Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

Sunyeop Kim,Insung Kim,Seonggyeom Kim,Seokhie Hong

DOI: https://doi.org/10.1007/s11128-024-04536-1

IF: 1.965

2024-10-01

Quantum Information Processing

Abstract:Shor's algorithm solves the elliptic curve discrete logarithm problem (ECDLP) in polynomial time. To optimize Shor's algorithm for binary elliptic curves, reducing the cost of binary field multiplication is essential because it is the most cost-critical arithmetic operation. In this paper, we propose Toffoli gate count-optimized, space-efficient (i.e., no ancilla qubits are used) quantum circuits for binary field ( ) multiplication. To achieve this, we leverage the Karatsuba-like formulae and demonstrate that its application can be implemented without the need for ancillary qubits. We optimize these circuits in terms of CNOT gate count and depth. Building upon the Karatsuba-like formulae, we develop a space-efficient CRT-based multiplication technique utilizing two types of out-of-place multiplication algorithms to reduce the CNOT gate count. Our quantum circuits exhibit an extremely low Toffoli gate count of , where represents the iterative logarithmic function that grows very slowly. When compared to recent Karatsuba-based space-efficient quantum circuit, our approach requires only (10–25 %) of the Toffoli gate count and Toffoli depth for cryptographic field sizes in the range of n  = 233–571. To the best of our knowledge, this represents the first successful utilization of the Karatsuba-like formulae and CRT-based multiplication in quantum circuits.

physics, multidisciplinary,quantum science & technology, mathematical

John Proos,Christof Zalka

DOI: https://doi.org/10.48550/arXiv.quant-ph/0301141

2004-01-23

Abstract:We show in some detail how to implement Shor's efficient quantum algorithm for discrete logarithms for the particular case of elliptic curve groups. It turns out that for this problem a smaller quantum computer can solve problems further beyond current computing than for integer factorisation. A 160 bit elliptic curve cryptographic key could be broken on a quantum computer using around 1000 qubits while factoring the security-wise equivalent 1024 bit RSA modulus would require about 2000 qubits. In this paper we only consider elliptic curves over GF($p$) and not yet the equally important ones over GF($2^n$) or other finite fields. The main technical difficulty is to implement Euclid's gcd algorithm to compute multiplicative inverses modulo $p$. As the runtime of Euclid's algorithm depends on the input, one difficulty encountered is the ``quantum halting problem''.

Quantum Physics

Daniel Litinski,Naomi Nickerson

DOI: https://doi.org/10.48550/arXiv.2211.15465

2022-11-28

Quantum Physics

Abstract:In existing general-purpose architectures for surface-code-based fault-tolerant quantum computers, the cost of a quantum computation is determined by the circuit volume, i.e., the number of qubits multiplied by the number of non-Clifford gates. We introduce an architecture using non-2D-local connections in which the cost does not scale with the number of qubits, and instead only with the number of logical operations. Each logical operation has an associated active volume, such that the cost of a quantum computation can be quantified as a sum of active volumes of all operations. For quantum computations with thousands of logical qubits, the active volume can be orders of magnitude lower than the circuit volume. Importantly, the architecture does not require all-to-all connectivity between N logical qubits. Instead, each logical qubit is connected to O(log N) other sites. As an example, we show that, using the same number of logical qubits, a 2048-bit factoring algorithm can be executed 44 times faster than on a general-purpose architecture without non-local connections. With photonic qubits, long-range connections are available and we show how photonic components can be used to construct a fusion-based active-volume quantum computer.

Élie Gouzien,Diego Ruiz,Francois-Marie Le Régent,Jérémie Guillaud,Nicolas Sangouard

DOI: https://doi.org/10.1103/PhysRevLett.131.040602

2023-08-05

Abstract:Cat qubits provide appealing building blocks for quantum computing. They exhibit a tunable noise bias yielding an exponential suppression of bit flips with the average photon number and a protection against the remaining phase errors can be ensured by a simple repetition code. We here quantify the cost of a repetition code and provide valuable guidance for the choice of a large scale architecture using cat qubits by realizing a performance analysis based on the computation of discrete logarithms on an elliptic curve with Shor's algorithm. By focusing on a 2D grid of cat qubits with neighboring connectivity, we propose to implement 2-qubit gates via lattice surgery and Toffoli gates with off-line fault-tolerant preparation of magic states through projective measurements and subsequent gate teleportations. All-to-all connectivity between logical qubits is ensured by routing qubits. Assuming a ratio between single- and two-photon losses of 1e-5 and a cycle time of 500 ns, we show concretely that such an architecture can compute a 256-bit elliptic curve logarithm in 9 h with 126133 cat qubits and on average 19 photons by cat state. We give the details of the realization of Shor's algorithm so that the proposed performance analysis can be easily reused to guide the choice of architecture for others platforms.

Quantum Physics

Mark Webber,Vincent Elfving,Sebastian Weidt,Winfried K. Hensinger

DOI: https://doi.org/10.1116/5.0073075

2022-03-01

AVS Quantum Science

Abstract:We investigate how hardware specifications can impact the final run time and the required number of physical qubits to achieve a quantum advantage in the fault tolerant regime. Within a particular time frame, both the code cycle time and the number of achievable physical qubits may vary by orders of magnitude between different quantum hardware designs. We start with logical resource requirements corresponding to a quantum advantage for a particular chemistry application, simulating the FeMo-co molecule, and explore to what extent slower code cycle times can be mitigated by using additional qubits. We show that in certain situations, architectures with considerably slower code cycle times will still be able to reach desirable run times, provided enough physical qubits are available. We utilize various space and time optimization strategies that have been previously considered within the field of error-correcting surface codes. In particular, we compare two distinct methods of parallelization: Game of Surface Code's Units and AutoCCZ factories. Finally, we calculate the number of physical qubits required to break the 256-bit elliptic curve encryption of keys in the Bitcoin network within the small available time frame in which it would actually pose a threat to do so. It would require 317 × 106 physical qubits to break the encryption within one hour using the surface code, a code cycle time of 1 μs, a reaction time of 10 μs, and a physical gate error of 10 − 3. To instead break the encryption within one day, it would require 13 × 106 physical qubits.

Rini Wisnu Wardhani,Dedy Septono Catur Putranto,Jaehan Cho,Howon Kim

DOI: https://doi.org/10.1109/access.2024.3489552

IF: 3.9

2024-11-09

IEEE Access

Abstract:This paper provides a detailed analysis and estimation of the quantum resources required for depth-optimized elliptic curve point multiplication (ECPM), with a focus on qubits, Toffoli gates, CNOT gates, and circuit depth. The proposed ECPM quantum circuit, which is tailored for binary elliptic curve cryptanalysis using Shor's algorithm, incorporates improved arithmetic operations into optimized point addition (PA) and point doubling (PD) processes. The quantum resources required for single-step and full-step ECPM implementations (comprising PD +2 PA) were systematically evaluated to enable in-depth cryptanalysis of binary elliptic curve cryptography using Shor's algorithm. The proposed approach offers a significant improvement in resource efficiency compared to circuits that rely solely on the existing PA, which typically require ( )PA operations. The execution of a full iteration of quantum cryptanalysis using the Shor circuit was estimated to require Toffoli gates, approximately qubits, and a circuit depth of approximately . Comparisons with leading Toffoli gate-level analysis results validate our findings, which demonstrate reduced quantum resource usage. In addition, key findings related to techniques for solving discrete logarithm problems are summarized, drawing from influential previous studies and current advancements.

computer science, information systems,telecommunications,engineering, electrical & electronic

Archisman Ghosh,Jose Maria Bermudo Mera,Angshuman Karmakar,Debayan Das,Santosh Ghosh,Ingrid Verbauwhede,Shreyas Sen

2023-05-18

Abstract:The hard mathematical problems that assure the security of our current public-key cryptography (RSA, ECC) are broken if and when a quantum computer appears rendering them ineffective for use in the quantum era. Lattice based cryptography is a novel approach to public key cryptography, of which the mathematical investigation (so far) resists attacks from quantum computers. By choosing a module learning with errors (MLWE) algorithm as the next standard, National Institute of Standard & Technology (NIST) follows this approach. The multiplication of polynomials is the central bottleneck in the computation of lattice based cryptography. Because public key cryptography is mostly used to establish common secret keys, focus is on compact area, power and energy budget and to a lesser extent on throughput or latency. While most other work focuses on optimizing number theoretic transform (NTT) based multiplications, in this paper we highly optimize a Toom-Cook based multiplier. We demonstrate that a memory-efficient striding Toom-Cook with lazy interpolation, results in a highly compact, low power implementation, which on top enables a very regular memory access scheme. To demonstrate the efficiency, we integrate this multiplier into a Saber post-quantum accelerator, one of the four NIST finalists. Algorithmic innovation to reduce active memory, timely clock gating and shift-add multiplier has helped to achieve 38% less power than state-of-the art PQC core, 4x less memory, 36.8% reduction in multiplier energy and 118x reduction in active power with respect to state-of-the-art Saber accelerator (not silicon verified). This accelerator consumes 0.158mm2 active area which is lowest reported till date despite process disadvantages of the state-of-the-art designs.

Cryptography and Security

Archimedes Pavlidis,Dimitris Gizopoulos

DOI: https://doi.org/10.48550/arXiv.1207.0511

2013-11-05

Abstract:We present a novel and efficient in terms of circuit depth design for Shor's quantum factorization algorithm. The circuit effectively utilizes a diverse set of adders based on the quantum Fourier transform (QFT) Draper's adders to build more complex arithmetic blocks: quantum multiplier/accumulators by constants and quantum dividers by constants. These arithmetic blocks are effectively architected into a generic modular quantum multiplier which is the fundamental block for modular exponentiation circuit, the most computational intensive part of Shor's algorithm. The proposed modular exponentiation circuit has a depth of about $2000n^{2}$ and requires $9n+2$ qubits, where $n$ is the number of bits of the classical number to be factored. The total quantum cost of the proposed design is $1600n^{3}$. The circuit depth can be further decreased by more than three times if the approximate QFT implementation of each adder unit is exploited.

Quantum Physics

Brittanney Amento,Rainer Steinwandt,Martin Roetteler

DOI: https://doi.org/10.48550/arXiv.1209.6348

2012-09-28

Abstract:Elliptic curves over finite fields GF(2^n) play a prominent role in modern cryptography. Published quantum algorithms dealing with such curves build on a short Weierstrass form in combination with affine or projective coordinates. In this paper we show that changing the curve representation allows a substantial reduction in the number of T-gates needed to implement the curve arithmetic. As a tool, we present a quantum circuit for computing multiplicative inverses in GF(2^n) in depth O(n log n) using a polynomial basis representation, which may be of independent interest.

Quantum Physics,Data Structures and Algorithms,Emerging Technologies

Craig Gidney,Martin Ekerå

DOI: https://doi.org/10.22331/q-2021-04-15-433

2021-04-13

Abstract:We significantly reduce the cost of factoring integers and computing discrete logarithms in finite fields on a quantum computer by combining techniques from Shor 1994, Griffiths-Niu 1996, Zalka 2006, Fowler 2012, Ekerå-Håstad 2017, Ekerå 2017, Ekerå 2018, Gidney-Fowler 2019, Gidney 2019. We estimate the approximate cost of our construction using plausible physical assumptions for large-scale superconducting qubit platforms: a planar grid of qubits with nearest-neighbor connectivity, a characteristic physical gate error rate of $10^{-3}$, a surface code cycle time of 1 microsecond, and a reaction time of 10 microseconds. We account for factors that are normally ignored such as noise, the need to make repeated attempts, and the spacetime layout of the computation. When factoring 2048 bit RSA integers, our construction's spacetime volume is a hundredfold less than comparable estimates from earlier works (Van Meter et al. 2009, Jones et al. 2010, Fowler et al. 2012, Gheorghiu et al. 2019). In the abstract circuit model (which ignores overheads from distillation, routing, and error correction) our construction uses $3 n + 0.002 n \lg n$ logical qubits, $0.3 n^3 + 0.0005 n^3 \lg n$ Toffolis, and $500 n^2 + n^2 \lg n$ measurement depth to factor $n$-bit RSA integers. We quantify the cryptographic implications of our work, both for RSA and for schemes based on the DLP in finite fields.

Quantum Physics

Francis Afzal,Mohsen Akhlaghi,Stefanie J. Beale,Olinka Bedroya,Kristin Bell,Laurent Bergeron,Kent Bonsma-Fisher,Polina Bychkova,Zachary M. E. Chaisson,Camille Chartrand,Chloe Clear,Adam Darcie,Adam DeAbreu,Colby DeLisle,Lesley A. Duncan,Chad Dundas Smith,John Dunn,Amir Ebrahimi,Nathan Evetts,Daker Fernandes Pinheiro,Patricio Fuentes,Tristen Georgiou,Biswarup Guha,Rafael Haenel,Daniel Higginbottom,Daniel M. Jackson,Navid Jahed,Amin Khorshidahmad,Prasoon K. Shandilya,Alexander T. K. Kurkjian,Nikolai Lauk,Nicholas R. Lee-Hone,Eric Lin,Rostyslav Litynskyy,Duncan Lock,Lisa Ma,Iain MacGilp,Evan R. MacQuarrie,Aaron Mar,Alireza Marefat Khah,Alex Matiash,Evan Meyer-Scott,Cathryn P. Michaels,Juliana Motira,Narwan Kabir Noori,Egor Ospadov,Ekta Patel,Alexander Patscheider,Danny Paulson,Ariel Petruk,Adarsh L. Ravindranath,Bogdan Reznychenko,Myles Ruether,Jeremy Ruscica,Kunal Saxena,Zachary Schaller,Alex Seidlitz,John Senger,Youn Seok Lee,Orbel Sevoyan,Stephanie Simmons,Oney Soykal,Leea Stott,Quyen Tran,Spyros Tserkis,Ata Ulhaq,Wyatt Vine,Russ Weeks,Gary Wolfowicz,Isao Yoneda

2024-06-04

Abstract:Commercially impactful quantum algorithms such as quantum chemistry and Shor's algorithm require a number of qubits and gates far beyond the capacity of any existing quantum processor. Distributed architectures, which scale horizontally by networking modules, provide a route to commercial utility and will eventually surpass the capability of any single quantum computing module. Such processors consume remote entanglement distributed between modules to realize distributed quantum logic. Networked quantum computers will therefore require the capability to rapidly distribute high fidelity entanglement between modules. Here we present preliminary demonstrations of some key distributed quantum computing protocols on silicon T centres in isotopically-enriched silicon. We demonstrate the distribution of entanglement between modules and consume it to apply a teleported gate sequence, establishing a proof-of-concept for T centres as a distributed quantum computing and networking platform.

Quantum Physics

Siddhant Singh,Fenglei Gu,Sébastian de Bone,Eduardo Villaseñor,David Elkouss,Johannes Borregaard

2024-08-06

Abstract:Connecting multiple smaller qubit modules by generating high-fidelity entangled states is a promising path for scaling quantum computing hardware. The performance of such a modular quantum computer is highly dependent on the quality and rate of entanglement generation. However, the optimal architectures and entanglement generation schemes are not yet established. Focusing on modular quantum computers with solid-state quantum hardware, we investigate a distributed surface code's error-correcting threshold and logical failure rate. We consider both emission-based and scattering-based entanglement generation schemes for the measurement of non-local stabilizers. Through quantum optical modeling, we link the performance of the quantum error correction code to the parameters of the underlying physical hardware and identify the necessary parameter regime for fault-tolerant modular quantum computation. In addition, we compare modular architectures with one or two data qubits per module. We find that the performance of the code depends significantly on the choice of entanglement generation scheme, while the two modular architectures have similar error-correcting thresholds. For some schemes, thresholds nearing the thresholds of non-distributed implementations ($\sim0.4 \%$) appear feasible with future parameters.

Quantum Physics

Igor L. Markov,Mehdi Saeedi

DOI: https://doi.org/10.1103/PhysRevA.87.012310

2013-01-15

Abstract:A major obstacle to implementing Shor's quantum number-factoring algorithm is the large size of modular-exponentiation circuits. We reduce this bottleneck by customizing reversible circuits for modular multiplication to individual runs of Shor's algorithm. Our circuit-synthesis procedure exploits spectral properties of multiplication operators and constructs optimized circuits from the traces of the execution of an appropriate GCD algorithm. Empirically, gate counts are reduced by 4-5 times, and circuit latency is reduced by larger factors.

Quantum Physics,Data Structures and Algorithms,Emerging Technologies

S. N. Saadatmand,Tyler L. Wilson,Mark Field,Madhav Krishnan Vijayan,Thinh P. Le,Jannis Ruh,Arshpreet Singh Maan,Ioana Moflic,Athena Caesura,Alexandru Paler,Mark J. Hodson,Simon J. Devitt,Josh Y. Mutus

2024-06-10

Abstract:The development of fault-tolerant quantum computers (FTQCs) is gaining increased attention within the quantum computing community. Like their digital counterparts, FTQCs, equipped with error correction and large qubit numbers, promise to solve some of humanity's grand challenges. Estimates of the resource requirements for future FTQC systems are essential to making design choices and prioritizing R&D efforts to develop critical technologies. Here, we present a resource estimation framework and software tool that estimates the physical resources required to execute specific quantum algorithms, compiled into their graph-state form, and laid out onto a modular superconducting hardware architecture. This tool can predict the size, power consumption, and execution time of these algorithms at as they approach utility-scale according to explicit assumptions about the system's physical layout, thermal load, and modular connectivity. We use this tool to study the total resources on a proposed modular architecture and the impact of tradeoffs between and inter-module connectivity, latency and resource requirements.

Quantum Physics

Sophia Fuhui Lin,Joshua Viszlai,Kaitlin N. Smith,Gokul Subramanian Ravi,Charles Yuan,Frederic T. Chong,Benjamin J. Brown

DOI: https://doi.org/10.1145/3620665.3640362

2024-03-23

Abstract:Fabrication errors pose a significant challenge in scaling up solid-state quantum devices to the sizes required for fault-tolerant (FT) quantum applications. To mitigate the resource overhead caused by fabrication errors, we combine two approaches: (1) leveraging the flexibility of a modular architecture, (2) adapting the procedure of quantum error correction (QEC) to account for fabrication defects. We simulate the surface code adapted to qubit arrays with arbitrarily distributed defects to find metrics that characterize how defects affect fidelity. We then determine the impact of defects on the resource overhead of realizing a fault-tolerant quantum computer, on a chiplet-based modular architecture. Our strategy for dealing with fabrication defects demonstrates an exponential suppression of logical failure where error rates of non-faulty physical qubits are ~0.1% in a circuit-based noise model. This is a typical regime where we imagine running the defect-free surface code. We use our numerical results to establish post-selection criteria for building a device from defective chiplets. Using our criteria, we then evaluate the resource overhead in terms of the average number of fabricated physical qubits per logical qubit. We find that an optimal choice of chiplet size, based on the defect rate and target fidelity, is essential to limiting any additional error correction overhead due to defects. When the optimal chiplet size is chosen, at a defect rate of 1% the resource overhead can be reduced to below 3X and 6X respectively for the two defect models we use, for a wide range of target performance. We also determine cutoff fidelity values that help identify whether a qubit should be disabled or kept as part of the error correction code.

Quantum Physics

Harashta Tatimma Larasati,Howon Kim

2023-06-13

Abstract:In the past years, research on Shor's algorithm for solving elliptic curves for discrete logarithm problems (Shor's ECDLP), the basis for cracking elliptic curve-based cryptosystems (ECC), has started to garner more significant interest. To achieve this, most works focus on quantum point addition subroutines to realize the double scalar multiplication circuit, an essential part of Shor's ECDLP, whereas the point doubling subroutines are often overlooked. In this paper, we investigate the quantum point doubling circuit for the stricter assumption of Shor's algorithm when doubling a point should also be taken into consideration. In particular, we analyze the challenges on implementing the circuit and provide the solution. Subsequently, we design and optimize the corresponding quantum circuit, and analyze the high-level quantum resource cost of the circuit. Additionally, we discuss the implications of our findings, including the concerns for its integration with point addition for a complete double scalar multiplication circuit and the potential opportunities resulting from its implementation. Our work lays the foundation for further evaluation of Shor's ECDLP.

Quantum Physics,Cryptography and Security

Enrique Martin-Lopez,Anthony Laing,Thomas Lawson,Roberto Alvarez,Xiao-Qi Zhou,Jeremy L. O'Brien

DOI: https://doi.org/10.1038/nphoton.2012.259

2012-10-24

Abstract:Quantum computational algorithms exploit quantum mechanics to solve problems exponentially faster than the best classical algorithms. Shor's quantum algorithm for fast number factoring is a key example and the prime motivator in the international effort to realise a quantum computer. However, due to the substantial resource requirement, to date, there have been only four small-scale demonstrations. Here we address this resource demand and demonstrate a scalable version of Shor's algorithm in which the n qubit control register is replaced by a single qubit that is recycled n times: the total number of qubits is one third of that required in the standard protocol. Encoding the work register in higher-dimensional states, we implement a two-photon compiled algorithm to factor N=21. The algorithmic output is distinguishable from noise, in contrast to previous demonstrations. These results point to larger-scale implementations of Shor's algorithm by harnessing scalable resource reductions applicable to all physical architectures.

Quantum Physics

Hyeonhak Kim,Seokhie Hong

2023-03-12

Abstract:In previous research, quantum resources were concretely estimated for solving Elliptic Curve Discrete Logarithm Problem(ECDLP). In [1], the quantum algorithm was optimized for the binary elliptic curves and the main optimization target was the number of the logical qubits. The division algorithm was mainly optimized in [1] since every ancillary qubit is used in the division algorithm. In this paper, we suggest a new quantum division algorithm on the binary field which uses a smaller number of qubits. For elements in a field of $2^n$, we can save $\lceil n/2 \rceil - 1$ qubits instead of using $8n^2+4n-12+(16n-8)\lfloor\log(n)\rfloor$ more Toffoli gates, which leads to a more space-efficient quantum algorithm for binary elliptic curves.

Quantum Physics,Cryptography and Security

Stephen C. Wein,Timothée Goubault de Brugière,Luka Music,Pascale Senellart,Boris Bourdoncle,Shane Mansfield

2024-12-12

Abstract:We present three schemes for constructing a (2,2)-Shor-encoded 6-ring photonic resource state for fusion-based quantum computing, each relying on a different type of photon source. We benchmark these architectures by analyzing their ability to achieve the best-known loss tolerance threshold for fusion-based quantum computation using the target resource state. More precisely, we estimate their minimum hardware requirements for fault-tolerant quantum computation in terms of the number of photon sources to achieve on-demand generation of resource states with a desired generation period. Notably, we find that a group of 12 deterministic single-photon sources containing a single matter qubit degree of freedom can produce the target resource state near-deterministically by exploiting entangling gates that are repeated until success. The approach is fully modular, eliminates the need for lossy large-scale multiplexing, and reduces the overhead for resource-state generation by several orders of magnitude compared to architectures using heralded single-photon sources and probabilistic linear-optical entangling gates. Our work shows that the use of deterministic single-photon sources embedding a qubit substantially shortens the path toward fault-tolerant photonic quantum computation.

Quantum Physics