Brace for impact: ECDLP challenges for quantum cryptanalysis

Pierre-Luc Dallaire-Demers, William Doyle, Timothy Foo

Abstract

Precise suites of benchmarks are required to assess the progress of early fault-tolerant quantum computers at economically impactful applications such as cryptanalysis. Appropriate challenges exist for factoring but those for elliptic curve cryptography are either too sparse or inadequate for standard applications of Shor's algorithm. We introduce a difficulty-graded suite of elliptic curve discrete logarithm (ECDLP) challenges that use Bitcoin's curve $y^{2}=x^{3}+7 \bmod p$ while incrementally lowering the prime field from 256 down to 6 bits. For each bit-length, we provide the prime, the prime group order, and two deterministic nothing-up-my-sleeve (NUMS) points in compressed SEC1 form. All challenges are generated by a deterministic, reproducible procedure, and no private challenge scalar is chosen in advance. We calibrate classical cost against Pollard's rho records and quantum cost against resource estimation results for Shor's algorithm. We compile Shor's ECDLP circuit to logical counts and map them to physical resources for various parameters of the surface code, the repetition cat code and the LDPC cat codes. Under explicit and testable assumptions on physical error rates, code distances, and non-Clifford supply, our scenarios place the full 256-bit instance within a 2027--2033 window. The challenge ladder thus offers a transparent ruler to track fault-tolerant progress on a cryptanalytic target of immediate relevance, and it motivates proactive migration of digital assets to post-quantum signatures.
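To make the shape of one rung concrete, here is an added example (not code or data from the paper) that checks a prime, a prime group order and two compressed SEC1 points on $y^{2}=x^{3}+7$, then recovers the scalar classically at toy size. The values `p = 43`, `n = 31` and both points are constructed for illustration and are not produced by the paper's generation procedure; the decompression assumes `p % 4 == 3`, and baby-step giant-step stands in for Pollard's rho (same square-root scaling in the group order).

```python
from math import isqrt
B = 7  # curve constant from the abstract: y^2 = x^3 + 7 mod p
P_TOY, N_TOY, SEC1_P, SEC1_Q = 43, 31, bytes([2, 2]), bytes([2, 13])  # constructed toy rung

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def add(P, Q, p):  # affine addition; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P, p):  # double-and-add scalar multiplication
    R = None
    while k:
        R, P, k = (add(R, P, p) if k & 1 else R), add(P, P, p), k >> 1
    return R

def curve_order(p):  # naive point count, usable only at toy sizes
    squares = {y * y % p for y in range(1, p)}
    rhs = ((x**3 + B) % p for x in range(p))
    return 1 + sum(1 if r == 0 else 2 * (r in squares) for r in rhs)

def decompress(sec1, p):  # 02/03 parity prefix + big-endian x; assumes p % 4 == 3
    prefix, x = sec1[0], int.from_bytes(sec1[1:], "big")
    r = (x**3 + B) % p
    y = pow(r, (p + 1) // 4, p)
    if prefix not in (2, 3) or x >= p or y * y % p != r:
        raise ValueError("not a valid compressed point on the curve")
    return x, y if y % 2 == prefix % 2 else p - y

def bsgs(P, Q, n, p):  # baby-step giant-step: d with Q = dP in about 2*sqrt(n) group ops
    m, baby, R = isqrt(n) + 1, {}, None
    for j in range(m):
        baby[R], R = j, add(R, P, p)  # stores jP -> j, then advances R to (j+1)P
    G, step = Q, mul(n - m, P, p)     # step = -mP because nP is the point at infinity
    for i in range(m):
        if G in baby:
            return (i * m + baby[G]) % n
        G = add(G, step, p)

def verify_rung(p, n, sec1_p, sec1_q):  # validate the published parameters, then solve
    P, Q = decompress(sec1_p, p), decompress(sec1_q, p)
    ok = is_prime(p) and is_prime(n) and curve_order(p) == n and mul(n, P, p) is None
    return ok, bsgs(P, Q, n, p)
```

Calling `verify_rung(P_TOY, N_TOY, SEC1_P, SEC1_Q)` returns whether the parameters are consistent together with the recovered scalar; the naive point count and the lookup table are what stop scaling well before cryptographic sizes.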

Paper Structure

This paper contains 19 sections, 18 equations, 6 figures, 11 tables, 3 algorithms.

Figures (6)

  • Figure 1: Real locus of $y^{2}=x^{3}+7$. The plot is for geometric intuition only and does not reflect arithmetic over $\mathbb{F}_{p}$.
  • Figure 2: Representative FTQC applications in logical-width/Toffoli-count space. Filled markers denote achieved demonstrations; open markers denote published resource estimates. The plot is intended as an orienting map rather than a complete survey.
  • Figure 3: Classical ECDLP challenges. Prime-field records cluster near 112--113 bits; interval-restricted secp256k1 results have advanced to 129 bits on GPU clusters.
  • Figure 4: Number of classical operations and approximate runtime under a fixed single-core normalization for the ECDLP challenges using Pollard's rho; large GPU deployments shift the curve downward roughly in proportion to aggregate throughput but do not alter the $\Theta(2^{b/2})$ slope.
  • Figure 5: Logical and physical resources to break $k$-bit ECDLP with Shor's algorithm. Left: logical width vs. Toffoli count from Haner2020 following various optimization procedures. Low width (squares), low T-gate count (triangles), and low depth (circles). Right: repetition-cat (circles) and LDPC-cat (squares) resource estimates from Gouzien2024_elliptic_log_cat; triangles, diamonds, and stars show the conservative and aggressive surface-code baselines. Color encodes the bit-size $k$.
  • ...and 1 more figures