Simulation of Shor algorithm for discrete logarithm problems with comprehensive pairs of modulo p and order q

Kaito Kishi, Junpei Yamaguchi, Tetsuya Izu, Noboru Kunihiro

TL;DR

This paper tackles the quantum security implications of the discrete logarithm problem by constructing and simulating Shor’s algorithm circuits for all pairs $(p,q)$ up to 32 qubits, enabling empirical evaluation of success probabilities and the waveform of the algorithm’s performance. It confirms Ekerå’s heuristic predictions that the success probability varies periodically with $q$ and provides a detailed waveform, including local minima near powers of two and maxima nearby, across 1,860 combinations. The authors extrapolate their 32-qubit results to the 2048-bit regime using two adder strategies (Q-ADD and R-ADD) and analyze resource requirements, showing that Schnorr groups under quantum attack are effectively weaker than safe-prime groups by about a factor of two in bit-length for $p$. Collectively, the work offers concrete quantum-resource estimates and substantiates a fundamental shift in the relative security of Schnorr versus safe-prime groups under Shor’s algorithm, with practical implications for cryptographic parameter choices and future fault-tolerant implementations.

Abstract

The discrete logarithm problem (DLP) over finite fields, commonly used in classical cryptography, has no known polynomial-time algorithm on classical computers. However, Shor provided a polynomial-time algorithm for it on quantum computers. Nevertheless, there are only a few examples of simulating quantum circuits that operate on general pairs of modulo $p$ and order $q$. In this paper, we constructed such quantum circuits and solved DLPs for all 1,860 possible pairs of $p$ and $q$ up to 32 qubits using a quantum simulator with PRIMEHPC FX700. From this, we obtained and verified values of the success probabilities, which had previously been heuristically analyzed by Ekerå. As a result, the detailed waveform shape of the success probability of Shor's algorithm for solving the DLP, known as a periodic function of order $q$, was clarified. Additionally, we generated 1,015 quantum circuits for larger pairs of $p$ and $q$, extrapolated the circuit sizes obtained, and compared them for $p=2048$ bits between safe-prime groups and Schnorr groups. While in classical cryptography, the cipher strength of safe-prime groups and Schnorr groups is the same if $p$ is equal, we quantitatively demonstrated how much the strength of the latter decreases to the bit length of $p$ in the former when using Shor's quantum algorithm. In particular, it was experimentally and theoretically shown that when a ripple carry adder is used in the addition circuit, the cryptographic strength of a Schnorr group with $p=2048$ bits under Shor's algorithm is almost equivalent to that of a safe-prime group with $p=1024$ bits.

Paper Structure

This paper contains 16 sections, 2 theorems, 42 equations, 12 figures, 8 tables.

Key Result

Theorem 1

When $U\geq M$, the total time required for the circuit is minimized by and the minimum number of control qubits to achieve this is 2.

Figures (12)

  • Figure 1: Quantum circuit for solving the DLP using Shor's algorithm. Let $R_j=\begin{pmatrix}1&0\\0&\exp(-2\pi i/2^j)\end{pmatrix}$. The first part of the circuit on the top is for modular exponentiation, and the second part of the circuit on the bottom is for the inverse quantum Fourier transform.
  • Figure 2: Quantum circuit for solving the DLP using Shor's algorithm when the number of qubits in the control registers is set to 1 by employing the semi-classical inverse quantum Fourier transform. Let $S_j=\begin{pmatrix}1&0\\0&\exp(-2\pi i\sum_{l=2}^{j} m_{j-l}/2^l)\end{pmatrix}$ and $S_j'=\begin{pmatrix}1&0\\0&\exp(-2\pi i\sum_{l=2}^{j} m_{j-l}'/2^l)\end{pmatrix}$.
  • Figure 3: Quantum circuit for solving the DLP using Shor's algorithm when the number of qubits in the control registers is set to 2 by employing the semi-classical inverse quantum Fourier transform and reducing the time depth of the quantum circuit. The parts enclosed by dashed lines can be executed in parallel.
  • Figure 4: Box plot showing the change in success probability with the size of $q$.
  • Figure 5: Box plot showing the change in success probability with the size of $p$.
  • ...and 7 more figures

Theorems & Definitions (5)

  • Theorem 1
  • proof
  • Theorem 2
  • proof
  • Definition 1: Maximization problem of gate count with fixed qubit number