
Quantum Complexity for Discrete Logarithms and Related Problems

Minki Hhan, Takashi Yamakawa, Aaram Yun

TL;DR

This paper establishes a generic model of quantum computation for group-theoretic problems, in which Shor's algorithm can be described, and introduces a model for generic hybrid quantum-classical algorithms, in which variations of Shor's algorithm are shown to be almost optimal.

Abstract

This paper studies the quantum computational complexity of the discrete logarithm (DL) and related group-theoretic problems in the context of generic algorithms -- that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model. Shor's algorithm for the DL problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and almost matching algorithms of the DL and related problems in this model. More precisely, we prove the following results for a cyclic group $G$ of prime order.

  • Any generic quantum DL algorithm must make $\Omega(\log |G|)$ depth of group operations. This shows that Shor's algorithm is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms.
  • We observe that variations of Shor's algorithm can take advantage of classical computations to reduce the number of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms and show that these algorithms are almost optimal in this model. Any generic hybrid algorithm for the DL problem with a total number of group operations $Q$ must make $\Omega(\log |G|/\log Q)$ quantum group operations of depth $\Omega(\log\log |G| - \log\log Q)$.
  • When the quantum memory can only store $t$ group elements and use quantum random access memory of $r$ group elements, any generic hybrid algorithm must make either $\Omega(\sqrt{|G|})$ group operations in total or $\Omega(\log |G|/\log (tr))$ quantum group operations.

As a side contribution, we show a multiple DL problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol.

Paper Structure

This paper contains 73 sections, 21 theorems, 48 equations, 3 figures.

Key Result

Theorem 1.1

For a prime-order cyclic group $\mathcal{G}$, any generic quantum algorithm solving the discrete logarithm problem over $\mathcal{G}$ must make $\Omega(\log {|\mathcal{G}|})$ group operation queries.

Figures (3)

  • Figure 1: The classical group operation $O^C_{\mathbf{Q,T}}$: The single-line wires stand for quantum wires, while the double-line wires are for classical wires. $\mathbf T_i, \mathbf T_j$ denote the $i$-th and $j$-th entries of $\mathbf T$. We assume that the measurement outcome of $\mathbf Q$ indicates the $i$-th and $j$-th entries in this diagram. Recall that $O_{\mathbf{Q,T}}$ is a group operation query.
  • Figure 2: The behavior of the quantum subroutine: $O_1,\ldots,O_q$ denote unitary operations that each include a single quantum group operation, and $C_0,\ldots,C_{q-1}$ denote quantum algorithms that may include multiple classical group operations but no quantum group operations. $V$ denotes an arbitrary quantum algorithm. All registers are measured after $O_q$ in the computational basis.
  • Figure 3: The generic hybrid algorithm with $T$ invocations of quantum subroutines: $U_1,\ldots,U_T$ are quantum subroutines and include the measurement at the end. $A_{T+1}$ is a generic algorithm with classical group operations. $V$ denotes an arbitrary quantum algorithm.

Theorems & Definitions (39)

  • Theorem 1.1
  • Theorem 1.2
  • Theorem 1.3
  • Theorem 1.4
  • Remark 1
  • Remark 2
  • Theorem 3.1: GGM lower bound of DL/CDH/DDH [Mau05, Shoup97]
  • Theorem 3.2: GGM lower bound of MDL [Yun15]
  • Remark 3
  • Theorem 4.1
  • ...and 29 more