Frédéric JacobsAug 21, 2023
Nice to see some work on #Quantum Factoring algorithms, combining quantum circuits of smaller size with a “classical” lattice reduction post-processing step. Unclear what the practical impact is though since it's unclear that the optimizations to reduce the number of qubits required would still work because of the repeated squaring of Regev's paper.
https://arxiv.org/abs/2308.06572
An Efficient Quantum Factoring Algorithm

We show that $n$-bit integers can be factorized by independently running a quantum circuit with $\tilde{O}(n^{3/2})$ gates for $\sqrt{n}+4$ times, and then using polynomial-time classical post-processing. The correctness of the algorithm relies on a number-theoretic heuristic assumption reminiscent of those used in subexponential classical factorization algorithms. It is currently not clear if the algorithm can lead to improved physical implementations in practice.

arXiv.org
Show threadFrédéric JacobsFeb 18, 2024

Another interesting result using a hybrid algorithm to do prime factorization:

"In particular, the number of qubits goes below the size of the RSA modulus, and for RSA-2048 we could propose a circuit with less than 1700 qubits. The space required for factoring will depend on the input register rather than the workspace register, as the latter
can be compressed down to size O(log n)"
https://eprint.iacr.org/2024/222
#Quantum #QuantumComputing

Reducing the Number of Qubits in Quantum Factoring

This paper focuses on the optimization of the number of logical qubits in quantum algorithms for factoring and computing discrete logarithms in $\mathbb{Z}_N^*$. These algorithms contain an exponentiation circuit modulo $N$, which is responsible for most of their cost, both in qubits and operations. In this paper, we show that using only $o(\log N)$ work qubits, one can obtain the least significant bits of the modular exponentiation output. We combine this result with May and Schlieper's truncation technique (ToSC 2022) and the Eker{\aa}-H{\aa}stad variant of Shor's algorithm (PQCrypto 2017) to solve the discrete logarithm problem in $\mathbb{Z}_N^*$ using only $d + o(\log N)$ qubits, where $d$ is the bit-size of the logarithm. Consequently we can factor $n$-bit RSA moduli using $n/2 + o(n)$ qubits, while current envisioned implementations require about $2n$ qubits. Our algorithm uses a Residue Number System and succeeds with a parametrizable probability. Being completely classical, we have implemented and tested it. For RSA factorization, we can reach a gate count $\mathcal{O}(n^3)$ for a depth $\mathcal{O}(n^2 \log^3 n)$, which then has to be multiplied by $\mathcal{O}(\log n)$ (the number of measurement results required by Eker{\aa}-H{\aa}stad). To factor an RSA-2048 instance, we estimate that 1730 logical qubits and $2^{36}$ Toffoli gates will suffice for a single run, and the algorithm needs on average 40 runs. To solve a discrete logarithm instance of 224 bits (112-bit classical security) in a safe-prime group of 2048 bits, we estimate that 684 logical qubits would suffice, and 20 runs with $2^{32}$ Toffoli gates each.

IACR Cryptology ePrint Archive
Show threadFrédéric JacobsMay 23, 2025

Google quantum researcher Craig Gidney published yesterday a preprint demonstrating that 2048-bit RSA encryption could theoretically be broken by a #quantum computer with 1 million noisy qubits running for one week.

This 20x decrease in estimated required ressources for quantum factoring comes from better algorithms and better error correction.

https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html

Tracking the Cost of Quantum Factoring

Posted by Craig Gidney, Quantum Research Scientist, and Sophie Schmieg, Senior Staff Cryptography Engineer  Google Quantum AI's mission is t...

Google Online Security Blog
Thomas Bosboom ✅4d ago
Show threadFrédéric Jacobs

🌐 The security community has moved 🔐protocols over the last decade from RSA to elliptic curves, allowing for smaller key sizes

⚛️ While #quantum algorithms research focused around optimizing Shor’s (breaking RSA), a new result shows that breaking the elliptic curve discrete logarithm problem requires significantly less qubits than previously thought.

⚠️ Breaking P-256, which has equivalent classical security to RSA-3072, only requires 1193 logical qubits against 2043.

https://eprint.iacr.org/2026/280

Reducing the Number of Qubits in Quantum Discrete Logarithms on Elliptic Curves

Solving the Discrete Logarithm problem on the group of points of an elliptic curve is one of the major cryptographic applications of Shor's algorithm. However, current estimates for the number of qubits required remain relatively high, and notably, higher than the best recent estimates for factoring of RSA moduli. For example, recent work by Gidney (arXiv 2025) estimates 2043 logical qubits for breaking 3072-bit RSA, while previous work by Häner et al. (PQCrypto 2020) estimates a requirement of 2124 logical qubits for solving discrete logarithm instances on 256-bit elliptic curves over prime fields. Indeed, for an $n$-bit elliptic curve, the most space-optimized optimized implementation by Proos and Zalka (Quant. Inf. Comput. 2003) gives $5n + o(n)$ qubits, as more additional space is required to store the coordinates of points and compute the addition law. In this paper, we propose an alternative approach to the computation of point multiplication in Shor's algorithm (on input $k$, computing $k P$ where $P$ is a fixed point). Instead of computing the point multiplication explicitly, we use a Residue Number System to compute directly the projective coordinates of $k P$ with low space usage. Then, to avoid performing any modular inversion, we compress the result to a single bit using a Legendre symbol. This strategy allows us to obtain the most space-efficient polynomial-time algorithm for the ECDLP to date, with only $3.12n + o(n)$ qubits, at the expense of an increase in gate count, from $\mathcal{O}(n^3)$ to $\widetilde{\mathcal{O}}(n^3)$. For $n = 256$ we estimate that 1098 qubits would be necessary, with 22 independent runs, using $2^{38.10}$ Toffoli gates each. This represents a much higher gate count than the previous estimate by Häner et al. (roughly $2^{30}$), but half of the corresponding number of qubits (2124).

IACR Cryptology ePrint Archive
Feb 18 at 9:59amIvory for Mac
Show threadFrédéric Jacobs6d ago

🆕⚛️🔐 Google published 2 ressource estimates to break 256-bit ECDLP:
"one that uses <1,200 logical qubits and 90 million Toffoli gates and one that uses <1450 logical qubits and 70 million Toffoli gates."

Unlike the previous work by Chevignard, Fouque & Schrottenloher, this work uses slightly more logical qubits for a significantly lower amount of Toffoli quantum gates.

They are not releasing the algorithm, only a Zero Knowledge Proof that it exists:
https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf

Show threadcynicalsecurity Feb 18
@fj fortunately, putting things in perspective, they are nowhere near 1193 logical qubits.
Show threadRelloFeb 19
@cynicalsecurity @fj still <100 logical qbits as far as I read
Show threadJustin ScholzFeb 18
@fj oof, what was the previous state of the art assessment for where elliptic curves would sit?
Show threadFrédéric JacobsFeb 18
@jmovs