Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1155/2023/2963110

IF: 1.968

2023-11-24

Security and Communication Networks

Abstract:Since the RSA public key cryptosystem was proposed, it has been widely used because of its strong security. Although the proposal of the Shor’s algorithm offers hope for cracking RSA, it is debatable whether the algorithm can actually pose a threat in practice. From the perspective of the quantum circuit of the Shor’s algorithm, we analyse the feasibility of cracking RSA with improved quantum circuits using an ion-trap quantum computer. We present an improved quantum circuit for the modular exponentiation of a constant, which is the most expensive operation in Shor’s algorithm for integer factorization. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we minimize the number of CNOTs, which greatly affects the time to run the algorithm on an ion-trap quantum computer. First, we give the implementation of the basic arithmetic with the lowest known number of CNOTs and the construction of an improved modular exponentiation of a constant by accumulating intermediate data and using a windowing technique. Then, we precisely estimate the number of improved quantum circuits needed to perform the Shor’s algorithm for factoring an n -bit integer, which is 217 n 3 / log 2 n + 4 n 2 + n . We analyse the running time and feasibility of the Shor’s algorithm on an ion-trap quantum computer according to the number of CNOTs. Finally, we discussed the lower bound of the number of CNOTs needed to implement the Shor’s algorithm.

computer science, information systems,telecommunications

Rini Wisnu Wardhani,Dedy Septono Catur Putranto,Jaehan Cho,Howon Kim

DOI: https://doi.org/10.1109/access.2024.3489552

IF: 3.9

2024-11-09

IEEE Access

Abstract:This paper provides a detailed analysis and estimation of the quantum resources required for depth-optimized elliptic curve point multiplication (ECPM), with a focus on qubits, Toffoli gates, CNOT gates, and circuit depth. The proposed ECPM quantum circuit, which is tailored for binary elliptic curve cryptanalysis using Shor's algorithm, incorporates improved arithmetic operations into optimized point addition (PA) and point doubling (PD) processes. The quantum resources required for single-step and full-step ECPM implementations (comprising PD +2 PA) were systematically evaluated to enable in-depth cryptanalysis of binary elliptic curve cryptography using Shor's algorithm. The proposed approach offers a significant improvement in resource efficiency compared to circuits that rely solely on the existing PA, which typically require ( )PA operations. The execution of a full iteration of quantum cryptanalysis using the Shor circuit was estimated to require Toffoli gates, approximately qubits, and a circuit depth of approximately . Comparisons with leading Toffoli gate-level analysis results validate our findings, which demonstrate reduced quantum resource usage. In addition, key findings related to techniques for solving discrete logarithm problems are summarized, drawing from influential previous studies and current advancements.

computer science, information systems,telecommunications,engineering, electrical & electronic

John Proos,Christof Zalka

DOI: https://doi.org/10.48550/arXiv.quant-ph/0301141

2004-01-23

Abstract:We show in some detail how to implement Shor's efficient quantum algorithm for discrete logarithms for the particular case of elliptic curve groups. It turns out that for this problem a smaller quantum computer can solve problems further beyond current computing than for integer factorisation. A 160 bit elliptic curve cryptographic key could be broken on a quantum computer using around 1000 qubits while factoring the security-wise equivalent 1024 bit RSA modulus would require about 2000 qubits. In this paper we only consider elliptic curves over GF($p$) and not yet the equally important ones over GF($2^n$) or other finite fields. The main technical difficulty is to implement Euclid's gcd algorithm to compute multiplicative inverses modulo $p$. As the runtime of Euclid's algorithm depends on the input, one difficulty encountered is the ``quantum halting problem''.

Quantum Physics

Sunyeop Kim,Insung Kim,Seonggyeom Kim,Seokhie Hong

DOI: https://doi.org/10.1007/s11128-024-04536-1

IF: 1.965

2024-10-01

Quantum Information Processing

Abstract:Shor's algorithm solves the elliptic curve discrete logarithm problem (ECDLP) in polynomial time. To optimize Shor's algorithm for binary elliptic curves, reducing the cost of binary field multiplication is essential because it is the most cost-critical arithmetic operation. In this paper, we propose Toffoli gate count-optimized, space-efficient (i.e., no ancilla qubits are used) quantum circuits for binary field ( ) multiplication. To achieve this, we leverage the Karatsuba-like formulae and demonstrate that its application can be implemented without the need for ancillary qubits. We optimize these circuits in terms of CNOT gate count and depth. Building upon the Karatsuba-like formulae, we develop a space-efficient CRT-based multiplication technique utilizing two types of out-of-place multiplication algorithms to reduce the CNOT gate count. Our quantum circuits exhibit an extremely low Toffoli gate count of , where represents the iterative logarithmic function that grows very slowly. When compared to recent Karatsuba-based space-efficient quantum circuit, our approach requires only (10–25 %) of the Toffoli gate count and Toffoli depth for cryptographic field sizes in the range of n  = 233–571. To the best of our knowledge, this represents the first successful utilization of the Karatsuba-like formulae and CRT-based multiplication in quantum circuits.

physics, multidisciplinary,quantum science & technology, mathematical

Harashta Tatimma Larasati,Howon Kim

2023-06-13

Abstract:In the past years, research on Shor's algorithm for solving elliptic curves for discrete logarithm problems (Shor's ECDLP), the basis for cracking elliptic curve-based cryptosystems (ECC), has started to garner more significant interest. To achieve this, most works focus on quantum point addition subroutines to realize the double scalar multiplication circuit, an essential part of Shor's ECDLP, whereas the point doubling subroutines are often overlooked. In this paper, we investigate the quantum point doubling circuit for the stricter assumption of Shor's algorithm when doubling a point should also be taken into consideration. In particular, we analyze the challenges on implementing the circuit and provide the solution. Subsequently, we design and optimize the corresponding quantum circuit, and analyze the high-level quantum resource cost of the circuit. Additionally, we discuss the implications of our findings, including the concerns for its integration with point addition for a complete double scalar multiplication circuit and the potential opportunities resulting from its implementation. Our work lays the foundation for further evaluation of Shor's ECDLP.

Quantum Physics,Cryptography and Security

Igor L. Markov,Mehdi Saeedi

DOI: https://doi.org/10.1103/PhysRevA.87.012310

2013-01-15

Abstract:A major obstacle to implementing Shor's quantum number-factoring algorithm is the large size of modular-exponentiation circuits. We reduce this bottleneck by customizing reversible circuits for modular multiplication to individual runs of Shor's algorithm. Our circuit-synthesis procedure exploits spectral properties of multiplication operators and constructs optimized circuits from the traces of the execution of an appropriate GCD algorithm. Empirically, gate counts are reduced by 4-5 times, and circuit latency is reduced by larger factors.

Quantum Physics,Data Structures and Algorithms,Emerging Technologies

Yan Huang,Zhaofeng Su,Fangguo Zhang,Yong Ding,Rong Cheng

DOI: https://doi.org/10.1007/s11128-019-2562-5

IF: 1.965

2020-01-01

Quantum Information Processing

Abstract:The discrete logarithm problem (DLP) plays an important role in modern cryptography since it cannot be efficiently solved on a classical computer. Currently, the DLP based on the hyperelliptic curve of genus 2 (HCDLP) is widely used in industry and also a research field of hot interest. At the same time, quantum computing, a new paradigm for computing based on quantum mechanics, provides the ability to solve certain hard problems that cannot be efficiently solved on classical computers. In this paper, we consider the problem of solving the HCDLP in the paradigm of quantum computing. We propose a quantum algorithm for solving the HCDLP by applying the framework of quantum algorithm designed by Shor. The key of the algorithm is the realization of divisor addition. We solve the key problem and get analytical results for divisor addition by geometric meaning of the group addition. Therefore, the procedure can be efficiently realized on a quantum computer using the basic modular arithmetic operations. Finally, we conclude that the HCDLP defined over an n-bit prime field \(\mathbb {F}_{p}\) can be computed on a quantum computer with at most \(13n+2\lfloor \log _{2}n\rfloor +10\) qubits using \(2624n^{3} \log _{2}n-2209.2n^{3} + 1792n^{2} \log _{2}n-3012.8n^{2}\) Toffoli gates. For current parameters at comparable classical security levels, there are fewer qubits and Toffoli gates to solve the HCDLP than the ones to solve the DLP based on elliptic curves.

Tian-Long Huang,Yong-Zheng Wu,Ming Ni,Shi Wang,Yong-Jin Ye,Huang Tian-Long,Wu Yong-Zheng,Ni Ming,Wang Shi,Ye Yong-Jin,

DOI: https://doi.org/10.7498/aps.73.20231414

IF: 0.906

2024-01-01

Acta Physica Sinica

Abstract:Shor's quantum factoring algorithm(Shor's algorithm) can solve factorization problem of large integers using a fully-operational quantum computer with the complexity of polynomial level, thereby cracking a series of encryption algorithms whose security is guaranteed by the factorization of large integers being a hard problem, such as Rivest-Shamir-Adleman encryption algorithm, Diffie-Hellman key exchange protocol, etc. We are currently in the noisy intermediate-scale quantum era, which means we can only operate on quantum computers with limited number of qubits and we have to take care of the effects of quantum noise. Quantum states are susceptible to quantum noise when running on a quantum computer due to low-fidelity gates or interaction between qubits and environment, which will lead to the incorrect results by measurements. We study the effects of quantum noise on Shor's algorithm from 3 typical quantum noise channels respectively: depolarizing channel, state preparation and measurement channel and thermal relaxation channel. We successfully simulate factoring 15, 21 and 35 into their corresponding prime factors based on the quantum circuit we have constructed on a classical computer. Our research then simulates running quantum circuit of Shor's algorithm in a noisy environment with different level of noise for one certain type of noise channel and yields numerical results. We can obtain precise distribution of measurement by calculating the statevector before measurement which contributes to higher effiency instead of simulating and measuring for a large amount of times. Each experiment is conducted for 1000 times to diminish discrepancy. Our research indicates that Shor's algorithm is easily affected by quantum noise. Success rate of Shor's algorithm decreases exponentially with increasing level of noise in depolarizing channel, where succuss rate is an indicator we propose in this research to quantify the effect of noise on Shor's algorithm, meanwhile noise in both state preparation and measurement channel and thermal relaxation channel can linearly affect the success rate of Shor's algorithm. There are $O(n^4)$ quantum gates in the circuit, each of which is disrupted by noise in depolarizing channel during running the circuit, meanwhile there are only $O(n)$ interruption caused by noise in state preparation and measurement channel since we only do measurements for $O(n)$ times in the circuit where $n$ is the number of bits of the integer about to be factored. Linear relationship in thermal relaxation channel is mainly due to the large gap between quantum gate time and relaxation time even if every gate in the circuit is disrupted by noise in thermal relaxation channel like depolarizing channel. Our paper can be used for subsequent error correction, improving Shor's algorithm and providing guidance to requirements for fidelity in engineering implementation of Shor's algorithm.

physics, multidisciplinary

Archimedes Pavlidis,Dimitris Gizopoulos

DOI: https://doi.org/10.48550/arXiv.1207.0511

2013-11-05

Abstract:We present a novel and efficient in terms of circuit depth design for Shor's quantum factorization algorithm. The circuit effectively utilizes a diverse set of adders based on the quantum Fourier transform (QFT) Draper's adders to build more complex arithmetic blocks: quantum multiplier/accumulators by constants and quantum dividers by constants. These arithmetic blocks are effectively architected into a generic modular quantum multiplier which is the fundamental block for modular exponentiation circuit, the most computational intensive part of Shor's algorithm. The proposed modular exponentiation circuit has a depth of about $2000n^{2}$ and requires $9n+2$ qubits, where $n$ is the number of bits of the classical number to be factored. The total quantum cost of the proposed design is $1600n^{3}$. The circuit depth can be further decreased by more than three times if the approximate QFT implementation of each adder unit is exploited.

Quantum Physics

Brittanney Amento,Rainer Steinwandt,Martin Roetteler

DOI: https://doi.org/10.48550/arXiv.1209.6348

2012-09-28

Abstract:Elliptic curves over finite fields GF(2^n) play a prominent role in modern cryptography. Published quantum algorithms dealing with such curves build on a short Weierstrass form in combination with affine or projective coordinates. In this paper we show that changing the curve representation allows a substantial reduction in the number of T-gates needed to implement the curve arithmetic. As a tool, we present a quantum circuit for computing multiplicative inverses in GF(2^n) in depth O(n log n) using a polynomial basis representation, which may be of independent interest.

Quantum Physics,Data Structures and Algorithms,Emerging Technologies

Qiqing Xia,Qianru Zhu,Huiqin Xie,Li Yang

2024-05-11

Abstract:Many quantum algorithms for attacking symmetric cryptography involve the rank problem of quantum linear equations. In this paper, we first propose two quantum algorithms for solving quantum linear systems of equations with coherent superposition and construct their specific quantum circuits. Unlike previous related works, our quantum algorithms are universal. Specifically, the two quantum algorithms can both compute the rank and general solution by one measurement. The difference between them is whether the data register containing the quantum coefficient matrix can be disentangled with other registers and keep the data qubits unchanged. On this basis, we apply the two quantum algorithms as a subroutine to parallel Simon's algorithm (with multiple periods), Grover Meets Simon algorithm, and Alg-PolyQ2 algorithm, respectively. Afterwards, we construct a quantum classifier within Grover Meets Simon algorithm and the test oracle within Alg-PolyQ2 algorithm in detail, including their respective quantum circuits. To our knowledge, no such specific analysis has been done before. We rigorously analyze the success probability of those algorithms to ensure that the success probability based on the proposed quantum algorithms will not be lower than that of those original algorithms. Finally, we discuss the lower bound of the number of CNOT gates for solving quantum linear systems of equations with coherent superposition, and our quantum algorithms reach the optimum in terms of minimizing the number of CNOT gates. Furthermore, our analysis indicates that the proposed algorithms are mainly suitable for conducting attacks against lightweight symmetric ciphers, within the effective working time of an ion trap quantum computer.

Quantum Physics

Martin Ekerå,Johan Håstad

DOI: https://doi.org/10.1007/978-3-319-59879-6_20

2017-02-01

Abstract:In this paper we generalize the quantum algorithm for computing short discrete logarithms previously introduced by Ekerå so as to allow for various tradeoffs between the number of times that the algorithm need be executed on the one hand, and the complexity of the algorithm and the requirements it imposes on the quantum computer on the other hand. Furthermore, we describe applications of algorithms for computing short discrete logarithms. In particular, we show how other important problems such as those of factoring RSA integers and of finding the order of groups under side information may be recast as short discrete logarithm problems. This immediately gives rise to an algorithm for factoring RSA integers that is less complex than Shor's general factoring algorithm in the sense that it imposes smaller requirements on the quantum computer. In both our algorithm and Shor's algorithm, the main hurdle is to compute a modular exponentiation in superposition. When factoring an n bit integer, the exponent is of length 2n bits in Shor's algorithm, compared to slightly more than n/2 bits in our algorithm.

Cryptography and Security,Quantum Physics

Cédric Pilatte

2024-04-25

Abstract:In 1994, Shor introduced his famous quantum algorithm to factor integers and compute discrete logarithms in polynomial time. In 2023, Regev proposed a multi-dimensional version of Shor's algorithm that requires far fewer quantum gates. His algorithm relies on a number-theoretic conjecture on the elements in $(\mathbb{Z}/N\mathbb{Z})^{\times}$ that can be written as short products of very small prime numbers. We prove a version of this conjecture using tools from analytic number theory such as zero-density estimates. As a result, we obtain an unconditional proof of correctness of this improved quantum algorithm and of subsequent variants.

Number Theory,Computational Complexity,Quantum Physics

Ren Taguchi,Atsushi Takayasu

DOI: https://doi.org/10.1007/s11128-024-04323-y

IF: 1.965

2024-03-26

Quantum Information Processing

Abstract:Thus far, several papers reported concrete resource estimates of Shor's quantum algorithm for solving the elliptic curve discrete logarithm problem. In this paper, we study quantum FLT-based inversion algorithms over binary elliptic curves. There are two major algorithms proposed by Banegas et al. and Putranto et al., where the former and latter algorithms achieve fewer numbers of qubits and smaller depths of circuits, respectively. We propose two quantum FLT-based inversion algorithms that essentially outperform previous FLT-based algorithms and compare the performance for NIST curves of the degree n . Specifically, for all n , our first algorithm achieves fewer qubits than Putranto et al.'s one without sacrificing the number of Toffoli gates and the depth of circuits, while our second algorithm achieves smaller depths of circuits without sacrificing the number of qubits and Toffoli gates. For example, when , the number of qubits of our first algorithm is 74 % of that of Putranto et al.'s one, while the depth of our second algorithm is 83 % of that of Banegas et al.'s one. The improvements stem from the fact that FLT-based inversions can be performed with arbitrary sequences of addition chains for although both Banegas et al. and Putranto et al. follow fixed sequences that were introduced by Itoh and Tsujii's classical FLT-based inversion. In particular, we analyze how several properties of addition chains, which do not affect the computational resources of classical FLT-based inversions, affect the computational resources of quantum FLT-based inversions and find appropriate sequences.

physics, multidisciplinary,quantum science & technology, mathematical

Gregory D. Kahanamoku-Meyer,Norman Y. Yao

2024-06-15

Abstract:The multiplication of superpositions of numbers is a core operation in many quantum algorithms. The standard method for multiplication (both classical and quantum) has a runtime quadratic in the size of the inputs. Quantum circuits with asymptotically fewer gates have been developed, but generally exhibit large overheads, especially in the number of ancilla qubits. In this work, we introduce a new paradigm for sub-quadratic-time quantum multiplication with zero ancilla qubits -- the only qubits involved are the input and output registers themselves. Our algorithm achieves an asymptotic gate count of $\mathcal{O}(n^{1+\epsilon})$ for any $\epsilon > 0$; with practical choices of parameters, we expect scalings as low as $\mathcal{O}(n^{1.3})$. Used as a subroutine in Shor's algorithm, our technique immediately yields a factoring circuit with $\mathcal{O}(n^{2+\epsilon})$ gates and only $2n + \mathcal{O}(\log n)$ qubits; to our knowledge, this is by far the best qubit count of any factoring circuit with a sub-cubic number of gates. Used in Regev's recent factoring algorithm, the gate count is $\mathcal{O}(n^{1.5+\epsilon})$. Finally, we demonstrate that our algorithm has the potential to outperform previous proposals at problem sizes relevant in practice, including yielding the smallest circuits we know of for classically-verifiable quantum advantage.

Quantum Physics

Enrique Martin-Lopez,Anthony Laing,Thomas Lawson,Roberto Alvarez,Xiao-Qi Zhou,Jeremy L. O'Brien

DOI: https://doi.org/10.1038/nphoton.2012.259

2012-10-24

Abstract:Quantum computational algorithms exploit quantum mechanics to solve problems exponentially faster than the best classical algorithms. Shor's quantum algorithm for fast number factoring is a key example and the prime motivator in the international effort to realise a quantum computer. However, due to the substantial resource requirement, to date, there have been only four small-scale demonstrations. Here we address this resource demand and demonstrate a scalable version of Shor's algorithm in which the n qubit control register is replaced by a single qubit that is recycled n times: the total number of qubits is one third of that required in the standard protocol. Encoding the work register in higher-dimensional states, we implement a two-photon compiled algorithm to factor N=21. The algorithmic output is distinguishable from noise, in contrast to previous demonstrations. These results point to larger-scale implementations of Shor's algorithm by harnessing scalable resource reductions applicable to all physical architectures.

Quantum Physics

Chao-Yang Lu,Daniel E. Browne,Tao Yang,Jian-Wei Pan

DOI: https://doi.org/10.1103/physrevlett.99.250504

IF: 8.6

2007-01-01

Physical Review Letters

Abstract:We report an experimental demonstration of a complied version of Shor's algorithm using four photonic qubits. We choose the simplest instance of this algorithm, that is, factorization of N=15 in the case that the period r=2 and exploit a simplified linear optical network to coherently implement the quantum circuits of the modular exponential execution and semiclassical quantum Fourier transformation. During this computation, genuine multiparticle entanglement is observed which well supports its quantum nature. This experiment represents an essential step toward full realization of Shor's algorithm and scalable linear optics quantum computation.

Martin Ekerå

2024-09-14

Abstract:We heuristically show that Shor's algorithm for computing general discrete logarithms achieves an expected success probability of approximately 60% to 82% in a single run when modified to enable efficient implementation with the semi-classical Fourier transform. By slightly increasing the number of group operations that are evaluated quantumly and performing a single limited search in the classical post-processing, or by performing two limited searches in the post-processing, we show how the algorithm can be further modified to achieve a success probability that heuristically exceeds 99% in a single run. We provide concrete heuristic estimates of the success probability of the modified algorithm, as a function of the group order $r$, the size of the search space in the classical post-processing, and the additional number of group operations evaluated quantumly. In the limit as $r \rightarrow \infty$, we heuristically show that the success probability tends to one. In analogy with our earlier works, we show how the modified quantum algorithm may be heuristically simulated classically when the logarithm $d$ and $r$ are both known. Furthermore, we heuristically show how slightly better tradeoffs may be achieved, compared to our earlier works, if $r$ is known when computing $d$. We generalize our heuristic to cover some of our earlier works, and compare it to the non-heuristic analyses in those works.

Cryptography and Security,Quantum Physics

Hyeonhak Kim,Seokhie Hong

2023-03-12

Abstract:In previous research, quantum resources were concretely estimated for solving Elliptic Curve Discrete Logarithm Problem(ECDLP). In [1], the quantum algorithm was optimized for the binary elliptic curves and the main optimization target was the number of the logical qubits. The division algorithm was mainly optimized in [1] since every ancillary qubit is used in the division algorithm. In this paper, we suggest a new quantum division algorithm on the binary field which uses a smaller number of qubits. For elements in a field of $2^n$, we can save $\lceil n/2 \rceil - 1$ qubits instead of using $8n^2+4n-12+(16n-8)\lfloor\log(n)\rfloor$ more Toffoli gates, which leads to a more space-efficient quantum algorithm for binary elliptic curves.

Quantum Physics,Cryptography and Security