# Post Quantum Cryptography

<img src="images/quantum_intro.webp" alt="Description" width="800" height="800"/>

## Importing the required packages 

Please run this code below to have all the required packages and functions you will have to use to start the lab!

In [17]:
from math import floor, sqrt, isqrt, log
from random import randint
from sympy import isprime, legendre_symbol, gcd
from numpy import full, pi, array
from time import time
from qiskit import QuantumCircuit, transpile
from qiskit_aer import AerSimulator
from qiskit.visualization import plot_histogram
from qiskit.circuit.library import UnitaryGate
from qiskit.circuit import QuantumRegister, ClassicalRegister
from fractions import Fraction

**This lab will be done entirely in python**

Feel free to add your own cells to try out the functions you’ve built! We’ve included some important examples to get you started, but you’re welcome to test your code with any others you’d like.

# I) What is RSA ?

## a) Presentation of RSA (History)

Before the 1970s, all cryptography relied on shared secret keys (symmetric encryption). But this raised a major problem: how could the secret key be exchanged securely if enemies were listening?
In response to it, in 1976, Whitfield Diffie and Martin Hellman published New Directions in Cryptography by introducing the idea of a public key to encrypt and a private key to decrypt so no need to secretly exchange keys in advance.
Building on this, researchers realized that multiplying two large prime numbers was a simple task, whereas factoring their product back into its prime components was extremely difficult.
This property, known as a “one-way function,” provided exactly the mathematical foundation needed for a secure encryption system. In 1977, Rivest, Shamir, and Adleman transformed this insight into a practical algorithm, which became known as RSA, named after their initials.

## b) Implementation of RSA (Algorithm)

Before the 1970s, all cryptography relied on shared secret keys (symmetric encryption). But this raised a major problem: how could the secret key be exchanged securely if enemies were listening?
In response to it, in 1976, Whitfield Diffie and Martin Hellman published New Directions in Cryptography by introducing the idea of a public key to encrypt and a private key to decrypt so no need to secretly exchange keys in advance.
Building on this, researchers realized that multiplying two large prime numbers was a simple task, whereas factoring their product back into its prime components was extremely difficult.
This property, known as a “one-way function,” provided exactly the mathematical foundation needed for a secure encryption system. In 1977, Rivest, Shamir, and Adleman transformed this insight into a practical algorithm, which became known as RSA, named after their initials.

## c) Implementation of RSA (Algorithm)

As you might have already guessed, we are now going to talk about the RSA algorithm. 

The first step is the **Key Generation**:

1) Choose two prime numbers, $p$ and $q$, and compute the number $n = pq$.
- *$n$ will be the modulus which will be used in both the public and private key.* 
- *The **key length** is the length of $n$ in bits (for example 2048 bits, which is a commonly recommended key length).* 
- *It is important to keep $p$ and $q$ secret since computing the value of $n$ will allow anyone to "break" your encrypted messages.*

2) Then, compute the value $\varphi(n) = (p-1)(q-1)$
- *$\varphi(n)$ is known as the Euler's totient function that counts the positive integers up to a given integer $n$ that are relatively prime to $n$.* 
- *The RSA algorithm correctness can be proved using Euler's theorem (see below).*

3) Choose a number $e$, such that $1 < e < \varphi(n)$ and $e$ must be coprime with $\varphi(n)$ (meaning $\gcd(e, \varphi(n)) = 1$)
- *$e$ is called the public exponent. It is part of the public key.* 
- *The Public Key is the pair of values $(n, e)$.* 
- *$\gcd$ is the greatest common divisor.*

4) Finally, determine $d$ as  
$$
ed \equiv 1 \pmod{\varphi(n)}
$$
- *$d$ is the private key (sometimes the Private Key is also written as the pair of values $(n, d)$).* 
- *$d$ is the modular multiplicative inverse of $e$ modulo $\varphi(n)$.*

Now we got our public and private keys! We can now use them to encrypt or decrypt a message.

---

### Encrypt
Assuming you want to communicate a message $M$, you must first ensure that $M$ is an integer and that $0 \le M < n$.  
Then, you can compute the encrypted message $C$ with:  

$$
C \equiv M^e \pmod{n}
$$

(Note that the value of $C$ will be strictly less than $n$, since it's the modulus.)

---

### Decrypt
To decrypt the ciphertext $C$, you use the private key $d$:  

$$
M \equiv C^d \pmod{n}
$$

---

### Proof of correctness with Euler's Theorem
The RSA Algorithm "works" because we can prove using Euler's Theorem that any encrypted message $M$ can be decrypted to recover the exact same $M$.

Euler's theorem states that given any integer $n > 0$ and any integer $a$ coprime with $n$, we have:

$$
a^{\varphi(n)} \equiv 1 \pmod{n}
$$

In RSA, the number $a$ is actually our message $M$. Since $n$ is the product of $p$ and $q$, there are high chances that $M$ is coprime with $n$.  
(If not, the algorithm works anyway but uses another proof with Fermat's little theorem.)

Now, when we want to decrypt $C$ (which is $M^e$), we do:

$$
C^d = M^{ed}
$$

Since $d$ is the modular multiplicative inverse of $e$ modulo $\varphi(n)$, we have:  

$$
ed \equiv 1 \pmod{\varphi(n)} \quad \Leftrightarrow \quad ed = 1 + k \varphi(n)
$$

Then the proof is:

$$
M^{ed} \equiv M^{1 + k \varphi(n)} \equiv M \cdot M^{k \varphi(n)} \equiv M \cdot 1^k \equiv M \pmod{n}
$$

We demonstrated that our private key $d$ can be used to decrypt $C$ and recover the original message $M$!

---

### Here is a quick implementation in Python of RSA, following the steps mentioned above:


In [2]:
#This function will generate random numbers until a prime number is generated
def generate_prime_number(low, high):
    while True:
        p = randint(low, high)
        if isprime(p):
            return p

# Key Generation
def generate_keys():
    # Step 1 : Choose p and q, prime numbers, and compute n
    p = generate_prime_number(100, 300)  
    q = generate_prime_number(100, 300)
    while q == p:
        q = generate_prime_number(100, 300)
    
    n = p*q

    # Step 2 : Compute phi = (p-1)*(q-1)
    phi = (p-1)*(q-1)

    # Step 3 : Choose e that gcd(e, phi) = 1 and 1 < e < phi
    e = randint(2, (phi-1))
    while gcd(e, phi) != 1:
        e = randint(2, (phi-1))
    
    # Step 4 : Compute d, the modular multiplicative inverse of e (we can use python pow() function)
    d = pow(e, -1, phi) 

    public_key = (n, e)
    private_key = (n, d)
    return public_key, private_key

# Encrypting
def encrypt(m, public_key):
    n, e = public_key
    C = pow(m, e, n) #Using the definition of C above, we can use once again the pow() function to calculate the power with modulo
    return C

# Decrypting
def decrypt(c, private_key):
    n, d = private_key
    M = pow(c, d, n) 
    return M

public, private = generate_keys()
print("Public Key :", public)
print("Private Key :", private)

message = 12 #Test message for example (for text, we will have to convert it to integers first)

C = encrypt(message, public)
print("Encrypted message :", C)

M = decrypt(C, private)
print("Decrypted message :", M)

NameError: name 'randint' is not defined

## II) Can we crack RSA ?

### II.I) Brute Force

### II.II) The GNFS Algorithm

#### Story of the GNFS

The General Number Field Sieve (GNFS) is the most efficient classical algorithm known for factoring large integers larger than $10^{100}$. Its history traces the evolution of computational number theory and reflects decades of research aimed at understanding the limits of public-key cryptography, particularly RSA.

The origins of the method go back to the 1980s, when John Pollard introduced the Number Field Sieve for a very special class of integers known as Cunningham numbers. Building on this idea, Arjen Lenstra, Hendrik Lenstra, Mark Manasse, and John Pollard generalized the approach in the early 1990s, creating the algorithm now known as the GNFS. This breakthrough provided, for the first time, a sub-exponential algorithm that could factor arbitrary large integers more efficiently than the Quadratic Sieve, which had been the previous state of the art.

From that point forward, GNFS became the central tool in record-setting factorizations. In 1994, it was used to factor RSA-129, a 129-digit number (426 bits) made famous by Martin Gardner’s challenge in Scientific American. Over the following decades, GNFS was refined and scaled up through distributed computing efforts and advances in algorithm engineering. Notable milestones include the factorization of RSA-768 (232 digits) in 2009, RSA-240 (795 bits) in 2019, and RSA-250 in 2020. Each of these achievements pushed the limits of available hardware and demonstrated both the power of GNFS and the ongoing need to increase RSA key sizes.

Today, GNFS remains the gold standard for classical integer factorization. Its history underscores the constant interplay between mathematical innovation and computational progress, and it provides the foundation for our understanding of how secure RSA remains in the face of classical attacks.

#### The algorithm & Code in python

**I hope you are ready and you have fastened your seatbelts, because it isn't an easy algorithm to understand!**
We will be working through a specific numerical example to illustrate each concept along the way.

**Disclaimer:**  
This Python implementation of the General Number Field Sieve (GNFS) is designed for **educational purposes only**.  
It is **not optimized for performance** and will run **very very very** slowly but this is a good Proof of Concept (PoC).  
In practice, highly optimized GNFS implementations are written in **C or C++** with advanced sieving, memory management, and parallelization to handle real-world cryptographic-sized numbers efficiently.

---

##### Step 0: Preliminary Idea – Difference of Squares

**Principle:** If we can find integers $s$ and $r$ such that:
$s^2 \equiv r^2 \pmod{n}$
then:
$n$ divides $(s - r)(s + r)$

**Factor extraction:** Let $n = p \cdot q$ (product of two primes). Then at least one of the following is a nontrivial factor of $n$ with high probability ($\sim 2/3$):
$\gcd(s + r, n)$ or $\gcd(s - r, n)$

**Core idea of GNFS:** Reduce factoring $n$ to finding a congruence of squares modulo $n$:
$s^2 \equiv r^2 \pmod{n} \Rightarrow$ potential factorization via gcd.

***

##### Step 1: Choose $m$ and $f(x)$

We start by picking an integer $m$ close to $n^{1/d}$, where $d$ is the degree of the polynomial we want to construct. Using the base-$m$ expansion of $n$:
$$n = a_d m^d + a_{d-1} m^{d-1} + \dots + a_0$$we define the polynomial$$f(x) = a_d x^d + a_{d-1} x^{d-1} + \dots + a_0$$
so that $f(m) \equiv 0 \pmod{n}$. This polynomial encodes $n$ in a way that allows us to later find algebraic numbers whose squares are congruent modulo $n$, which is key to factorization.

**Implementation detail:** The base-$m$ expansion provides an easy way to construct a polynomial $f(x)$ with integer coefficients where $f(m)=n$. This ensures the crucial congruence $f(m) \equiv 0 \pmod n$ holds, which is a fundamental requirement for the mapping $\phi$ used later in the algorithm. For example, to factor $n=45113$, we can choose $m=31$ and use its base-31 expansion: $45113 = 1 \cdot 31^3 + 15 \cdot 31^2 + 29 \cdot 31 + 8$. From this, we can define the polynomial $f(x) = x^3 + 15x^2 + 29x + 8$.

<span style="color:red;font-weight: bold;">Question 2.2.1 : Implement the function to perform the base m expansion</span>

In [6]:
# ------------------------
# Step 1: Base-m polynomial selection
# ------------------------
def base_m_expansion(n, m):
    """
    Expand integer n in base m to get polynomial coefficients.
    - Returns coefficients [a_d, ..., a_0] such that n = a_d*m^d + ... + a_0
    - Highest-degree coefficient comes first
    """
    coeffs = []
    temp = n
    degree = 0
    # Determine the degree of the polynomial (largest power of m needed)
    while temp // m**degree != 0:
        degree += 1 
    # Extract coefficients by repeatedly dividing by m
    for _ in range(degree + 1):
        coeffs.append(temp % m)
        temp //= m
    return coeffs[::-1]  # reverse so highest-degree comes first

The functions below will help you create the function itself

In [7]:
def evaluate_polynomial(coeffs, x):
    """
    Evaluate a polynomial at a given x
    - coeffs: list of coefficients [a_d, ..., a_0]
    - returns sum(a_i * x^(degree-i))
    """
    result = 0
    deg = len(coeffs) - 1
    for i, c in enumerate(coeffs):
        result += c * (x ** (deg - i))
    return result

def polynomial_function(coeffs):
    """
    Return a callable function f(x) from a list of coefficients
    - Makes it easy to evaluate polynomial at any x later
    """
    return lambda x: evaluate_polynomial(coeffs, x)  # create a function for later use

This is a function that will transform the function you created into a string to be visualized now or later if needed

In [None]:
def polynomial_to_string(coeffs):
    """Convert a list of coefficients into a polynomial string. Only for print purposes"""
    degree = len(coeffs) - 1
    terms = []
    for i, c in enumerate(coeffs):
        power = degree - i
        if c == 0:
            continue
        if power == 0:
            terms.append(f"{c}")
        elif power == 1:
            terms.append(f"{c}*x")
        else:
            terms.append(f"{c}*x**{power}")
    return " + ".join(terms)

***

##### Step 2: Define the rational factor base $R$

Next, we select a finite set of small prime numbers $R = \{p_1, p_2, \dots, p_k\}$. This **rational factor base** will be used to check if certain integers are “smooth,” meaning they factor completely over these primes. Working with smooth numbers ensures that we can later represent them as vectors for linear algebra over $\mathbb{F}_2$. $\mathbb{F}_2$ is a mathematical term that refers to the finite field with two elements. In simpler terms, it's a number system that only contains the numbers 0 and 1.

**Implementation detail:** The rational factor base is a collection of prime numbers. For practical purposes, it is often a set of small, consecutive primes up to a certain bound $M$, such as $R = \{p: \text{p is prime and } p \le M\}$. For the example of factoring $n=45113$, the rational factor base was chosen as all primes less than 30: $R = \{2, 3, 5, 7, 11, 13, 17, 19, 23, 29\}$. An integer $l$ is considered "smooth" over $R$ if all of its prime divisors are in $R$. This is a core concept that allows us to convert the factorization problem into a linear algebra problem over $\mathbb{F}_2$.

<span style="color:red;font-weight: bold;">Question 2.2.2 : Implement the function to define the rational factor base</span>

In [8]:
# ------------------------
# Step 2: Rational factor base R
# ------------------------
def rational_factor_base(bound):
    """
    Generate the rational factor base: 
    all prime numbers up to the given bound.
    """
    return [p for p in range(2, bound+1) if isprime(p)]

***

##### Step 3: Define the algebraic factor base $A$

In the first step, we built a list of small prime numbers to act as our "factoring toolkit" for regular integers. In this step, we're doing the same thing, but for a new, abstract number system.

Imagine we're not just working with numbers anymore, but with a new kind of "number plant" that has sprouted from our polynomial. These "number plants" are called **algebraic numbers**, and they look like $a + b\theta$. This is similar to how complex numbers are built: we introduce a symbol $i$ with $i^2 = -1$, and then form numbers of the type $a + bi$. So what is $\theta$ in our case? It’s a special symbol we introduce to represent a root of our polynomial $f(x)$. For example, if $f(x) = x^2 - 2$, then $\theta = \sqrt{2}$ because $\theta^2 = 2$. We don’t need to know $\theta$ as a decimal; we just work with it symbolically, like we do with i. 

We now need a way to factor these new "plants" so we create an **algebraic factor base**, which is our toolkit of special "algebraic prime seeds" for this new number system.

We identify these "prime seeds" as pairs of regular numbers, $(r_i, p_i)$, that satisfy a specific condition: when you plug $r_i$ into our original polynomial, the result is divisible by the prime $p_i$ (i.e., $f(r_i) \equiv 0 \pmod{p_i}$). This clever trick lets us use something we know (our polynomial) to find and categorize these new "algebraic primes."

**Implementation detail:** The goal is to find "number plants" ($a + b\theta$) that can be completely factored using only the "prime seeds" in our toolkit. We call these numbers "smooth," just as we did with the regular integers. This ensures that the algebraic side of our calculations is manageable and mirrors the integer side, providing two parallel sets of data that will eventually be combined. For example, with $n=45113$, we found our "prime seeds" by looking at all primes less than 90 : 
$A = \{ (0, 2), (6, 7), (13, 17), (11, 23), ... , (50, 73), (23, 79), (47, 79), (73, 79), (28, 89), (62, 89), (73, 89) \}$

<span style="color:red;font-weight: bold;">Question 2.2.3 : Implement the function to define the algebraic factor base</span>

In [9]:
# ------------------------
# Step 3: Algebraic factor base A
# ------------------------
def algebraic_factor_base(f, primes):
    """
    Generate the algebraic factor base:
    pairs (r, p) where p is a prime from the given list
    and r is a root of f(x) modulo p.
    """
    A = []
    for p in primes:
        for r in range(p):
            if f(r) % p == 0:
                A.append((r, p))
    return A

***

##### Step 4: Define the quadratic character base $Q$

To capture additional congruence information, we choose a set of primes $Q$ not in $A$ and find integers $s$ such that $f(s) \equiv 0 \pmod{q}$. This **quadratic character base** helps control certain signs and parity conditions when combining smooth numbers, which is crucial for guaranteeing that the final products will form perfect squares.

**Implementation detail:** This base helps verify that an element in $\mathbb{Z}[\theta]$ is a perfect square. Each entry in $Q$ is a pair $(s, q)$, where $q$ is a prime not in $A$ and $s$ satisfies $f(s) \equiv 0 \pmod q$. These pairs are used to compute the Legendre symbol $\left(\frac{a+bs}{q}\right)$, which acts as a check for squareness. The number of entries in $Q$ can be increased to raise the probability that the final result is a perfect square. For $n=45113$, primes 97, 101, 103, and 107 were used to build $Q$. $Q = \{(28, 97), (87, 101), (47, 103), (4, 107), (8, 107), (80, 107)\}$

<span style="color:red;font-weight: bold;">Question 2.2.4 : Implement the function to define the quadratic character base</span>

In [10]:
# ------------------------
# Step 4: Quadratic character base Q
# ------------------------
def quadratic_character_base(f, primes, exclude_A):
    """
    Generate the quadratic character base:
    pairs (s, q) where q is a prime (not in the Algebraic factor base)
    and s is a root of f(x) modulo q.
    """
    Q = []
    for q in primes:
        if q in exclude_A:  # skip primes already used in A
            continue
        for s in range(q):
            if f(s) % q == 0:
                Q.append((s, q))
    return Q

***

##### Step 5: Find smooth pairs $(a, b)$

We then search for integer pairs $(a, b)$ such that both $a + bm$ and $a + b\theta$ are smooth over the rational and algebraic factor bases, respectively. By looping over $a$ for fixed $b$ and checking factorability, we collect enough pairs (typically more than $1 + k + l + u$) to ensure the linear system in the next step will have nontrivial solutions. These **smooth pairs** form the building blocks for constructing a congruence of squares.

*1+k+l+u represents the total number of columns in the matrix we are building, where 1 is for the sign bit, k is the number of primes in the rational factor base, l is the number of "algebraic primes" in the algebraic factor base, and u is the number of primes in the quadratic character base.*

**Implementation detail:** This is the core "sieving" part of the algorithm. We fix a small integer $b$ and let $a$ vary over a range, for example from $-N$ to $N$. For each pair $(a, b)$, we test if $a+bm$ is smooth over the rational factor base $R$ and if $a+b\theta$ is smooth over the algebraic factor base $A$. This is done using sieve arrays. An integer $q \in R$ divides $a+bm$ if $a \equiv -bm \pmod q$, while an algebraic factor $(r_i, p_i) \in A$ divides $a+b\theta$ if $a \equiv -br_i \pmod{p_i}$. We continue this process with different values of $b$ until we have found a sufficient number of smooth pairs, which is typically more than the total number of elements in all three bases ($1+k+l+u$).

You don't have to implement this function

In [11]:
# ------------------------
# Step 5: Find smooth pairs (a, b)
# ------------------------
def factorize_with_sieve(x, factor_base_primes, spf):
    '''
    Return a list of exponents for each prime in factor_base_primes
    Exponents = how many times each prime divides x
    Leftover cofactor = any remaining part of x not in the base (1 if fully smooth)
    Example: 
       factor_base_primes = [2, 3, 5]
       x = 60 = 2^2 * 3^1 * 5^1
           returns: ([2, 1, 1], 1)  --> fully smooth
       x = 77 = 7 * 11
           returns: ([0, 0, 0], 77) --> not smooth
    '''
    
    if x <= 1:
        return [0] * len(factor_base_primes), 1

    exponents = [0] * len(factor_base_primes)
    temp_x = x
    # Factor using precomputed smallest-prime-factor table (spf)
    while temp_x > 1:
        p = spf[temp_x]                     # smallest prime factor of temp_x
        try:
            idx = factor_base_primes.index(p)   # find index in factor base
            exponents[idx] += 1
        except ValueError:
            # Found a prime not in the factor base -> not smooth
            return [0] * len(factor_base_primes), temp_x
        temp_x //= p                        # divide out this factor
    return exponents, 1

def find_smooth_pairs(n, m, f, R, A, Q, a_limit=50, b_limit=3):
    "Systematically search for smooth pairs (a, b) that will later build the GNFS matrix."
    pairs = []
    A_primes = [p for _, p in A]

    # Determine range for sieve (must cover all candidate values of a + b*m and a + b*f(m))
    max_val_rational = b_limit * m + a_limit
    max_val_algebraic = b_limit * f(m) + a_limit
    max_val = max(max_val_rational, max_val_algebraic)

    # Build smallest-prime-factor (spf) table via sieve of Eratosthenes
    spf = list(range(max_val + 1))
    for i in range(2, int(max_val**0.5) + 1):
        if spf[i] == i:                      # i is prime
            for j in range(i * i, max_val + 1, i):
                if spf[j] == j:
                    spf[j] = i               # record smallest prime factor for j

    # Lookup dictionaries (not strictly needed, but conceptually map base primes to indices)
    R_dict = {p: i for i, p in enumerate(R)}
    A_dict = {p: i for i, p in enumerate(A_primes)}

    # Loop over candidate (a, b) values
    for b in range(1, b_limit):
        for a in range(-a_limit, a_limit):
            val_r = a + b * m                 # rational side value
            val_a = a + b * f(m)              # algebraic side value (f evaluated at m)

            # Factor rational side; skip if not smooth over R
            rat_exp, rem_r = factorize_with_sieve(abs(val_r), R, spf)
            if rem_r != 1:
                continue

            # Factor algebraic side; skip if not smooth over A
            alg_exp, rem_a = factorize_with_sieve(abs(val_a), A_primes, spf)
            if rem_a != 1:
                continue

            # Quadratic character contributions from (s, q) in Q
            quad_exp = [0 if legendre_symbol(a + b * s, q) == 1 else 1 for s, q in Q]

            # Save relation: exponent vectors and sign bits
            pairs.append({
                "a": a, "b": b,
                "rational": rat_exp,
                "algebraic": alg_exp,
                "quadratic": quad_exp,
                "sign_r": 0 if val_r >= 0 else 1,
                "sign_a": 0 if val_a >= 0 else 1
            })

    return pairs

***

##### Step 6: Construct the matrix $X$

Each smooth pair $(a, b)$ is represented as a row vector containing the sign of $a + bm$, the exponents of its rational prime factors modulo 2, the exponents of the algebraic factors modulo 2, and any relevant quadratic characters. Stacking these vectors forms a $y \times (1+k+l+u)$ matrix $X$. y is the number of smooth pairs collected hance the number of rows in the matrix. This matrix encodes all information necessary to combine smooth numbers into perfect squares.

**Implementation detail:** For each smooth pair $(a,b)$, a row vector is created. The first entry is a sign bit (0 for positive $a+bm$, 1 for negative). The next $k$ entries are the exponents of the primes in the rational factor base $R$ from the factorization of $a+bm$, taken modulo 2. The following $l$ entries are the exponents of the algebraic factors from the factorization of $a+b\theta$, also modulo 2. Finally, the last $u$ entries are derived from the quadratic character base $Q$, representing whether the Legendre symbol $\left(\frac{a+bs}{q}\right)$ is 1 (entry 0) or -1 (entry 1). This vector essentially summarizes the parity of the exponents and the quadratic characters, which is a concise way to check for perfect squares.

We have defined the matrix for you

In [12]:
# ------------------------
# Step 6: Construct matrix X
# ------------------------
def construct_matrix_X(pairs, R_len, A_len, Q_len):
    """
    Build the exponent matrix X for GNFS:
    - Each row corresponds to a smooth pair (a, b)
    - Columns represent:
        1. Sign bits (rational and algebraic)
        2. Exponents modulo 2 for rational factor base R
        3. Exponents modulo 2 for algebraic factor base A
        4. Quadratic character bits for Q
    - All entries reduced modulo 2 for linear algebra over F2
    """
    matrix = []
    for p in pairs:
        # Combine all info into a single row
        row = [p["sign_r"], p["sign_a"]] + p["rational"] + p["algebraic"] + p["quadratic"]
        # Reduce entries modulo 2
        matrix.append([x % 2 for x in row])
    return array(matrix, dtype=int)

***

##### Step 7: Solve the linear system modulo 2

We solve the system
$$X^T \cdot \mathbf{A} \equiv 0 \pmod{2}$$to find subsets of smooth pairs that, when multiplied together, produce a perfect square both in $\mathbb{Z}$ and in $\mathbb{Z}[\theta]$. Let $V \subset U$ denote the selected subset. By construction:
$$\prod_{(a_j, b_j) \in V} (a_j + bm) \text{ is a perfect square in } \mathbb{Z},$$
$$\prod_{(a_j, b_j) \in V} (a_j + b_j\theta) \text{ is a perfect square in } \mathbb{Z}[\theta]$$
This gives us the congruence of squares needed to attempt factorization.

**Implementation detail:** The matrix equation $X^T \mathbf{A} \equiv \mathbf{0} \pmod 2$ is a system of linear equations over the field $\mathbb{F}_2$. The entries of the vector $\mathbf{A}$ are either 0 or 1, and a non-trivial solution is guaranteed to exist if the number of rows is greater than the number of columns ($y > 1+k+l+u$). Each $A_j=1$ in the solution vector corresponds to including the $j$-th smooth pair $(a_j, b_j)$ in the product. When the vectors corresponding to these pairs are added modulo 2, the result is the zero vector, which means that all exponents (and signs) in the final product are even, a necessary condition for being a perfect square.

We already have solved for you the linear system

In [13]:
# ------------------------
# Step 7: Solve linear system modulo 2
# ------------------------
def solve_linear_system_mod2(X):
    """
    Solve the linear system X^T * A ≡ 0 (mod 2) to find dependencies:
    - Each row in X represents a smooth pair (a, b)
    - Columns are exponent/sign/quadratic bits modulo 2
    - Goal: find non-trivial combinations of rows that sum to the zero vector (over F2)
    - Returns indices of dependent rows forming a solution
    """
    mat = X.copy()
    rows, cols = mat.shape
    pivot_rows = []      # keep track of pivot rows used in elimination
    dependencies = []    # store indices of rows that form zero-sum combinations

    # Gaussian elimination modulo 2
    for col in range(cols):
        pivot_row = None
        for r in range(rows):
            if r in pivot_rows:
                continue
            if mat[r, col] == 1:
                pivot_row = r
                pivot_rows.append(r)  # mark row as used as pivot
                break
        if pivot_row is None:
            continue
        # Eliminate 1s in this column from other rows
        for r in range(rows):
            if r != pivot_row and mat[r, col] == 1:
                mat[r] = (mat[r] + mat[pivot_row]) % 2

    # Rows that become all zeros correspond to dependencies
    for i, row in enumerate(mat):
        if not row.any():
            dependencies.append(i)

    # Return indices of dependent rows, or [0] if none found
    return dependencies if dependencies else [0]


***

##### Step 8: Factor $n$ using the difference of squares

Finally, we map the algebraic product back to integers using
$$x^2 = \phi \left( \prod_{(a_j, b_j) \in V} (a_j + b_j\theta) \right),$$$$y^2 = \prod_{(a_j, b_j) \in V} (a_j + bm)$$and try to extract factors via$$\gcd(n, x+y) \quad \text{and} \quad \gcd(n, x-y)$$
If a nontrivial factor is found, the algorithm succeeds. Otherwise, we repeat the process with a new factor base or additional smooth pairs. This step exploits the classical “difference of squares” idea: if $s^2 \equiv r^2 \pmod{n}$, then $\gcd(s \pm r, n)$ often reveals a nontrivial factor of $n$.

**Implementation detail:** With the subset of pairs $V$ from the previous step, we compute the products to get a perfect square in $\mathbb{Z}$ and a perfect square in $\mathbb{Z}[\theta]$. We then compute the integer value of the algebraic perfect square using the mapping $\phi: \mathbb{Z}[\theta] \rightarrow \mathbb{Z}/n\mathbb{Z}$. This mapping satisfies $\phi(\theta) \equiv m \pmod n$. Thus, if $\beta^2 = \prod_{(a_j, b_j) \in V} (a_j + b_j\theta)$, then $\phi(\beta^2) = \phi(\beta)\phi(\beta)$ and $\phi(\beta^2) = \phi(\prod_{(a_j, b_j) \in V} (a_j + b_j\theta)) = \prod_{(a_j, b_j) \in V} (a_j + b_jm)$. This creates the congruence of squares $x^2 \equiv y^2 \pmod n$ that can be used for factorization with a high probability of success. For example, in the case of $n=45113$, this process led to the discovery of factors 197 and 229.

<span style="color:red;font-weight: bold;">Question 2.2.5 : Implement the difference of squares</span>

In [14]:
# ------------------------
# Step 8: Factor n using difference of squares
# ------------------------
def difference_of_squares_factor(n, s, r):
    """
    Attempt to factor n using the difference of squares:
    If s^2 ≡ r^2 (mod n), then n divides (s-r)*(s+r).
    Returns a non-trivial factor if found, else None.
    """
    factor1 = gcd(s + r, n)
    factor2 = gcd(s - r, n)
    # Keep only non-trivial factors (not 1 or n)
    factors = [f for f in (factor1, factor2) if 1 < f < n]
    return factors[0] if factors else None

<span style="color:red;font-weight: bold;">Question 2.2.6 : Implement the factorisation process</span>

In [15]:
def factor_n_from_pairs(n, pairs, dependency, m, f):
    """
    Combine selected smooth pairs (from dependency) to form perfect squares:
    - Multiply rational side (a + b*m) to get x^2
    - Multiply algebraic side (a + b*theta) evaluated at m to get y^2
    - Use difference_of_squares_factor to attempt factorization of n
    """
    #define x^2 and y^2
    x_prod = 1
    y_prod = 1
    #for every idx in dependency retrieve a, b from pairs and compute the calculations to get x^2 and y^2
    for idx in dependency:
        a = pairs[idx]["a"]
        b = pairs[idx]["b"]
        x_prod *= (a + b * m)          # integer side
        y_prod *= (a + b * f(m))       # algebraic side evaluated at m
    # for x make sure it's positive if not make it positive
    x = abs(x_prod)
    # for y take integer square root, make sure y is positive if not make it positive
    y = int(isqrt(abs(y_prod)))
    #use difference of squares to retrieve a factor    
    factor = difference_of_squares_factor(n, x, y)
    return factor

#### Complexity

Heuristically, its complexity for factoring an integer `n` (consisting of $\lfloor\log_2 n\rfloor + 1$ bits) is of the form:

![alt text](images/GNFS.svg)

#### Write the algorithm

In the section above we listed and you have implemented all the functions you needed to construct the GNFS algorithm.

<span style="color:red;font-weight: bold;">Question 2.2.7 : Implement the full GNFS algorithm.</span>

In [None]:
def gnfs(n, m, R_bound=30, A_bound=90, Q_bound=107, a_limit=20, b_limit=3):
    #retieve the coefficients
    coeffs = base_m_expansion(n, m)
    #create the polynomial function
    f = polynomial_function(coeffs)
    print(f"Polynomial f(x) = {polynomial_to_string(coeffs)}")
    #create the Rational factor base
    R = rational_factor_base(R_bound)
    print(f"Rational factor base R: {R}")
    #retrieve all the primes from 2 to A_bound
    A_primes = [p for p in range(2, A_bound) if isprime(p)]
    #create the Algebraic factor base
    A = algebraic_factor_base(f, A_primes)
    print(f"Algebraic factor base A: {A}")
    #retrieve all the primes from A_bound + 1 to Q_bound + 1
    Q_primes = [p for p in range(A_bound + 1, Q_bound + 1) if isprime(p)]
    #create the Quadratic character base
    Q = quadratic_character_base(f, Q_primes, [p for _, p in A])
    print(f"Quadratic character base Q: {Q}")
    #Find smooth pairs
    pairs = find_smooth_pairs(n, m, f, R, A, Q, a_limit=a_limit, b_limit=b_limit)
    print(f"Found {len(pairs)} smooth pairs")
    # quick check to see if we have enough pairs
    num_cols = len(R) + len(A) + len(Q) + 1
    if len(pairs) < num_cols:
        print("Not enough smooth pairs. Increase limits (a and b) or bounds (R, A, Q).")
        return None
    #construct the matrix X
    X = construct_matrix_X(pairs, len(R), len(A), len(Q))
    #solve the system
    dependency = solve_linear_system_mod2(X)
    # check if no dependency was found
    if not dependency:
      print("No non-trivial dependency found.")
      return None
    # find one of the factors 
    factor = factor_n_from_pairs(n, pairs, dependency, m, f)
    #return the factor found
    return factor

Let's run gnfs on an example. The goal here is only to find the prime factors of a given number because this is the most difficult part. This example will work (please note that the execution takes 8-12 seconds approximately) but if you want to try different values feel free but it might not work.

In [None]:
n = 45113
m = 31
print(f"Trying to factor {n} with m={m}...")
start_time = time()
factor = gnfs(n, m, R_bound=75, A_bound=150, Q_bound=167, a_limit=770, b_limit=753)
if factor:
    end_time = time()
    print(f"Found the 2 factors : {factor} and {n // factor} in {end_time - start_time} seconds")
    print(f"{n} = {factor} * {n // factor}")
else:
    print(f"Could not factor {n}")
    print(f"Try increasing limits (a and b) or bounds (R, A, Q) or use different values of m")

#### GNFS Cracking Time Estimates (Classical Resources)

For reference, the following table estimates show how long it would take to factor RSA keys of different sizes. The times are extrapolated from data on previously factored, smaller numbers.

| RSA key size (bits) | 1 core | 100 cores | 1 k cores | 10 k cores | 1 M cores |
|---------------------|--------------:|----------:|----------:|-----------:|-----------:|
| **512** | ~10 years     | ~36 days  | ~3.6 days | ~8.6 hours | ~5 minutes | 
| **768** | ~600 years    | ~6 years  | ~2.2 years| ~7.9 months| ~5 days    | 
| **1024** | ~30,000 years | ~300 years| ~30 years | ~3 years   | ~10 days   | 
| **2048** | ~1B years     | ~10M years| ~1M years | ~100k years| ~1,000 years| 
| **4096** | ~10¹⁵ years   | ~10¹³ years| ~10¹² years| ~10¹¹ years| ~10⁹ years |

As we can see, classical computers have no hope of cracking RSA today. But what about the emerging world of quantum computing ? Could it succeed where classical machines fail?

## III) Foundations of Quantum Physics

### Brief Introduction

### Superposition and no-cloning theorem

### Entanglement

## IV) Discover the Quantum Computers

### What is a quantum computer

### What is a qubit & how to measure a state ?

### Quantum Circuits & Gates

### Advanced Concepts and Further Reading

#### Relaxation (T1) and Decoherence (T2) times in quantum world

#### Further reading

## V) Setting up our first algorithm for quantum computers

### Setting up qiskit

Here is a function to run your circuit on a simulator

We will be running the functions on a quantum computer simulator so you don't have to setup a IBM qiskit account. All the required packages are already installed. If you want to run your code on a real quantum hardware we advice you to follow the steps [here](https://canvas.kth.se/courses/56029/pages/tutorial-ibm-quantum-platform-upgraded-login-api-key-and-your-first-run-bell-pair?module_item_id=1256103).

In [1]:
def run_simulation(qc, shots=1024):
    simulator = AerSimulator()
    compiled_circuit = transpile(qc, simulator)
    job = simulator.run(compiled_circuit, shots=shots)
    result = job.result()
    counts = result.get_counts()
    return counts

### First Algorithm (QRNG)

In **quantum computing**, one of the simplest yet most powerful applications is the generation of **random numbers**.  

In **classical computing**, we usually rely on *pseudo-random number generators (PRNGs)*.  
These algorithms create numbers that **look random**, but they are ultimately **deterministic** if the algorithm and the initial seed are known.

---

#### How the Algorithm Works

Think of a **qubit** like a magic coin:

1. **Start:**  
   It’s set to heads ($|0⟩$) by default.

2. **Hadamard gate (H):**  
   This is like spinning the coin perfectly.  
   While it’s spinning, it’s in a **superposition**, not just heads or tails, but both at once.

3. **Measure:**  
   You “catch” the coin. The spin stops, and it becomes either heads or tails.  
   In quantum terms, the qubit **collapses** to $0$ or $1$, each with a 50% chance.

If you **spin and measure** the qubit many times, you get a list of 0s and 1s that’s **truly random**. In our case we are going to use 3 qubits to directly form a number of 3 bits.

That’s a **Quantum Random Number Generator (QRNG)**. 

Now we have to try to implement it.


First we have to create a circuit

In [2]:
n = 3
qc = QuantumCircuit(n) #We use the QuantumCircuit primitive and specify the number of qubits
# The initial state of the cicuit is every qubit in state 0

NameError: name 'QuantumCircuit' is not defined

Then we have to add the gates we are going to use on the qubits

In [3]:
for i in range(n):
    qc.h(i) #We apply the hadamard gate on every qubit as seen in the algorithm before
    # This will put every qubit in superposition (like spinning a coin)

NameError: name 'qc' is not defined

Then we have to measure the state of the qubits 

In [4]:
qc.measure_all(n) #We use this function because we want to measure all the qubits. This will collapse the state of one qubit to be 0 or 1 
# and store the result in a so called measuring bit

NameError: name 'qc' is not defined

We can visualise the circuit

In [5]:
qc.draw('mpl')

NameError: name 'qc' is not defined

Then we have to run the simulation. We have to run the simulation many times to have good results. In fact, each run of a quantum circuit gives only **one random outcome** (e.g., `0` or `1`). Because quantum results are **probabilistic**, we must repeat the circuit many times (called *shots*) to estimate the **true probabilities** of each outcome (More runs = more accurate results). In our case we will run the simulation 1024 times.

In [None]:
results = run_simulation(qc, shots=1024)
print(results)

The result is a dictionnary with key an output of a simulation and value how many time this value appeared during all the 1024 simulations. But this isn't a good way to visualise it. It would be more representative with a plot. Fortunately qiskit has a way to do it with 'plot_histogram'.

In [6]:
plot_histogram(results)

NameError: name 'plot_histogram' is not defined

We can see that the outcome is truly random making each 3 bits numbers equally likely. We really have implemented a quantum random generator.

## VI) Crack RSA with Quantum Computers

### Shor Algorithm


### Step-by-Step Tutorial: Implementing Shor's Algorithm in Qiskit

## VII) Is security of our data compromised ?

### Quantum Computers are yet not powerful enough

Although Shor’s algorithm provides a polynomial-time method for integer factorization, its practical application is severely limited by the current state of quantum hardware. Experimental demonstrations have so far only managed to factor very small numbers, with the most reliable implementations handling integers such as **15** and **21**.  

**Guess what?** *YOU have implemented a circuit that factors 15!* So you officially belong to the elite ranks of quantum computing pioneers :).

These results validate the algorithm but highlight the vast gap between theoretical capability and cryptographically relevant problem sizes.

Estimates for breaking a **2048-bit RSA modulus** remain far beyond present technology. Factoring such a number is projected to require approximately **20 million physical qubits** when error correction overhead is considered. Even with algorithmic optimizations, the requirement is unlikely to fall below **one million physical qubits**. By contrast, the most advanced hardware currently available contains just over **1,000 qubits** (such as IBM’s *Condor* processor with **1,121 qubits**), underscoring the enormous gap between experimental capability and the resources required to compromise RSA in practice.  

The circuit depth of Shor’s algorithm scales quadratically with the key size, and at this scale, execution would demand **trillions of sequential quantum gate operations**—orders of magnitude beyond the **coherence times of existing devices** (IBM's best hardware has a coherence time of **400 microseconds**). In addition, the total energy expenditure for such a computation has been estimated in the **tens of megawatt-hours**, comparable to the continuous operation of a small industrial facility.

In summary, while RSA is theoretically vulnerable to quantum factorization, the hardware required to execute such an attack does not yet exist. Present-day quantum computers remain **millions of qubits** and several technological breakthroughs away from posing a realistic threat to widely used cryptographic key sizes.

### Classical methods such as Elliptic Curve Cryptography cannot be crack by quantum computers (yet)

### Quantum Cryptography based on superposition and entanglement (Bell's Pairs)

#### You are done with this lab ! Hope you liked it that and you have learned a bit more about cryptography today and the quantum world!