. The output of the ring algorithm is the numerator of this fraction. Overall the computation takes (7+o(1)) lg s multiplications (more than half of which are squarings) and a comparable number of additions and subtractions. For optimized curve choices and further details see [12], [11], [14], [5], and [22].

If s is chosen as lcm{1, 2, ..., z} then lg s ≈ 1.4z, so this curve computation uses about 10z multiplications. If z ∈ L^(c+o(1)) as y → ∞, where L = exp √(log y log log y) and c is a positive real constant, then standard conjectures imply that each prime p ≤ y is found by this curve with probability 1/L^(1/(2c)+o(1)). Standard conjectures also imply that curves are almost independent, so by trying L^(1/(2c)+o(1)) curves one finds each prime p with high probability. The total cost of trying all these curves is L^(c+1/(2c)+o(1)) ring operations. The expression c + 1/(2c) takes its minimum value √2 for c = 1/√2; the total cost is then L^(√2+o(1)) ring operations.
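To make the EECM description concrete, here is an added Python implementation of one curve trial. It is not the authors' code: it follows the description above and the standard projective Edwards addition formulas, but the curve-selection shortcut (pick a random point first and solve for d so that the point lies on the curve, rather than the optimized curves with known non-torsion points from [12]) and the parameters z, trial count and seed are this example's own assumptions. It computes sP with s = lcm{1, ..., z} using only ring operations modulo n (no inversions) and outputs gcd(X, n): sP is the neutral element (0, 1) modulo a prime p dividing n exactly when the projective X-coordinate vanishes modulo p, which is the projective form of "the numerator of x(sP)". The modulus 1000003 · 1000033 in the usage call is constructed for the example.

```python
# Added example (not the paper's code): EECM curve trials modulo n using
# projective Edwards coordinates (X:Y:Z), x = X/Z, y = Y/Z.
from math import gcd
import random


def lcm_upto(z):
    """s = lcm{1, 2, ..., z}; lg s is about 1.4 z."""
    s = 1
    for k in range(2, z + 1):
        s = s * k // gcd(s, k)
    return s


def edwards_add(P, Q, d, n):
    """Unified Edwards addition law on x^2 + y^2 = 1 + d x^2 y^2 in
    projective coordinates; also used for doubling. Every step is a
    ring operation modulo n, so it acts modulo each prime p | n at once."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    A = Z1 * Z2 % n
    B = A * A % n
    C = X1 * X2 % n
    D = Y1 * Y2 % n
    E = d * C % n * D % n
    F = (B - E) % n
    G = (B + E) % n
    X3 = A * F % n * ((X1 + Y1) * (X2 + Y2) - C - D) % n
    Y3 = A * G % n * (D - C) % n
    Z3 = F * G % n
    return (X3, Y3, Z3)


def edwards_mul(s, P, d, n):
    """sP by left-to-right double-and-add, starting from the neutral (0:1:1)."""
    R = (0, 1, 1)
    for bit in bin(s)[2:]:
        R = edwards_add(R, R, d, n)
        if bit == "1":
            R = edwards_add(R, P, d, n)
    return R


def eecm_curve_trial(n, s, rng):
    """One EECM curve: random point (x0, y0), d solved from the curve
    equation, then gcd(X(sP), n). Returns n or 1 when the trial fails."""
    x0, y0 = rng.randrange(2, n), rng.randrange(2, n)
    den = x0 * x0 * y0 * y0 % n
    g = gcd(den, n)
    if g != 1:
        return g                   # cannot invert, but a factor fell out
    d = (x0 * x0 + y0 * y0 - 1) * pow(den, -1, n) % n   # (x0, y0) is on the curve
    X, _, _ = edwards_mul(s, (x0, y0, 1), d, n)
    return gcd(X, n)


def eecm(n, z=1000, trials=200, seed=1):
    """Try independent random curves until one yields a proper divisor.
    The seed is fixed only so that the example is reproducible."""
    rng = random.Random(seed)
    s = lcm_upto(z)
    for _ in range(trials):
        g = eecm_curve_trial(n, s, rng)
        if 1 < g < n:
            return g
    return None


if __name__ == "__main__":
    n = 1000003 * 1000033          # constructed modulus for the example
    print(eecm(n))                 # one of the two factors (or None)
```

Each curve trial succeeds modulo p when the order of P on the curve modulo p divides s, i.e. when that order is z-powersmooth; a trial that succeeds modulo both primes simultaneously returns gcd = n and is simply discarded, which is why the loop tests for 1 < g < n. Because the computation never inverts anything modulo n, the cost model is exactly the one the paper uses: a fixed number of ring operations per curve (here 12 multiplications per addition, against the 7 per bit of s that optimized EECM achieves), times the number of curves tried.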
This paper introduces GEECM (Grover plus EECM), which uses quantum computers as follows to accelerate the same EECM computation. Recall that Grover's method accelerates searching for roots of functions: if the inputs to a function f are roots of f with probability 1/R, then classical searching performs (on average) R evaluations of f, while Grover's method performs about √R quantum evaluations of f. Consider, in particular, the function f whose input is an EECM curve choice, and whose output is 0 exactly when the EECM result for that curve choice has a nontrivial factor in common with n. EECM finds a root of f by classical searching; GEECM finds a root of f by Grover's method. If s and z are chosen as above then the inputs to f are roots of f with probability 1/L^(1/(2c)+o(1)), so GEECM uses just L^(1/(4c)+o(1)) quantum evaluations of f, for a total of L^(c+1/(4c)+o(1)) quantum ring operations. The expression c + 1/(4c) takes its minimum value 1 for c = 1/2; the total cost is then just L^(1+o(1)) ring operations.

To summarize, GEECM reduces the number of ring operations from L^(√2+o(1)) to L^(1+o(1)), where L = exp √(log y log log y). For the same number of operations, GEECM increases log y by a factor 2 + o(1): matching the EECM cost L(y)^√2 against the GEECM cost L(y')^1 gives 2 log y log log y = log y' log log y', and since log log y' and log log y differ by a factor 1 + o(1), log y' = (2 + o(1)) log y. This almost doubles the number of bits of primes that can be found.