Abstract

This paper analyzes and optimizes quantum circuits for computing discrete logarithms on binary elliptic curves, including reversible circuits for fixed-base-point scalar multiplication and the full stack of relevant subroutines. The main optimization target is the size of the quantum computer, i.e., the number of logical qubits required, as this appears to be the main obstacle to implementing Shor’s polynomial-time discrete-logarithm algorithm. The secondary optimization target is the number of logical Toffoli gates. For an elliptic curve over a field of $2^n$ elements, this paper reduces the number of qubits to $7n + \lfloor \log_2(n) \rfloor + 9$. At the same time this paper reduces the number of Toffoli gates to $48n^3 + 8n^{\log_2(3)+1} + 352n^2 \log_2(n) + 512n^2 + O(n^{\log_2(3)})$ with double-and-add scalar multiplication, and a logarithmic factor smaller with fixed-window scalar multiplication. The number of CNOT gates is also $O(n^3)$. Exact gate counts are given for various sizes of elliptic curves currently used for cryptography.

Highlights

  • Current cryptographic systems used on the Internet rely on the Diffie-Hellman key exchange, a way to create shared secret keys over a public channel

  • The number of years left for RSA and elliptic-curve cryptography (ECC) depends on advances in building quantum computers, on advances in optimizing Shor’s algorithm, and on the selected key sizes

  • Overheads in quantum elliptic-curve arithmetic make Shor’s algorithm more challenging to optimize for ECC, but, as pre-quantum security levels increase, RSA chooses relatively large key sizes to protect against subexponential-time non-quantum factorization attacks


Summary

Introduction

Current cryptographic systems used on the Internet rely on the Diffie-Hellman key exchange, a way to create shared secret keys over a public channel. All authors would like to thank the Simons Institute for the Theory of Computing for hospitality. Optimizing quantum algorithms for concrete cryptanalysis has a lot in common with hardware design. Reversible circuits are composed of a fixed set of reversible gates – NOT, CNOT, and Toffoli – which match the functionality of NOT, XOR, and AND with the extra condition that they return enough of the inputs to make the operations reversible. This creates an additional challenge for space-efficient algorithms, as trivial applications of the gate translation would amass a lot of qubits.
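To make the gate model concrete, the following added example (not code from the paper) simulates on classical bits a schoolbook reversible multiplier in a binary field, built only from CNOT and Toffoli gates. The toy field GF(2^8) with modulus 0x11B, the wire layout and all function names are assumptions chosen for illustration; the circuit uses 3n wires and n^2 Toffoli gates and is not one of the paper's optimized circuits.

```python
# Added illustration: classical simulation of a reversible circuit (not the paper's circuit).
def mul_circuit(n, modulus):
    """Gate list computing out ^= a*b in GF(2)[x]/(modulus) on 3n wires.

    Wires 0..n-1 hold a, n..2n-1 hold b, 2n..3n-1 hold out (bit i = coefficient of x^i).
    Assumes the modulus has degree n and constant term 1.
    Returns (gates, out_wires); out_wires[i] is the wire holding coefficient i of
    the result, because multiplication by x is done by relabelling wires.
    """
    a = list(range(n))
    b = list(range(n, 2 * n))
    out = list(range(2 * n, 3 * n))
    gates = []
    for i in reversed(range(n)):          # Horner: out = out*x + a_i*b
        out = [out[-1]] + out[:-1]        # shift up; old top coefficient wraps to x^0
        for k in range(1, n):             # reduce x^n with the modulus' low terms
            if (modulus >> k) & 1:
                gates.append(("CNOT", out[0], out[k]))
        for j in range(n):                # out_j ^= a_i AND b_j; both inputs are kept
            gates.append(("TOF", a[i], b[j], out[j]))
    return gates, out

def run(gates, bits):
    """Apply CNOT (XOR) and Toffoli (AND into target) gates to a list of bits."""
    bits = list(bits)
    for g in gates:
        if g[0] == "CNOT":
            bits[g[2]] ^= bits[g[1]]
        else:
            bits[g[3]] ^= bits[g[1]] & bits[g[2]]
    return bits

def multiply(x, y, n=8, modulus=0x11B):
    """Return (product, inputs_restored_by_reversed_circuit, toffoli_count)."""
    gates, out = mul_circuit(n, modulus)
    start = ([(x >> i) & 1 for i in range(n)]
             + [(y >> i) & 1 for i in range(n)] + [0] * n)
    end = run(gates, start)
    product = sum(end[w] << i for i, w in enumerate(out))
    restored = run(gates[::-1], end) == start   # every gate is its own inverse
    toffolis = sum(g[0] == "TOF" for g in gates)
    return product, restored, toffolis
```

The output register here is a third set of n wires that must start at zero, which is the kind of extra space the summary refers to when it says a direct gate translation amasses qubits.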

When will RSA and ECC be broken?
Contributions of this paper
Organization of the paper
Binary elliptic curves
Elliptic curve Diffie-Hellman
Qubits
Quantum Gates
Quantum Algorithms
Efficiency
Shor’s algorithm
Addition and binary shift
Multiplication
Squaring
Squaring and replacing the input
Squaring and storing the result separately
Inversion and division in binary finite fields
Inversion using extended GCD
Result
Inversion using FLT
Comparison of the two division algorithms
Reversible point addition
Addition of points in special cases
Point addition using windowing
Quantum random access memory
New special cases
Window size
Results
Comparison to other gcd-based inversion algorithms
Comparison to prime-field point-addition algorithms
Comparison to previous binary-field point-addition algorithms
Conclusion