Integer Factoring, Always Integer Factoring



A learning problem that is related to factoring



Peter Shor is the discover of the famous quantum algorithm for fast integer factoring. It is an algorithm that launched a thousand papers—with all due apologizes to Christopher Marlowe, who wrote:

that launched a thousand ships, and burnt the topless towers of Ilium?

“The topless towers of Ilium” mean “the high towers of Troy.” Perhaps the high towers stand for the world of classic algorithms.

Today I want to talk about a learning problem that is related to integer factoring.

The Last Step Of Shor’s Algorithm

Shor’s quantum factoring algorithm can be viewed as implementing an oracle. The oracle depends on the number you wish to factor, , but it does not return a factor. Instead it returns another number that allows you to factor via a polynomial time classic algorithm. The brilliant insight of Peter is twofold: such an oracle suffices to factor, and such an oracle can be implemented by a quantum computation.

Here is how the oracle works. Each time we ask the oracle it returns a natural number with the following property: is such that for some . The number is much larger than , but is a known power of . The number is the “secret” that allows us to factor . Further is a uniform random integer in the interval .

The number can be recovered by the continued fraction method, or by noticing that recovering is equivalent to solving the system of integer equations:

This is an integer programing problem in , where the value of is the value that we want. Note in general integer programming is -hard, but for a fixed number of variables it is in polynomial time thanks to the brilliant work of Hendrik Lenstra, which is based on the beautiful LLL algorithm of Arjen Lenstra, Hendrik Lenstra, and László Lovász.

Our Problem

Shor’s oracle is very powerful since it allows one to factor in total time that is polynomial in the length of , where . The quantum part and the classical part both run in time. We wish to study what happens if we replace his powerful oracle by a much weaker one that only gives us partial information about each time. The question is, can such an oracle still be used to find ?

When we ask the new oracle for information, it selects an just as before, and the value satisfies the same inequality,

However we only get to see bits of . We can pick which bits before the oracle call, but those are the only positions we see. They can vary from one oracle call to another. Thus we could ask for the bits in positions one time and then another time. Of course is still constant and known, while varies with and is unknown.

Can we still find the value of ? We now allow many oracle calls, and each can ask for a different or the same set of bits. It seems plausible that some information is leaked, but perhaps not. The trouble is that the value of , and hence , can change between calls. Thus the -many bits of may be no help for completing the bits of a different . We can generate many equations, but they involve huge disjunctions of congruences. It may help, however, that values of arise uniformly.

We might suppose that is at least linear in . It is possible for , and hence , to have length or more, and that be a similar polynomial in . However, we would even be interested in a method that used oracle calls and each time got bits of the for that call.

Open Problems

The interest in the problem is we believe that we may be able to construct such an oracle without using quantum methods. We are still checking this carefully, but in any event the above seems like an interesting problem. There are many examples in cryptography where partial leakage of information still breaks a system. Does this happen here?