Appendix: an extremely rough translation (1)

1. Introduction

This paper proposes RSA parameters for which key generation, encryption, decryption, signing, and verification are feasible on today’s computers while all known attacks are infeasible, even assuming highly scalable quantum computers. As part of the performance analysis, this paper introduces a new algorithm to generate a batch of primes. As part of the attack analysis, this paper introduces a new quantum factorization algorithm that is often much faster than Shor’s algorithm and much faster than pre-quantum factorization algorithms. Initial pqRSA implementation results are provided.

The 1994 publication of Shor’s algorithm prompted widespread claims that quantum computers would kill cryptography, or at least public-key cryptography.

But these claims go far beyond the actual limits of Shor’s algorithm, and subsequent research into quantum cryptanalysis has done little to close the gap. The conventional wisdom among researchers in post-quantum cryptography is that quantum computers will kill RSA and ECC but will not kill hash-based cryptography, code-based cryptography, lattice-based cryptography, or multivariate-quadratic-equations cryptography.

Contents of this paper. Is it actually true that quantum computers will kill RSA? The question here is not whether quantum computers will be built, or will be affordable for attackers. This paper assumes that astonishingly scalable quantum computers will be built, making a qubit operation as inexpensive as a bit operation. Under this assumption, Shor’s algorithm easily breaks RSA as used on the Internet today. The question is whether RSA parameters can be adjusted so that all known quantum attack algorithms are infeasible while encryption and decryption remain feasible.

The conventional wisdom is that Shor’s algorithm factors an RSA public key n almost as quickly as the legitimate RSA user can decrypt. Decryption uses an exponentiation modulo n; Shor’s algorithm uses a quantum exponentiation modulo n. There are some small overheads in Shor’s algorithm—for example, the exponent is double-length—but these overheads create only a very small gap between the cost of decryption and the cost of factorization. (Shor speculated in [48, Section 3] that faster quantum algorithms for modular exponentiation “could even make breaking RSA on a quantum computer asymptotically faster than encrypting with RSA on a classical computer”; however, no such algorithms have been found.)

The main point of this paper is that standard techniques for speeding up RSA, when pushed to their extremes, create a much larger gap between the legitimate user’s costs and the attacker’s costs. Specifically, for this paper’s version of RSA, the attack cost is essentially quadratic in the usage cost.

These extremes require a careful analysis of quantum algorithms for integer factorization. As part of this security analysis, this paper introduces a new quantum factorization algorithm, GEECM, that is often much faster than Shor’s algorithm and all pre-quantum factorization algorithms. See Section 2. GEECM turns out to be one of the main constraints upon parameter selection for post-quantum RSA.

These extremes also require a careful analysis of algorithms for the basic RSA operations. See Section 3. As part of this performance analysis, this paper introduces a new algorithm to generate a large batch of independent uniform random primes more efficiently than any known algorithm to generate such primes one at a time.

Section 4 reports initial implementation results for RSA parameters large enough to push all known quantum attacks above 2^100 qubit operations. These results include successful completion of the most expensive operation in post-quantum RSA, namely generating a 1-terabyte public key.

Evaluation and comparison. Post-quantum RSA does not qualify as secure under old-fashioned security definitions requiring asymptotic security against polynomial-time adversaries. However, post-quantum RSA does appear to provide a reasonable level of concrete security.

Note that, for theoretical purposes, it is possible that (1) there are no public-key encryption systems secure against polynomial-time quantum adversaries but (2) there are public-key encryption systems secure against, e.g., essentially-linear-time quantum adversaries. Post-quantum RSA is a candidate for the second category.

One might think that the quadratic security of post-quantum RSA is no better than the well-known quadratic security of Merkle’s original public-key system. However, the well-known quadratic security is against pre-quantum attackers, not against post-quantum attackers. The analyses by Brassard and Salvail in [17], and by Brassard, Høyer, Kalach, Kaplan, Laplante, and Salvail in [16], indicate that more complicated variants of Merkle’s original public-key system can achieve exponents close to 1.5 against quantum computers, but this is far below the exponent 2 achieved by post-quantum RSA. Concretely, (2^100)^(1/1.5) is approximately 100000 times larger than (2^100)^(1/2).

Post-quantum RSA is not what one would call lightweight cryptography: the cost of each new encryption or decryption is on the scale of $1 of computer time, many orders of magnitude more expensive than pre-quantum RSA. However, if this is the least expensive way to protect high-security information against being recorded by an adversary today and decrypted by future quantum computers, then it should be of interest to some users. One can draw an analogy here with fully homomorphic encryption: something expensive might nevertheless be useful if it is the least expensive way to achieve the user’s desired security goal.

Code-based cryptography and lattice-based cryptography have been studied for many years and appear to provide secure encryption at far less expense than post-quantum RSA. However, one can reasonably argue that triple encryption with code-based cryptography, lattice-based cryptography, and post-quantum RSA, for users who can afford it, provides a higher level of confidence than only two of the mechanisms. Post-quantum RSA is also quite unusual in allowing post-quantum encryption, signatures, and more advanced cryptographic functionality such as blind signatures to be provided in a familiar way by a single unified mechanism, a multiplicatively homomorphic trapdoor permutation.

Obviously the overall use case for post-quantum RSA relies heavily on the faint possibility of dramatic improvements in attacks against a broad range of alternatives. But the same criticism applies even more strongly to, e.g., the proposals in [16]. More importantly, it is interesting to see that the conventional wisdom is wrong, and that RSA has enough flexibility to survive the advent of quantum computers—beaten, bruised, and limping, perhaps, but not dead.

Future work. There is a line of work suggesting big secrets as a protection against limited-volume side-channel attacks and limited-volume exfiltration by malware. As a recent example, Shamir is quoted in [7] as saying that he wants the file containing the Coca-Cola secret “to be a terabyte, which cannot be [easily] exfiltrated”. A terabyte takes only a few hours to transmit over a gigabit-per-second link, but the basic idea of this line of work is that there are sometimes limits on time and/or bandwidth in side channels and exfiltration channels, and that these limits could stop the attacker from extracting the desired secrets. It would be interesting to analyze the extent to which the secrets in post-quantum RSA provide this type of protection. Beware, however, that a positive answer could be undermined by other parts of the system that have not put the same attention into expanding their data.

Our batch prime-generation algorithm suggests that, to help reduce energy consumption and protect the environment, all users of RSA—including users of traditional pre-quantum RSA—should delegate their key-generation computations to NIST or another trusted third party. This speed improvement would also allow users to generate new RSA keys and erase old RSA keys more frequently, limiting the damage of key theft.⁴ However, all trusted-third-party protocols raise security questions (see, e.g., [19] and [24]), and there are significant costs to all known techniques to securely distribute or delegate RSA computations. The challenge here is to show that secure multi-user RSA key generation can be carried out more efficiently than one-user-at-a-time RSA key generation.

Another natural direction of followup work is integration of post-quantum RSA into standard Internet protocols such as TLS. This integration is conceptually straightforward but requires tackling many systems-level challenges, such as various limitations on the RSA key sizes allowed in cryptographic libraries.

⁴ If the goal is merely to protect past traffic against complete key theft (“forward secrecy”) then a user can obtain a speedup by generating many RSA keys in advance, and erasing each key soon after it is first used. But erasing each key soon after it has been generated is sometimes advertised as helping protect future traffic against limited types of compromise. Furthermore, batching across many users provides larger speedups.

2. Post-quantum factorization

For every modern variant of RSA, including the variants considered in this paper, the best attacks known are factorization algorithms. This section analyzes the post-quantum complexity of integer factorization.

There have been some papers analyzing and improving the complexity of Shor’s algorithm; see, e.g., [56]. However, the literature does not seem to contain any broader study of quantum factorization algorithms. There seems to be an implicit assumption that—once large enough quantum computers are available—Shor’s algorithm supersedes the entire previous literature on integer factorization, rendering all previous factorization algorithms obsolete, so studying the complexity of factorization in a post-quantum world is tantamount to studying the complexity of Shor’s algorithm.

The main point of this section is that post-quantum factorization is actually a much richer subject. It should be obvious that previous algorithms are not always superseded by Shor’s algorithm: as a trivial example, an integer divisible by 2 or 3 or 5 is much more efficiently detected by trial division than by Shor’s algorithm. Perhaps less obvious is that there are quantum factorization algorithms that are, for many integers, much faster than Shor’s algorithm and much faster than all known pre-quantum algorithms. These algorithms turn out to be important for post-quantum RSA, as discussed in Section 3.

Overview of pre-quantum integer factorization. There are two important classes of factorization algorithms. The first class consists of algorithms that are particularly fast at finding small primes: e.g., trial division, the rho method [40], the p−1 method [39], the p+1 method [55], and the elliptic-curve method (ECM) [35].

Each of these algorithms can be rephrased, without serious loss of efficiency, as a ring algorithm that composes the ring operations 0, 1, +, −, · to produce a large integer divisible by many small primes. By carrying out the same sequence of operations modulo a target integer n and computing the greatest common divisor of the result with n, one sees whether n is divisible by any of the same primes. For example, trial division up through y has essentially the same performance as computing gcd{n, 2 · 3 · 5 · · · · y}; as another example, m steps of the rho method compute gcd{n, (ρ_2 − ρ_1)(ρ_4 − ρ_2)(ρ_6 − ρ_3) · · · (ρ_{2m} − ρ_m)} with ρ_1 = 1 and ρ_{i+1} = ρ_i^2 + 10.

The importance of ring operations is that carrying them out modulo n has the effect of carrying them out modulo every prime p dividing n; i.e., Z/n → Z/p is a ring morphism. To measure the speed and effectiveness of a ring algorithm one sees how many operations are carried out by the algorithm and how many primes p of various sizes divide the output. The size of n is almost irrelevant, except that each ring operation modulo n costs (lg n)^(1+o(1)) bit operations.
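The three ring algorithms just described, written out in Python as an added example (this is not code from the paper). Each function composes only +, −, · modulo n and performs exactly one gcd at the very end, which is what makes its cost independent of n apart from the (lg n)^(1+o(1)) per ring operation. The modulus used below, n = 1009 · (2^61 − 1), is a constructed toy input; 2^61 − 1 is the Mersenne prime M61.

```python
"""Trial division, the p-1 method and the rho method as ring algorithms (added example):
compose +, -, * modulo n into one integer divisible by many small primes, then gcd once."""
import math


def lcm_up_to(z):
    """s = lcm{1, 2, ..., z}: every prime power <= z divides s."""
    s = 1
    for k in range(2, z + 1):
        s = s * k // math.gcd(s, k)
    return s


def trial_division_as_gcd(n, y):
    """Trial division up through y rephrased as gcd{n, 2*3*5*...*y}: the product of all
    primes <= y is accumulated modulo n and a single gcd then reveals the product of the
    prime factors of n that are <= y."""
    product = 1
    for p in range(2, y + 1):
        if all(p % q for q in range(2, math.isqrt(p) + 1)):   # p is prime
            product = product * p % n
    return math.gcd(product, n)


def pollard_p_minus_1_as_gcd(n, z, base=2):
    """The p-1 method as a ring algorithm: base^s - 1 with s = lcm{1..z} is divisible by
    every prime p for which the order of base modulo p divides s, in particular by every
    p with p-1 z-smooth (all prime powers <= z). Computed modulo n, then one gcd."""
    s = lcm_up_to(z)
    return math.gcd(pow(base, s, n) - 1, n)


def rho_as_gcd(n, m):
    """m steps of the rho method as a ring algorithm, with the recurrence from the text:
    rho_1 = 1, rho_{i+1} = rho_i^2 + 10. Output: gcd{n, prod_{i=1..m} (rho_{2i} - rho_i)}.
    Modulo a prime p the sequence rho_i mod p is eventually periodic, and rho_{2i} = rho_i
    (mod p) once i is past the tail and a multiple of the cycle length, so p divides the
    product as soon as m reaches that index (which is at most p)."""
    def step(x):
        return (x * x + 10) % n

    slow, fast = 1, step(1)        # slow = rho_1, fast = rho_2
    product = 1
    for _ in range(m):
        product = product * (fast - slow) % n    # term (rho_{2i} - rho_i)
        slow = step(slow)                        # rho_i    -> rho_{i+1}
        fast = step(step(fast))                  # rho_{2i} -> rho_{2i+2}
    return math.gcd(product, n)
```

On the toy modulus, trial division through y = 1100, the p−1 method with z = 60 and m = 1009 rho steps each return 1009: the prime 1009 is below y; 1008 = 2^4 · 3^2 · 7 divides lcm{1, …, 60}; and 1009 rho steps suffice because the tail plus cycle of ρ_i mod 1009 spans at most 1009 distinct residues. The large factor stays hidden in all three: it is above y, 2 has order 61 modulo 2^61 − 1 and 61 does not divide lcm{1, …, 60}, and a collision of the rho sequence modulo a 61-bit prime within about 10^3 steps is negligibly likely.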

The second class consists of congruence-combining algorithms: e.g., the continued-fraction method [33], the quadratic sieve [41], and the number-field sieve (NFS) [34]. These algorithms multiply various congruences modulo n to obtain a congruence of the form a^2 ≡ b^2 (mod n), and then hope that gcd{n, a − b} is a nontrivial factor of n. These algorithms are not usefully viewed as ring algorithms (the congruences modulo n are produced in a way that depends on n) and are not particularly fast at finding small primes.

For large n the best congruence-combining algorithm appears to be NFS, which (conjecturally) uses 2^((lg n)^(1/3+o(1))) bit operations. For comparison, ECM uses 2^((lg y)^(1/2+o(1))) ring operations if ECM parameters are chosen to (conjecturally) find every prime p ≤ y. Evidently ECM uses fewer bit operations than NFS to find sufficiently small primes p; the cutoff is 2^((lg n)^(2/3+o(1))).

Shor’s algorithm. Shor begins with a circuit to compute the function x → (x, 3^x mod n), where x is an integer having about 2 lg n bits. Exponentiation uses about 2 lg n multiplications modulo n, and the best multiplication methods known use (lg n)^(1+o(1)) bit operations, so exponentiation uses (lg n)^(2+o(1)) bit operations.

A standard conversion produces a quantum circuit that uses (lg n)^(2+o(1)) qubit operations to evaluate the same function on a quantum superposition of inputs. With a small extra overhead (applying a quantum Fourier transform to the output, sampling, etc.) Shor finds the period of this function, i.e., the order of 3 modulo n. This order is a divisor, typically a large divisor, of ϕ(n) = #(Z/n)^*, and factoring n with this information is a standard exercise. In the rare case that 3 has small order modulo n, one can replace 3 with a random number—preferably a small random number to save time in exponentiation.
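The “standard exercise” of turning the order of 3 modulo n into a factorization, as an added Python example (not code from the paper). The quantum period-finding step is replaced by a brute-force order computation, which is exponential in lg n and only stands in for the quantum circuit on the toy moduli used here; the fallback to random bases follows the text’s remark about replacing 3.

```python
"""Classical post-processing of Shor's algorithm (added example): order of a mod n -> factors."""
import math
import random


def multiplicative_order(a, n):
    """Smallest r >= 1 with a^r = 1 (mod n), by brute force. This stands in for the quantum
    period-finding step (the circuit for x -> a^x mod n followed by the QFT) and is only
    feasible for the toy moduli used here."""
    if math.gcd(a, n) != 1:
        raise ValueError("a must be invertible modulo n")
    x, r = a % n, 1
    while x != 1:
        x = x * a % n
        r += 1
    return r


def factor_from_order(n, a, r):
    """If r = ord_n(a) is even and a^(r/2) != -1 (mod n), then
    (a^(r/2) - 1)(a^(r/2) + 1) = a^r - 1 = 0 (mod n) while neither factor is 0 (mod n),
    so gcd(a^(r/2) - 1, n) is a nontrivial divisor. Returns (p, q) with p * q = n, or None
    when this base is unlucky (odd order, or a^(r/2) = -1)."""
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    p = math.gcd(y - 1, n)
    if 1 < p < n:
        return tuple(sorted((p, n // p)))
    return None


def shor_factor(n, seed=1):
    """Factor an odd composite n: start with base 3 as in the text, and fall back to random
    bases when 3 is unusable (it shares a factor with n, or its order gives no split)."""
    rng = random.Random(seed)          # seeded only to make the example reproducible
    bases = [3] + [rng.randrange(2, n - 1) for _ in range(20)]
    for a in bases:
        g = math.gcd(a, n)
        if 1 < g < n:
            return tuple(sorted((g, n // g)))   # lucky: the base itself shares a prime with n
        if g == n:
            continue
        split = factor_from_order(n, a, multiplicative_order(a, n))
        if split:
            return split
    return None
```

For n = 91 the order of 3 is 6 (3 has order 6 modulo 7 and order 3 modulo 13), 3^3 = 27 is not −1 modulo 91, and gcd(26, 91) = 13 splits n into 7 · 13.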

There is a tremendous gap between the (lg n)^(2+o(1)) qubit operations used by Shor and the 2^((lg n)^(1/3+o(1))) bit operations used by NFS. Of course, for the moment qubit operations seem impossibly expensive compared to bit operations, but post-quantum cryptography looks ahead to a future where qubit operations are affordable at a large scale. In this future it seems that congruence-combining algorithms will be of little, if any, interest.

On the other hand, Shor’s algorithm is not competitive with ring algorithms at finding small primes. Even if a qubit operation is as inexpensive as a bit operation, Shor’s (lg n)^(2+o(1)) qubit operations are as expensive as (lg n)^(1+o(1)) ring operations. ECM’s 2^((lg y)^(1/2+o(1))) ring operations are better than this for sufficiently small primes. The cutoff is 2^((lg lg n)^(2+o(1))).
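Where the two cutoffs quoted above come from, as an added derivation (not part of the paper’s text): equate the cost estimates already stated, noting that a factor (lg n)^(1+o(1)) = 2^((1+o(1)) lg lg n) is absorbed into the o(1) of an exponent that grows faster than lg lg n.

ECM versus NFS (both counted in bit operations, ECM’s ring operations costing (lg n)^(1+o(1)) each):
$$2^{(\lg y)^{1/2+o(1)}} = 2^{(\lg n)^{1/3+o(1)}} \iff (\lg y)^{1/2} = (\lg n)^{1/3} \iff \lg y = (\lg n)^{2/3},$$
so ECM is the cheaper way to find primes p ≤ y = 2^{(\lg n)^{2/3+o(1)}}.

ECM versus Shor (with a qubit operation priced as a bit operation):
$$(\lg n)^{2+o(1)}\ \text{qubit ops} = (\lg n)^{1+o(1)}\ \text{ring ops} = 2^{(1+o(1))\lg\lg n}\ \text{ring ops},$$
$$2^{(\lg y)^{1/2+o(1)}} = 2^{(1+o(1))\lg\lg n} \iff (\lg y)^{1/2} = \lg\lg n \iff \lg y = (\lg\lg n)^{2},$$
so ECM beats Shor for primes p ≤ y = 2^{(\lg\lg n)^{2+o(1)}}. For the 1-terabyte modulus of Section 4, lg n ≈ 2^43 and (lg lg n)^2 ≈ 43^2 ≈ 1850, but the o(1) terms are far from negligible at this scale, so this gives only the order of magnitude of the crossover.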

Some wishful thinking. One might think that Shor’s algorithm can be tweaked to take advantage of a small prime divisor p of n: the function x → 3^x mod p has small period, and this period should be visible for x having only about 2 lg p bits, rather than the 2 lg n bits used by Shor. This would save a factor of 2 even in the most extreme case p ≈ √n.

The difficulty is that one is not given the function x → 3^x mod p. The function x → 3^x mod n has a small pseudo-period, in the sense that shifting the input produces a related output, but one is also not given this relation.

If there were a fast way to detect pseudo-periods with respect to unknown relations then one could drastically speed up Shor’s algorithm by finding the pseudo-period p of the simpler function x → x mod n. If x is limited to 2 lg p

A quantum ring algorithm: GEECM. A more productive approach is to take the best pre-quantum algorithms for finding small primes, and to accelerate those algorithms using quantum techniques.

Under standard conjectures, ECM finds primes p ≤ y using 2^((lg y)^(1/2+o(1))) ring operations, as mentioned above; the rho method finds primes p ≤ y using y^(1/2+o(1)) ring operations; and trial division (in its classic form) finds primes p ≤ y using y^(1+o(1)) ring operations. Evidently ECM supersedes the rho method and trial division as y grows. The cutoff is generally stated (on the basis of more detailed analyses of the o(1)) to be below 2^30, and the primes of interest in this paper are much larger, so this paper focuses on ECM.

(There are occasional primes for which the p−1 and p+1 methods are faster than ECM, but the primes of interest in this paper are randomly generated. Most of the comments in this section generalize to hyperelliptic curves, but genus-≥2-hyperelliptic-curve methods have always been slightly slower than ECM.)

The state-of-the-art variant of ECM is EECM (ECM using Edwards curves), introduced by Bernstein, Birkner, Lange, and Peters in [12]. EECM chooses an Edwards curve x^2 + y^2 = 1 + d x^2 y^2 over Q, or more generally a twisted Edwards curve, with a known non-torsion point P; EECM also chooses a large integer s and uses the Edwards addition law to compute the sth multiple of P on the curve, and in particular the x-coordinate x(sP), represented as a fraction of integers. The output of the ring algorithm is the numerator of this fraction. Overall the computation takes (7+o(1)) lg s multiplications (more than half of which are squarings) and a comparable number of additions and subtractions. For optimized curve choices and further details see [12], [11], [14], [5], and [22].

If s is chosen as lcm{1, 2, ..., z} then lg s ≈ 1.4z, so this curve computation uses about 10z multiplications. If z ∈ L^(c+o(1)) as y → ∞, where L = exp(√(log y log log y)) and c is a positive real constant, then standard conjectures imply that each prime p ≤ y is found by this curve with probability 1/L^(1/(2c)+o(1)). Standard conjectures also imply that curves are almost independent, so by trying L^(1/(2c)+o(1)) curves one finds each prime p with high probability. The total cost of trying all these curves is L^(c+1/(2c)+o(1)) ring operations. The expression c + 1/(2c) takes its minimum value √2 for c = 1/√2; the total cost is then L^(√2+o(1)) ring operations.
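Stage 1 of ECM on an Edwards curve as a ring algorithm, in the shape the two paragraphs above describe, as an added Python example (not the paper’s or EECM’s code; it uses the textbook projective Edwards addition formula rather than the optimized curve choices of [12]). Instead of a curve over Q with a known non-torsion point, it picks a random point modulo n and solves the curve equation for d so that the point lies on the curve; that is a simplification for the example, not what EECM does. The modulus n = 1009 · (2^61 − 1) is a constructed toy input.

```python
"""Stage 1 of ECM on Edwards curves x^2 + y^2 = 1 + d x^2 y^2 as a ring algorithm (added example)."""
import math
import random


def edwards_add(P, Q, d, n):
    """Unified projective addition: (X:Y:Z) stands for the affine point (X/Z, Y/Z), and the
    same formula doubles. Only +, -, * modulo n are used (no inversion), so the identical
    operation sequence is carried out modulo every prime dividing n."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    A = Z1 * Z2 % n
    B = A * A % n
    C = X1 * X2 % n
    D = Y1 * Y2 % n
    E = d * C % n * D % n
    F = (B - E) % n
    G = (B + E) % n
    X3 = A * F % n * (((X1 + Y1) * (X2 + Y2) - C - D) % n) % n
    Y3 = A * G % n * ((D - C) % n) % n
    Z3 = F * G % n
    return (X3, Y3, Z3)


def on_curve(P, d, n):
    """Projective form of the curve equation: (X^2 + Y^2) Z^2 = Z^4 + d X^2 Y^2 (mod n)."""
    X, Y, Z = P
    return ((X * X + Y * Y) * Z * Z - Z ** 4 - d * X * X * Y * Y) % n == 0


def edwards_scalar_mul(s, P, d, n):
    """sP by left-to-right double-and-add: about lg s doublings plus additions."""
    R = (0, 1, 1)                          # neutral element (0, 1)
    for bit in bin(s)[2:]:
        R = edwards_add(R, R, d, n)
        if bit == "1":
            R = edwards_add(R, P, d, n)
    return R


def ecm_stage1(n, z, curves=200, seed=1):
    """Try `curves` random Edwards curves modulo n; on each compute sP for s = lcm{1..z}
    and take gcd(n, X) with X the numerator of x(sP). If the order of P modulo a prime p
    divides s, then sP is the neutral element modulo p, so x(sP) = 0 (mod p) and p | X.
    Returns a nontrivial factor of n, or None if no curve succeeded."""
    rng = random.Random(seed)              # seeded only to make the example reproducible
    s = 1
    for k in range(2, z + 1):
        s = s * k // math.gcd(s, k)        # s = lcm{1, 2, ..., z}
    for _ in range(curves):
        # Pick the point first, then the curve through it: solving for d avoids any
        # square roots modulo n.
        x = rng.randrange(2, n - 1)
        y = rng.randrange(2, n - 1)
        den = x * x % n * (y * y % n) % n
        g = math.gcd(den, n)
        if g == n:
            continue
        if g > 1:
            return g                       # x*y already shares a prime with n
        d = (x * x + y * y - 1) * pow(den, -1, n) % n
        if d in (0, 1):
            continue                       # singular curve, skip it
        X, _, Z = edwards_scalar_mul(s, (x, y, 1), d, n)
        for value in (X, Z):               # Z covers the rare exceptional-point case
            g = math.gcd(value, n)
            if 1 < g < n:
                return g
    return None
```

With z = 60 the scalar s has about 87 bits, so each curve costs on the order of 10z curve operations as the text estimates. The factor 1009 is found because the group order of a random Edwards curve modulo 1009 is a multiple of 4 lying within 2√1009 of 1010 and is frequently lcm{1, …, 60}-smooth, whereas the order modulo the 61-bit prime essentially never is; this is exactly the “small primes found cheaply, large primes not” behaviour that makes ECM a constraint on post-quantum RSA parameters.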

This paper introduces GEECM (Grover plus EECM), which uses quantum computers as follows to accelerate the same EECM computation. Recall that Grover’s method accelerates searching for roots of functions: if the inputs to a function f are roots of f with probability 1/R, then classical searching performs (on average) R evaluations of f, while Grover’s method performs about √R quantum evaluations of f. Consider, in particular, the function f whose input is an EECM curve choice, and whose output is 0 exactly when the EECM result for that curve choice has a nontrivial factor in common with n. EECM finds a root of f by classical searching; GEECM finds a root of f by Grover’s method. If s and z are chosen as above then the inputs to f are roots of f with probability 1/L^(1/(2c)+o(1)), so GEECM uses just L^(1/(4c)+o(1)) quantum evaluations of f, for a total of L^(c+1/(4c)+o(1)) quantum ring operations. The expression c + 1/(4c) takes its minimum value 1 for c = 1/2; the total cost is then just L^(1+o(1)) ring operations.

To summarize, GEECM reduces the number of ring operations from L^(√2+o(1)) to L^(1+o(1)), where L = exp(√(log y log log y)). For the same number of operations, GEECM increases log y by a factor 2 + o(1), almost doubling the number of bits of primes that can be found.
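The optimizations of c in the EECM and GEECM cost bounds above, and the “factor 2 + o(1)” in log y, carried out explicitly as an added derivation (not part of the paper’s text; it uses only the quantities the text defines, with L = exp(√(log y log log y)) and ψ the Chebyshev function).

Size of the stage-1 scalar: since log lcm{1, …, z} = ψ(z) = (1 + o(1)) z,
$$\lg s = \frac{\psi(z)}{\ln 2} = \frac{(1+o(1))\,z}{\ln 2} \approx 1.44\,z, \qquad (7+o(1))\lg s \approx 10\,z.$$

EECM: each curve costs L^{c+o(1)} ring operations and finds a given prime p ≤ y with probability L^{-1/(2c)+o(1)}, so L^{1/(2c)+o(1)} curves are needed:
$$L^{c}\cdot L^{1/(2c)} = L^{\,c+1/(2c)},\qquad \frac{d}{dc}\Bigl(c+\frac{1}{2c}\Bigr) = 1-\frac{1}{2c^{2}} = 0 \iff c=\frac{1}{\sqrt2},\qquad \frac{1}{\sqrt2}+\frac{\sqrt2}{2}=\sqrt2 .$$

GEECM: Grover’s method searches the R = L^{1/(2c)} curve choices with √R = L^{1/(4c)} quantum evaluations of f, each still costing L^{c+o(1)} ring operations:
$$L^{c}\cdot L^{1/(4c)} = L^{\,c+1/(4c)},\qquad 1-\frac{1}{4c^{2}} = 0 \iff c=\frac12,\qquad \frac12+\frac12 = 1 .$$
Both stationary points are minima (second derivatives 1/c^3 and 1/(2c^3) are positive). Note that the optimum moves from z = L^{1/√2} to z = L^{1/2}: GEECM uses a smaller s per curve and searches a larger space of L^{1+o(1)} curve choices, but evaluates only L^{1/2+o(1)} of them.

Equal budgets: a prime bound y′ for GEECM costs the same as y for EECM when L(y′)^{1} = L(y)^{√2}, i.e.
$$\sqrt{\log y'\,\log\log y'} = \sqrt2\,\sqrt{\log y\,\log\log y} \iff \log y'\,\log\log y' = 2\,\log y\,\log\log y .$$
Writing log y′ = t · log y with t bounded gives log log y′ = log log y + log t = (1 + o(1)) log log y, hence t = 2 + o(1): GEECM reaches primes with almost twice as many bits for the same number of ring operations.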
