Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Extending Regev's factoring algorithm to compute discrete logarithms

Martin Ekerå, Joel Gärtner

TL;DR

The paper broadens Regev's $d$-dimensional quantum factoring framework to compute discrete logarithms in $\,\mathbb{Z}_p^*$ and explores extensions to order finding and complete factorization via order finding. It introduces a lattice-based post-processing pipeline, augmented by a mix of small and arbitrary group elements, to enable efficient classical recovery of logarithms from quantum samples. It analyzes determinants, generator choices, and pre-processing strategies, and provides detailed cost models and practical considerations, including error-correction robustness and resource trade-offs between circuit size, space, and success probability. The results offer a path to quantum advantages in discrete-log computations within cryptographic groups, while highlighting the dependence on assumptions about short bases and lattice properties for the relevant generators. Overall, the work emphasizes the nuanced balance between asymptotic gains and concrete, implementation-level constraints in quantum cryptanalytic algorithms.

Abstract

Regev recently introduced a quantum factoring algorithm that may be perceived as a $d$-dimensional variation of Shor's factoring algorithm. In this work, we extend Regev's factoring algorithm to an algorithm for computing discrete logarithms in a natural way. Furthermore, we discuss natural extensions of Regev's factoring algorithm to order finding, and to factoring completely via order finding. For all of these algorithms, we discuss various practical implementation considerations, including in particular the robustness of the post-processing.

Extending Regev's factoring algorithm to compute discrete logarithms

TL;DR

The paper broadens Regev's -dimensional quantum factoring framework to compute discrete logarithms in and explores extensions to order finding and complete factorization via order finding. It introduces a lattice-based post-processing pipeline, augmented by a mix of small and arbitrary group elements, to enable efficient classical recovery of logarithms from quantum samples. It analyzes determinants, generator choices, and pre-processing strategies, and provides detailed cost models and practical considerations, including error-correction robustness and resource trade-offs between circuit size, space, and success probability. The results offer a path to quantum advantages in discrete-log computations within cryptographic groups, while highlighting the dependence on assumptions about short bases and lattice properties for the relevant generators. Overall, the work emphasizes the nuanced balance between asymptotic gains and concrete, implementation-level constraints in quantum cryptanalytic algorithms.

Abstract

Regev recently introduced a quantum factoring algorithm that may be perceived as a -dimensional variation of Shor's factoring algorithm. In this work, we extend Regev's factoring algorithm to an algorithm for computing discrete logarithms in a natural way. Furthermore, we discuss natural extensions of Regev's factoring algorithm to order finding, and to factoring completely via order finding. For all of these algorithms, we discuss various practical implementation considerations, including in particular the robustness of the post-processing.
Paper Structure (31 sections, 9 theorems, 57 equations)

This paper contains 31 sections, 9 theorems, 57 equations.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Recalling Regev's factoring algorithm
  4. Recalling and adapting Regev's classical post-processing
  5. Recalling Regev's quantum algorithm
  6. Extending Regev's quantum algorithm
  7. Notes on lattice determinants
  8. Notes on the choice of small generators
  9. Computing discrete logarithms
  10. A basic algorithm that requires pre-computation
  11. Notes on safe-prime groups and Schnorr groups
  12. Notes on other options for the pre-computation
  13. Integrating the pre-computation into the algorithm
  14. Notes on reducing the circuit size by pre-computation
  15. Notes on computing multiple logarithms simultaneously
  16. ...and 16 more sections

Key Result

Lemma 1

Let $\mathcal{L} \subset \mathbb Z^d$ and $m \ge d + 4$. Let $\bm{v}_1, \ldots, \bm{v}_m$ be uniformly chosen cosets from $\mathcal{L}^* / \mathbb Z^d$. For some $\delta > 0$, let $\bm{w}_1, \ldots, \bm{w}_m \in [0,1)^d$ be such that ${\mathop{\mathrm{dist}}\nolimits}_{\mathbb R^d/\mathbb Z^d}(\bm{w Then, for any $\bm{u} \in \mathcal{L}$, there exists a vector $\bm{u}' \in \mathcal{L}'$ whose firs

Theorems & Definitions (18)

  • Claim 1: Claim 5.1 from regev23
  • Lemma 1: Lemma 4.4 from regev23
  • Lemma 2: Lemma derived from Theorem 1.1 in regev23
  • proof
  • Lemma 3: Extended quantum algorithm based on regev23rv23
  • proof
  • Lemma 4
  • proof
  • Lemma 5
  • proof
  • ...and 8 more