Quantum algorithm for solving hyperelliptic curve discrete logarithm problem

Abstract

The discrete logarithm problem (DLP) plays an important role in modern cryptography since it cannot be efficiently solved on a classical computer. Currently, the DLP based on the hyperelliptic curve of genus 2 (HCDLP) is widely used in industry and also a research field of hot interest. At the same time, quantum computing, a new paradigm for computing based on quantum mechanics, provides the ability to solve certain hard problems that cannot be efficiently solved on classical computers. In this paper, we consider the problem of solving the HCDLP in the paradigm of quantum computing. We propose a quantum algorithm for solving the HCDLP by applying the framework of quantum algorithm designed by Shor. The key of the algorithm is the realization of divisor addition. We solve the key problem and get analytical results for divisor addition by geometric meaning of the group addition. Therefore, the procedure can be efficiently realized on a quantum computer using the basic modular arithmetic operations. Finally, we conclude that the HCDLP defined over an n-bit prime field $$\mathbb {F}_{p}$$ can be computed on a quantum computer with at most $$13n+2\lfloor \log _{2}n\rfloor +10$$ qubits using $$2624n^{3} \log _{2}n-2209.2n^{3} + 1792n^{2} \log _{2}n-3012.8n^{2}$$ Toffoli gates. For current parameters at comparable classical security levels, there are fewer qubits and Toffoli gates to solve the HCDLP than the ones to solve the DLP based on elliptic curves.