We demonstrate conservative lower bounds on the success probability of our algorithms in both the general and the special case. In both cases, our algorithms initially set the index registers to a uniform superposition of all states, compared to p-1 states in Shor's original algorithm.
In the special case where d <<< q, our algorithm uses 3 ceil(log d) qubits for the two index registers and computes two QFTs of size 2^(ceil(log d)) and 2^(2 ceil(log d)), compared to 2 floor(log q) qubits for the index registers and two QFTs both of size 2^(floor(log q)) in the general case.
A quantum circuit for computing [a - bd] g is furthermore required, where 0 <= a < 2^(2 ceil(log d)) and 0 <= b < 2^(ceil(log d)) in the special case, compared to 0 <= a, b < 2^(floor(log q)) in the general case.
This implies that the complexity of computing discrete logarithms on a quantum computer can be made to depend not only on the choice of group, and on its order q, but also on the logarithm d.
In the special case where d <<< q, our algorithm does not require q to be prime. It may hence be generalized to finite abelian groups.Category / Keywords: quantum cryptography, discrete logarithm problem, domain parameters, key exchange, elliptic curve cryptosystem, Shor's algorithm, Diffie-Hellman Date: received 1 Dec 2016, last revised 6 Dec 2016 Contact author: ekera at kth se Available format(s): PDF | BibTeX Citation Note: The introduction has been updated, two minor typos have been corrected, further references have been added, and we note explicitly that the algorithm may be generalized to finite abelian groups. Version: 20161207:165814 (All versions of this report) Short URL: ia.cr/2016/1128 Discussion forum: Show discussion | Start new discussion