On the success probability of the quantum algorithm for the short DLP

Martin Ekerå

TL;DR

The paper provides a formal, rigorous bound on the single-run success probability of Ekerå–Håstad's quantum algorithm for the short discrete logarithm in unknown-order groups, showing it can reach $1 - 10^{-10}$ with a practical classical post-processing step. It achieves this via a lattice-based approach to post-processing, introducing a $\tau$-good pair and a balanced two-dimensional lattice $\mathcal{L}^\tau(j)$, and leveraging a meet-in-the-middle enumeration to bound the cost by $O(\sqrt{N})$ group operations with $N = 2^{\Delta+\tau+1} + 2^{\tau+t+2} + 2$. The main contributions are probabilistic bounds for observing $\tau$-good pairs, $t$-balanced lattices, and an explicit upper bound on enumeration, which together guarantee a polynomial-time post-processing that scales well with the bit-length $m$ of the short exponent. The results apply to Diffie–Hellman in safe-prime groups with short exponents and to RSA via reductions to short DLP, enabling tighter practical security assessments for quantum attacks and offering concrete quantum-classical tradeoffs for implementation.

Abstract

Ekerå and Håstad have introduced a variation of Shor's algorithm for the discrete logarithm problem (DLP). Unlike Shor's original algorithm, Ekerå-Håstad's algorithm solves the short DLP in groups of unknown order. In this work, we prove a lower bound on the probability of Ekerå-Håstad's algorithm recovering the short logarithm $d$ in a single run. By our bound, the success probability can easily be pushed as high as $1 - 10^{-10}$ for any short $d$. A key to achieving such a high success probability is to efficiently perform a limited search in the classical post-processing by leveraging meet-in-the-middle techniques. Asymptotically, in the limit as the bit length $m$ of $d$ tends to infinity, the success probability tends to one if the limits on the search space are parameterized in $m$. Our results are directly applicable to Diffie-Hellman in safe-prime groups with short exponents, and to RSA via a reduction from the RSA integer factoring problem (IFP) to the short DLP.


Paper Structure

This paper contains 27 sections, 6 theorems, 43 equations, 2 figures, 4 tables.

Key Result

Lemma 1

For any given $j$, the probability of observing $k$ such that $(j, k)$ is $\tau$-good is at least for $\tau \in [0, \ell] \cap \mathbb Z$, and for $\psi'$ the trigamma function.

Figures (2)

  • Figure 1: A quantum circuit for inducing the state in Eq. \ref{eq:superposition} and measuring the two control registers, yielding $j$ and $k$, respectively. In this figure, $a = \sum_{i=0}^{m+\ell-1} 2^i a_i$ and $b = \sum_{i=0}^{\ell-1} 2^i b_i$ where $a_i, b_i \in \{0, 1\}$; see Sect. \ref{sect:quantum-algorithm-implementation}. The operations at the bottom are compositions under the group operation by classically pre-computed constant group elements. The bottom work register must be of sufficient length $\nu$ to store a superposition of group elements and to perform the required group operations reversibly.
  • Figure 2: A quantum circuit, equivalent to that in Fig. \ref{fig:basic-circuit}, for inducing the state in Eq. \ref{eq:superposition} and measuring the control registers, yielding $j$ and $k$, respectively. Simply shifting the QFT and measurements left in the first control register, and the initialization right in the second control register, in the circuit in Fig. \ref{fig:basic-circuit} yields this equivalent circuit. It first computes $j$ and then computes $k$ given $j$.

Theorems & Definitions (29)

  • Definition 1
  • Definition 2
  • Lemma 1 (with proof)
  • Claim 1, from [ekera-success] (with proof)
  • Claim 2 (with proof)
  • Claim 3, from [ekera-success] via Nemes [nemes] (with proof)
  • 19 further entries not listed here