Cryptology ePrint Archive: Report 2016/1128

Modifying Shor’s algorithm to compute short discrete logarithms

Martin Ekerå

Abstract: We revisit Shor's algorithm for computing discrete logarithms in the multiplicative group of GF(p) on a quantum computer and modify it to compute logarithms d in groups <g> of prime order q in the special case where d <<< q. As a stepping stone to performing this modification, we first introduce a modified algorithm for computing logarithms on the general interval 0 < d < q for comparison.

We demonstrate conservative lower bounds on the success probability of our algorithms in both the general and the special case. In both cases, our algorithms initially set the index registers to a uniform superposition of all states, compared to p-1 states in Shor's original algorithm.

In the special case where d <<< q, our algorithm uses 3 ceil(log d) qubits for the two index registers and computes two QFTs of size 2^(ceil(log d)) and 2^(2 ceil(log d)), compared to 2 floor(log q) qubits for the index registers and two QFTs both of size 2^(floor(log q)) in the general case.

A quantum circuit for computing [a - bd] g is furthermore required, where 0 <= a < 2^(2 ceil(log d)) and 0 <= b < 2^(ceil(log d)) in the special case, compared to 0 <= a, b < 2^(floor(log q)) in the general case.

This implies that the complexity of computing discrete logarithms on a quantum computer can be made to depend not only on the choice of group, and on its order q, but also on the logarithm d.

In the special case where d <<< q, our algorithm does not require q to be prime. It may hence be generalized to finite abelian groups.

Category / Keywords: quantum cryptography, discrete logarithm problem, domain parameters, key exchange, elliptic curve cryptosystem, Shor's algorithm, Diffie-Hellman

Date: received 1 Dec 2016, last revised 6 Dec 2016

Contact author: ekera at kth se

Available format(s): PDF | BibTeX Citation

Note: The introduction has been updated, two minor typos have been corrected, further references have been added, and we note explicitly that the algorithm may be generalized to finite abelian groups.

Version: 20161207:165814 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]