Space-Efficient Quantum Algorithm for Elliptic Curve Discrete Logarithms with Resource Estimation

Han Luo, Ziyi Yang, Ziruo Wang, Yuexin Su, Tongyang Li

Abstract

Solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) is critical for evaluating the quantum security of widely deployed elliptic-curve cryptosystems. Consequently, minimizing the number of logical qubits required to execute this algorithm is a key objective. In implementations of Shor's algorithm for the ECDLP, the space complexity is largely dictated by the modular inversion operation during point addition. Starting from the extended Euclidean algorithm (EEA), we refine the register-sharing method of Proos and Zalka and propose a space-efficient reversible modular inversion algorithm. We use length registers together with location-controlled arithmetic to store the intermediate variables in a compact form throughout the computation. We then optimize the stepwise update rules and give concrete circuit constructions for the resulting controlled arithmetic components. This leads to a modular inversion circuit that uses $3n + 4\lfloor \log_2 n \rfloor + O(1)$ logical qubits and $204n^2\log_2 n + O(n^2)$ Toffoli gates. By inserting this modular inversion component into the controlled affine point-addition circuit, we obtain a space-efficient algorithm for the ECDLP with $5n + 4\lfloor \log_2 n \rfloor + O(1)$ qubits and $O(n^3)$ Toffoli gates. In particular, for a 256-bit prime-field curve, our estimate reduces the logical-qubit count to 1333, compared with 2124 in the previous low-width implementation of Häner et al.
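The following is an added example and not code from the paper: it shows the classical arithmetic that the reversible circuit has to implement, namely modular inversion by the extended Euclidean algorithm together with the quotient sequence $(q_1, \ldots, q_{j-1})$ it produces, affine point addition and scalar multiplication on a prime-field curve in which that inverse is the only non-linear step, and the classical worst case of the EEA on consecutive Fibonacci numbers (Lamé's bound), which is the classical counterpart of the Fibonacci quantity in Lemma A.1 rather than the lemma itself. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ and the point $(3, 6)$ are constructed toy values; the bookkeeping follows the textbook EEA, not the paper's register layout.

```python
"""Classical reference for the arithmetic the paper makes reversible.

Added example, not code from the paper. Curve, point and test values are
constructed toy inputs; the EEA bookkeeping is the textbook one.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None is the point at infinity


def eea_inverse(a: int, p: int) -> Tuple[int, List[int]]:
    """Return (a^-1 mod p, [q_1, ..., q_{j-1}]).

    Invariant: r_i == t_i * a (mod p) for every row, so when the remainder
    reaches 1 its coefficient is the inverse. The quotient sequence is the
    per-iteration data whose bit-lengths drive the width of the paper's
    space-efficient EEA circuit.
    """
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = p, a
    t0, t1 = 0, 1
    quotients: List[int] = []
    while r1 != 0:
        q, r = divmod(r0, r1)
        quotients.append(q)
        r0, r1 = r1, r
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("not invertible modulo p")
    return t0 % p, quotients


def division_steps(a: int, p: int) -> int:
    """Number of EEA division steps for the pair (p, a), gcd not required."""
    steps = 0
    while a:
        p, a = a, p % a
        steps += 1
    return steps


def worst_case_steps(bound: int) -> Tuple[int, Tuple[int, int]]:
    """Brute-force the slowest EEA input with 1 <= a < p <= bound."""
    best = (0, (0, 0))
    for p in range(2, bound + 1):
        for a in range(1, p):
            n = division_steps(a, p)
            if n > best[0]:
                best = (n, (a, p))
    return best


def fib(k: int) -> int:
    a, b = 0, 1
    for _ in range(k):
        a, b = b, a + b
    return a


@dataclass(frozen=True)
class Curve:
    p: int  # prime field modulus
    a: int  # y^2 = x^3 + a x + b
    b: int


def on_curve(c: Curve, P: Point) -> bool:
    if P is None:
        return True
    x, y = P
    return (y * y - (x ** 3 + c.a * x + c.b)) % c.p == 0


def add(c: Curve, P: Point, Q: Point) -> Point:
    """Affine point addition; the modular inverse is the costly step."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None  # P == -Q
    if P == Q:
        num, den = (3 * x1 * x1 + c.a) % c.p, (2 * y1) % c.p
    else:
        num, den = (y2 - y1) % c.p, (x2 - x1) % c.p
    lam = num * eea_inverse(den, c.p)[0] % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def mul(c: Curve, k: int, P: Point) -> Point:
    """Double-and-add scalar multiplication [k]P."""
    R: Point = None
    while k:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R


if __name__ == "__main__":
    print(eea_inverse(55, 89))          # consecutive Fibonacci numbers: all quotients 1 but the last
    print(worst_case_steps(100))        # slowest pair below 100 is (55, 89), 9 steps
    C = Curve(97, 2, 3)
    G = (3, 6)
    print([mul(C, k, G) for k in range(1, 6)])
```

Running the block with consecutive Fibonacci inputs shows the longest possible quotient sequence (every quotient is 1 except the final 2), which is why Fibonacci numbers appear in lower bounds on EEA quantities; the scalar-multiplication loop shows where the inverse sits inside each point addition.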

Paper Structure

This paper contains 37 sections, 1 theorem, 29 equations, 10 figures, 6 tables, 3 algorithms.

Key Result

Lemma A.1

Suppose that $N_j = \sum_{i=1}^{j-1} 4(b_i + 1)$ is fixed. Then, over all possible EEA iteration indices $j$ and all admissible quotient sequences $(q_1, \ldots, q_{j-1})$, we have $t_j \ge F_{N_j/4 + 1}$, and consequently,

Here, $\{F_k\}_{k\ge 0}$ denotes the Fibonacci sequence with $F_0 = 0$, $F_1 = 1$ and $F_{k+2} = F_{k+1} + F_k$ for all $k \ge 0$.

Figures (10)

  • Figure 1: Toffoli gate count and CNOT gate count for modular inversion in ECDLP.
  • Figure 2: The overall quantum circuit of Shor's algorithm for solving ECDLP using QFT. The qubits, from top to bottom, correspond to the exponent registers containing $k$ and $\ell$ in Equation \ref{eqn:shor} (ordered from lower-order bits to higher-order bits), and to the register that stores the elliptic curve point accumulator.
  • Figure 3: The overall quantum circuit of Shor’s algorithm for solving ECDLP using semiclassical QFT. The gates $R_{\theta_i}$ denote rotation gates with rotation angle $\theta_i = \sum_{j = 0}^{i-1} 2^{i-j}\mu_j$, where the values $\mu_j\in \{0, 1\}$ are outcomes obtained in previous measurements. By employing the semiclassical QFT, the exponent register requires only a single qubit, resulting in a reduction of $2n+1$ qubits compared to the standard implementation.
  • Figure 4: An illustration of how the two Work registers are allocated for temporary variables within a single iteration of the EEA. The upper and lower stripes represent the Work1 and Work2 registers, respectively. The symbols (h) and (l) indicate that the value $t'$ is split into its higher-order bits (h) and lower-order bits (l), which are placed at the corresponding positions on the two sides of the Work2 register.
  • Figure 5: Overall circuit implementation (Part 1) of a single iteration of our space-efficient EEA. The three dashed boxes, from left to right, represent: (1) pre-shift operations; (2) location-controlled subtraction on $r$'s; (3) location-controlled swap.
  • ...and 5 more figures

Theorems & Definitions (1)

  • Lemma A.1