A high-level comparison of state-of-the-art quantum algorithms for breaking asymmetric cryptography
Martin Ekerå, Joel Gärtner
TL;DR
The paper provides a coarse, high-level cost analysis comparing Regev’s $d$-dimensional quantum factoring approach and its extensions against established Shor-based algorithms, incorporating space-saving (Ragavan–Vaikuntanathan) and windowing optimizations. By modeling cost as the number of large modular multiplications per run and the number of runs required, the authors assess RSA factoring and discrete logarithm problems across a range of bit-lengths, with $n\in\{2048,3072,4096,6144,8192\}$, and find that Regev-based methods do not deliver an overall practical advantage for cryptographically relevant sizes, even under optimistic assumptions. While per-run improvements can occur with deeper lattice reduction (e.g., BKZ-200) or generalized Fibonacci optimizations, they are typically offset by the need for more runs or more memory, leaving the existing Shor-based variants superior in total cost. For general DLP in safe-prime groups, EGR may have a per-run edge asymptotically, but short DLP and Schnorr-group cases favor ES/EHS, particularly when windowing is effective. Overall, the study highlights the need for further optimizations before Regev’s approach can compete with established quantum attacks on practical cryptosystems.
Abstract
We provide a high-level cost comparison between Regev's quantum algorithm with Ekerå-Gärtner's extensions on the one hand, and existing state-of-the-art quantum algorithms for factoring and computing discrete logarithms on the other. We do so when targeting cryptographically relevant problem instances, and when accounting for the space-saving optimizations of Ragavan and Vaikuntanathan that apply to Regev's algorithm, and optimizations such as windowing that apply to the existing algorithms. Our conclusion is that Regev's algorithm without the space-saving optimizations may achieve a per-run advantage, but not an overall advantage, if non-computational quantum memory is cheap. Regev's algorithm with the space-saving optimizations does not achieve an advantage, since it uses more computational memory, whilst also performing more work, per run and overall, compared to the existing state-of-the-art algorithms. As such, further optimizations are required for it to achieve an advantage for cryptographically relevant problem instances.
