Quantum algorithms for computing general discrete logarithms and orders with tradeoffs
-
Martin Ekerå
Abstract
We generalize our earlier works on computing short discrete logarithms with tradeoffs, and bridge them with Seifert's work on computing orders with tradeoffs, and with Shor's groundbreaking works on computing orders and general discrete logarithms. In particular, we enable tradeoffs when computing general discrete logarithms. Compared to Shor's algorithm, this yields a reduction by up to a factor of two in the number of group operations evaluated quantumly in each run, at the expense of having to perform multiple runs. Unlike Shor's algorithm, our algorithm does not require the group order to be known. It simultaneously computes both the order and the logarithm. We analyze the probability distributions induced by our algorithm, and by Shor's and Seifert's order-finding algorithms, describe how these algorithms may be simulated when the solution is known, and estimate the number of runs required for a given minimum success probability when making different tradeoffs.
1 Introduction
As in [5, 7, 8], let 𝔾 under ⊙ be a finite cyclic group of order r generated by g, and
The discrete logarithm problem is to compute d = logg x given the group elements g and x. In cryptographic applications, the group 𝔾 is typically a subgroup of
In the general discrete logarithm problem 0 ≤ d < r, whereas d is smaller than r by some order of magnitude in the short discrete logarithm problem.
1.1 Earlier works
In 1994, in a groundbreaking publication, Shor [25, 26] introduced polynomial time quantum algorithms for factoring integers and for computing general discrete logarithms in
Ekerå [5] initiated a line of research in 2016 by introducing a modified version of Shor's algorithm for computing discrete logarithms that more efficiently solves the short discrete logarithm problem. This work is of cryptographic relevance as the short discrete logarithm problem underpins the security of many implementations of cryptosystems instantiated with safe-prime groups. A notable example is Diffie-Hellman key exchange [3] in TLS, IKE and NIST SP 800-56A [2, 9, 13].
In a follow-up work, Ekerå and Håstad [8] enabled tradeoffs in Ekerå's algorithm using ideas that directly parallel those of Seifert [24] in his work on enabling tradeoffs in Shor's order-finding algorithm; the quantum part of Shor's factoring algorithm. Ekerå and Håstad furthermore showed how the RSA integer factoring problem, that underpins the widely deployed RSA cryptosystem [21], may be reduced via [11] to a short discrete logarithm problem and attacked quantumly. This gives rise to a quantum algorithm that more efficiently solves the RSA integer factoring problem when making tradeoffs and comparing to Shor's original factoring algorithm, or to Seifert's factoring algorithm.
Ekerå [7] subsequently refined the classical post-processing in [8] to render it more efficient. With this improved post-processing, the algorithm of Ekerå and Håstad is shown in [7] to outperform Shor's and Seifert's factoring algorithms when targeting RSA integers, irrespective of whether tradeoffs are made.
A key component to this result was the development of a classical simulator for the quantum algorithm for computing short discrete logarithms: For problem instances for which the solution is classically known, this simulator allows outputs to be generated that are representative of outputs that would be generated by the quantum algorithm if executed on a quantum computer. This in turn allows the efficiency of the classical post-processing to be experimentally assessed.
1.2 Our contributions
We generalize and bridge our earlier works on computing short discrete logarithms with tradeoffs, Seifert's work on computing orders with tradeoffs and Shor's groundbreaking works on computing orders and general discrete logarithms. In particular, we enable tradeoffs when computing general discrete logarithms.
Compared to Shor's algorithm for computing general discrete logarithms, this yields a reduction by up to a factor of two in the number of group operations evaluated quantumly in each run, at the expense of having to perform multiple runs. Unlike Shor's algorithm, our algorithm does not require the group order to be known. It simultaneously computes both the order and the logarithm. This allows our algorithm to outperform Shor's original algorithms with respect to the overall number of group operations that need to be evaluated quantumly in some cases even when not making tradeoffs. One cryptographically relevant example of such a case is the computation of discrete logarithms in Schnorr groups of unknown order.
We analyze the probability distributions induced by our algorithm, and by Shor's and Seifert's order-finding algorithms, describe how all of these algorithms may be simulated when the solution to the problem instance is known, and estimate the number of runs required for a given minimum success probability when making different tradeoffs.
1.2.1 On the cryptographic significance of this work
The security of virtually all currently widely deployed asymmetric cryptosystems is based on the intractability of either the discrete logarithm problem or the integer factoring problem.
In this work, we further the understanding of how hard these two key problems are to solve quantumly when not on special form. We hope that our results may prove useful when developing cost estimates for quantum attacks, and that they may inform decisions on when to mandate migration from the currently deployed asymmetric cryptosystems to post-quantum secure cryptosystems.
1.2.2 Further details and overview
Our algorithm for computing general discrete logarithms in turn consists of two algorithms;
a quantum algorithm, that upon input of a generator g of order r, and an element x = [d] g where 0 ≤ d < r, outputs a pair (j, k), and
a classical probabilistic post-processing algorithm, that upon input of a set of n pairs (j, k), produced by n runs of the quantum algorithm, computes d.
a classical probabilistic post-processing algorithm, that upon input of a set of n integers j computes the order r. Note that the same set of integers j may be used as input to both this and the above post-processing algorithm, by breaking out j from the pairs (j, k).
The quantum algorithm is identical to the algorithm in [7, 8] for computing short discrete logarithms with tradeoffs. The key difference in this work is that we admit general discrete logarithms and comprehensively analyze the probability distribution that the algorithm induces for such logarithms.
The post-processing algorithm for d is a tweaked version of the lattice-based algorithm in [7], whereas the algorithm for r is a natural generalization of the lattice-based algorithm in [7] first sketched in a pre-print of [8]. It is similar to the post-processing in [24].
The quantum algorithm is parameterized under a tradeoff factor s. This factor controls the tradeoff between the requirements that the algorithm imposes on the quantum computer, and the number of runs, n, required to attain a given minimum probability q of recovering d and r in the classical post-processing.
Following [7], we estimate n for a given problem instance, represented by d and r, and fixed s and q, by simulating the quantum algorithm. We first use simulated output to heuristically estimate n, and then verify the estimate by executing the two post-processing algorithms with respect to simulated output.
The simulator is based on a high-resolution two-dimensional histogram of the probability distribution induced by the quantum algorithm. By sampling the histogram, we generate pairs (j, k) that very closely approximate output that would be produced by the quantum algorithm if executed on a quantum computer.
To construct the histogram, we first derive a closed-form expression that approximates the probability of the quantum algorithm yielding (j, k) as output, and an upper bound on the error in the approximation. We then integrate this expression and the error bound numerically in different regions of the plane.
Our simulations show that when not making tradeoffs, a single run suffices to compute d or r with ≥ 99% success probability. When making tradeoffs, slightly more than s runs are typically required to achieve a similar success probability. In Appendix A we show that these results extend to order finding and factoring.
Note that the simulator requires d and r to be explicitly known: It cannot be used for problem instances represented by group elements g and x = [d] g.
1.2.3 Structure of this paper
The quantum algorithm is described in Section 2. In Section 3, we analyze the probability distribution it induces, and derive a closed-form expression that approximates the probability of it yielding (j, k) as output. In Sections 4 and 5, we describe how the high-resolution histogram is constructed by integrating the closed-form expression, and how the histogram is sampled to simulate the quantum algorithm.
In Section 6, we describe the two post-processing algorithms for recovering d and r from a set of n pairs (j, k). In Section 7, we use the simulator to estimate the number of runs n required to solve a given problem instance for d and r, with minimum success probability q, as a function of the tradeoff factor s.
We summarize past and new results, and discuss related applications, such as order finding and integer factoring, in Sections 8 and 9, and in the appendices.
1.3 Notation
The below notation is used throughout this paper:
u mod n denotes u reduced modulo n constrained to [0, n).
{u}n denotes u reduced modulo n constrained to [−n/2, n/2).
⌈u⌉, ⌊u⌋ and ⌊u⌉ denotes u rounded up, down and to the closest integer.
|u| denotes the Euclidean norm of the vector u = (u0, . . ., un−1) ∈ ℝn.
u ~ v is used to denote that u and v are approximately of similar size.
1.4 Randomization
Given two group elements g and x′ = [d′] g to be solved for d′, the general discrete logarithm problem may be randomized as follows:
Select a random integer t. Let x = x′ ⊙ [t] g = [d] g.
Solve g and x for d ≡ d′ + t (mod r) and optionally for r.
Compute and return d′ ≡ d − t (mod r).
Hence, we may assume without loss of generality that d is selected uniformly at random on [0, r) in the analysis of the quantum algorithm.
If r is known, t should be selected uniformly at random on [0, r), otherwise on [0, 2m+c) for m the bit length of r and c a sufficiently large integer constant for the selection of x to be indistinguishable from a uniform selection from 𝔾. Solving for r in step 2 is only necessary if r is unknown and d′ must be on [0, r) when returned.
2 The quantum algorithm
In this section we describe the quantum algorithm, that upon input of a generator g and an element x = [d] g, where 0 ≤ d < r, outputs a pair (j, k) and element y.
As stated earlier, the algorithm is parameterized under a small integer constant s ≥ 1, referred to as the tradeoff factor, that controls the tradeoff between the number of runs required and the requirements imposed on the quantum computer.
Let m be the integer such that 2m−1 ≤ r < 2m, let ℓ = ⌈m/s⌉, and let
Compute [a] g ⊙ [−b] x = [a − bd] g to the third register to obtain
Compute QFTs of size 2m+ℓ and 2ℓ of the first two registers to obtain
Observe the system to obtain (j, k) and y = [e] g where e = (a − bd) mod r.
Note that y is observed only to highlight that the system is forced to collapse to combinations of a and b such that e = (a − bd) mod r for fixed e.
The above steps may be interleaved, rather than executed sequentially, so as to allow the qubits in the first two registers to be recycled [10, 18, 19]. A single control qubit then suffices to implement the first two control registers. This is possible as the qubits in the control registers are not initially entangled; the registers are initialized to uniform superpositions of 2m+ℓ and 2ℓ values, respectively.
In Shor's algorithm for computing general discrete logarithms, the two control registers are instead of length m qubits. Both registers are initialized to uniform superpositions of r values. This makes the single control qubit optimization less straightforward to apply, and the initial superpositions harder to induce. Apart from this difference, the implementation complexity of Shor's algorithm and our algorithm may be compared in a fair manner in terms of the total exponent lengths.
In practice, the exponentiation of group elements would typically be performed by computing a group operation controlled by each bit in the exponent. Hence, a total of 2m group operations are performed in Shor's algorithm, compared to m + 2m/s in our algorithm. As s increases, this tends to m operations, providing an advantage over Shor's original algorithm by up to a factor of two at the expense of having to execute the algorithm multiple times. This reduction in the number of group operations translates into a corresponding reduction in the coherence time and circuit depth requirements of our quantum algorithm.
Note that our algorithm does not require r to be known. It suffices that the size of r is known. For comparison, Shor's algorithm requires r to be known. This explains why Shor needs to perform only 2m operations, whilst we need 3m operations when not making tradeoffs. As we shall see, we do in fact compute both d and r simultaneously, whilst Shor computes d given r.
3 The probability of observing (j, k) and y
In step 4 of the algorithm in Section 2, we obtain (j, k) and y = [e] g with probability
where the sum is over all pairs (a, b), such that 0 ≤ a < 2m+ℓ and 0 ≤ b < 2ℓ, respecting the condition e ≡ a − bd (mod r). In this section, we seek a closed-form error-bounded approximation to (1) summed over all y = [e] g ∈ 𝔾. To this end, we first perform a variable substitution to obtain contiguous summation intervals.
As a = e + bd + nr r for nr an integer such that 0 ≤ a = e + bd + nr r < 2m+ℓ, it follows that
Substituting a for e + bd + nr r in (1) and adjusting the phase therefore yields
By introducing arguments αd and αr, and corresponding angles θd and θr, where
we may write (3) as a function of αd and αr, and e, as
or of θd and θr, and e, as
This implies that the probability of observing the pair (j, k) and y = [e] g depends only on (αd, αr) and e, or equivalently on (θd, θr) and e. The probability is virtually independent of e in practice, as e can at most shift the endpoints of the summation interval in the inner sums in (4) and (5) by one step.
As was stated above, we seek a closed-form approximation to ρ(θd, θr, e) summed over all r group elements y = [e] g ∈ 𝔾. Hereinafter, we denote this probability
and we furthermore use angles and arguments interchangeably, depending on which representation best lends itself to analysis in each step of the process.
3.1 Preliminaries
To gain some intuition, we write ρ(θd, θr, e) as
and note that there are two obstacles to placing this expression on closed form:
Firstly, the summation interval in the inner sum over nr depends on the summation variable b of the outer sum. Secondly, the exponent of the summand in the outer sum over b contains a rounding operation that depends on b.
By using that ⌈(2m+ℓ − (e + bd))/r⌉ − ⌈−(e + bd)/r⌉ ≈ ⌈2m+ℓ/r⌉ we may remove the dependency between the inner and outer sums, and by using that ⌈−(e + bd)/r⌉ ≈ −(e + bd)/r we may remove the rounding operation.
By making these two approximations, and by adjusting the phase, we may derive an approximation to ρ(θd, θr, e) that is independent of e, enabling us to sum ρ(θd, θr, e) over the r values of e, corresponding to the r group elements y = [e] g ∈ 𝔾, simply by multiplying by r. This yields
where we furthermore need to assume in (6) that θd − θrd/r ≠ 0 and θr ≠ 0.
This closed-form approximation captures the general characteristics of the probability distribution induced by the quantum algorithm. However, it is seemingly non-trivial to derive a good bound for the error in this approximation.
In what follows, we use techniques similar to those employed above to derive an error-bounded closed-form approximation to ρ(θd, θr, e) such that the error is negligible in the regions of the plane where the probability mass is concentrated. As was the case above, we will find that the error-bounded approximation of ρ(θd, θr, e) is independent of e, enabling us to approximate P(θd, θr) simply by multiplying the closed-form approximation to ρ(θd, θr, e) by r.
3.1.1 Constructive interference
Before we proceed to develop the closed-form approximation, we note that for a fixed problem instance and fixed e, the sums in ρ(θd, θr, e) are over a constant number of unit vectors in the complex plane. For such sums, constructive interference arises when all vectors point in approximately the same direction.
In regions of the plane where θr and θd − θrd/r are both small, we hence expect constructive interference to arise. The probability mass is expected to concentrate in regions where constructive interference arises, and where the concentration of pairs (θd, θr) yielded by the integers pairs (j, k) is great.
In what follows, we therefore seek to derive a closed-form approximation to ρ(θd, θr, e), and an associated bound on the error in the approximation, such that the error is small when θr and θd − θrd/r are small.
3.2 Closed-form approximation with error bounds
To derive a closed-form approximation to ρ(θd, θr, e), we first observe that the sums in the expression for ρ(θd, θr, e) may be regarded as sums over the points in a region ℛ in a lattice La,b, as is illustrated in Figure 1. Note that this figure also contains other elements to which we shall return as the analysis progresses.
The lattice La,b for σ = 2, m = ℓ = 5, e = 0, r = 31 and d = 27. All red filled points are in ℛ. The region 𝒜 and its translated replicas are drawn as dashed rectangles. All blue outlined points are in 𝒜 or in one of its replicas. The gray triangles outline the points that are in 𝒜 or one of its replicas, but not in ℛ, and vice versa.
Definition 3.1
Let La,b be the lattice spanned by (d, 1) and (r, 0) so that the set of points in La,b is given by (a − e, b) = b(d, 1) + nr(r, 0) for integers b and nr.
Definition 3.2
Let ℛ be the region in La,b where 0 ≤ a < 2m+ℓ and 0 ≤ b < 2ℓ.
Definition 3.3
Let
Claim 3.4
The probability ρ(θd, θr, e) = Sℛ.
Proof
The points in ℛ are given by (a − e, b) = b(d, 1) + nr(r, 0), for 0 ≤ b < 2ℓ and nr on (2) so that 0 ≤ a = e + bd + nrr < 2m+ℓ, which implies that
by the preliminary analysis in Section 3 and so the claim follows.
In what follows, we derive a closed-form approximation to ρ(θd, θr, e) = Sℛ, and an associated error bound, in three steps.
3.2.1 Preliminaries
Before proceeding as outlined above, we first introduce some preliminary claims.
Claim 3.5
For u, v ∈ ℂ and Δ = u − v it holds that
Proof
First verify that
where the overlines denote complex conjugates. This implies that
and so the claim follows.
Claim 3.6
|eiϕ − 1| ≤ |ϕ| for any ϕ ∈ ℝ.
Proof. It suffices to show that |eiϕ − 1|2 = 2(1 − cos ϕ) ≤ ϕ2 from which the claim follows as cos ϕ ≥ 1 − ϕ2/2 for any ϕ ∈ ℝ.
3.2.2 Bounding |sℛ|
Before proceeding to the first approximation step, we furthermore bound |sℛ| in this section, as this bound is needed in the following analysis.
Lemma 3.7
The sum sℛ is bounded by |sℛ| ≤ 22ℓ+1.
Proof
By Claim 3.4 the sum
where the outer sum over b is over 2ℓ values and the inner sum over nr is over at most 2ℓ+1 values by Claim 3.8 below. As sℛ is a sum of at most 22ℓ+1 complex unit vectors, it follows that |sℛ| ≤ 22ℓ+1, and so the lemma follows.
Claim 3.8
For Δ = ⌈(2m+ℓ − (e + bd))/r⌉ − ⌈−(e + bd)/r⌉, it holds that
Proof
For some f1, f2 ∈ [0, 1), it holds that
where t = ⌊f1 + f2⌋ ∈ {0, 1} as f1 + f2 ∈ [0, 2). Furthermore, recall that r ≥ 2m−1. Hence, it follows that 2m+ℓ/r ≤ 2ℓ+1, so Δ = ⌈2m+ℓ/r⌉ − t ≤ 2ℓ+1, and so the claim follows.
3.2.3 Approximating Sℛ by S𝒜T𝒜
In the first approximation step, we approximate Sℛ by first summing the points in a small region 𝒜 in ℛ, and by then replicating and translating the points in 𝒜, and the associated sum over these points, so as to approximately cover ℛ, see Figure 1.
Definition 3.9
Let 𝒜 be the region in La,b where 0 ≤ a < 2m+ℓ and 0 ≤ b < 2σ for σ an integer parameter selected on 0 < σ < ℓ.
Definition 3.10
Let
Claim 3.11
Proof
The points in 𝒜 are given by (a − e, b) = b(d, 1) + nr(r, 0) for 0 ≤ b < 2σ and nr on (2) so that 0 ≤ a = e + bd + nrr < 2m+ℓ, which implies that
in analogy with the analysis in Section 3, but with b on 0 ≤ b < 2σ as opposed to 0 ≤ b < 2ℓ, and so the claim follows.
To replicate and translate the points in 𝒜 so as to approximately cover ℛ, we furthermore introduce t𝒜 and T𝒜, as defined below:
Definition 3.12
Let
The error when approximating Sℛ by S𝒜T𝒜 may now be bounded as follows:
Lemma 3.13
The error when approximating sℛ by s𝒜t𝒜 is bounded by
Proof
The exponential sum t𝒜 replicates and translates the partial sum over 𝒜 so as to approximately cover ℛ as is illustrated in Figure 1. Every time the region is replicated, it is translated by a vector in La,b that corresponds to ei(θd 2σ + θr⌈−2σd/r⌉).
The error that arises when sℛ is approximated by s𝒜t𝒜 is hence due to points that are in ℛ but excluded from the sum, and conversely to points not in ℛ that are erroneously included in the sum. Hereinafter these points will be referred to as the erroneous points.
The erroneous points fall within the two gray triangles in Figure 1. Both triangles are of horizontal side length 2ℓ and vertical side length 2ℓ−σ (2σd mod r), as the region 𝒜 is replicated and translated 2ℓ−σ times in total, and as it is shifted horizontally by 2σ and vertically by 2σd mod r every time it is translated.
To upper-bound the number of lattice points in each triangle, note that the lattice points are on 2ℓ vertical lines, evenly separated horizontally by a distance of one. The points on each vertical line are evenly separated vertically by a distance of r, with varying starting positions on each line. For h(b) = 2ℓ−σ (2σd mod r)(b/2ℓ) the height of each triangle at b, we have that at most
lattice points are then on the vertical line that cuts through the triangle at b, as may be seen by maximizing over all possible starting points. By summing N(b) over all 2ℓ lines, we thus obtain an upper bound of
on the number of points in each triangle, where we have used that 22ℓ−σ−1 ≥ 2ℓ as σ is an integer on 0 < σ < ℓ.
As there are two triangles, the total number of erroneous points is upper-bounded by 2 · 22ℓ−σ = 22ℓ−σ+1. Each erroneous point corresponds to a unit vector in the complex sum sℛ − s𝒜t𝒜, which implies |sℛ − s𝒜t𝒜| ≤ 22ℓ−σ+1, and so the lemma follows.
Lemma 3.14
The error when approximating Sℛ by S𝒜T𝒜 is bounded by
Proof
By Claim 3.5, it holds that
as |sℛ − s𝒜t𝒜| ≤ 22ℓ−σ+1 by Lemma 3.13 and |sℛ| ≤ 22ℓ+1 by Lemma 3.7.
From the above, and Definitions 3.3, 3.10 and 3.12, we have that
and so the lemma follows.
As t𝒜 is a geometric sum T𝒜 = |t𝒜|2 may be placed on closed form. It remains to derive a closed-form approximation to S𝒜. In what follows, we do this in two additional approximation steps.
3.2.4 Approximating S𝒜 by
S A ′
In the second approximation step, we derive a closed-form approximation to S𝒜, by first approximating S𝒜 by the product
Definition 3.15
Let
Lemma 3.16
The error when approximating s𝒜 by
Proof
As s𝒜 and
Lemma 3.17
The sum
Proof
In the expression for
Lemma 3.18
The error when approximating S𝒜 by
Proof
By Claim 3.5, it holds that
as
From the above, and Definitions 3.10 and 3.15, we have that
and so the lemma follows.
The trailing sum in
3.2.5 Approximating
S A ′ S A ″
For θd and θr such that the angles θdb + θr − ⌈(e + bd)/r⌉ ≈ (θd − θrd/r) b in the leading sum in
Definition 3.19
Let
Lemma 3.20
The difference between
Proof
First observe that
By using Claim 3.6 and the triangle inequality, it follows that
where we use that ⌈−x⌉ = − ⌊x⌋ and ⌊(e + bd)/r⌋ ≤ b. To verify the latter claim, note that f1 = e/r ∈ [0, 1) and f2 = bd/r ∈ [0, b) as e, d ∈ [0, r). This implies that ⌊(e + bd)/r⌋ = ⌊f1 + f2⌋ ∈ [0, b] as f1 + f2 ∈ [0, b + 1).
By combining the above results, we now have that
and so the lemma follows.
Lemma 3.21
The error when approximating
Proof
By Claim 3.5, it holds that
as
From the above, and Definitions 3.15 and 3.19, we have that
and so the lemma follows.
This yields an approximation
3.2.6 Main approximability result
By combining the previous results, the main approximability result follows:
Theorem 3.22
The probability P(θd, θr) of observing a specific pair (j, k) with angle pair (θd, θr), summed over all y ∈ 𝔾, may be approximated by
assuming θd2σ + θr ⌈−2σd/r⌉ ≠ 0 and θr ≠ 0 when placing the expression on closed form. The approximation error
Proof
The probability ρ(θd, θr, e) of observing a specific pair (j, k), with angle pair (θd, θr), and some group element y = [e] g ∈ 𝔾, is Sℛ by Claim 3.4.
The error when approximating Sℛ by S𝒜T𝒜 is bounded by
by Lemma 3.14. The error when approximating S𝒜T𝒜 by
by Lemma 3.18. The error when approximating
by Lemma 3.21. By the triangle inequality
Neither of these three error terms, nor the expression for
where we use that r < 2m, and that T𝒜 ≤ 22(ℓ−σ) as it is the square norm of a sum of 2ℓ−σ unit vectors by Definition 3.12, and so the theorem follows.
In Appendix C we demonstrate the soundness of this approximation.
4 The distribution of pairs (αd, αr)
In this section, we identify and count all pairs (j, k) that yield (αd, αr) and analyze the distribution and density of pairs (αd, αr) in the plane.
Definition 4.1
An argument pair (αd, αr) is said to be admissible if there exists an integer pair (j, k), for j on 0 ≤ j < 2m+ℓ and k on 0 ≤ k < 2ℓ, such that
Definition 4.2
Let κd denote the greatest integer such that 2κd divides d, and let κr denote the greatest integer such that 2κr divides r.
Definition 4.3
Let Lα be the lattice generated by the rows in
and γ = max(0, κr − (ℓ + κd)).
Lemma 4.4
The admissible argument pairs (αd, αr) are vectors in Lα in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1. There are 2m+2ℓ−κr+γ distinct admissible argument pairs, each occurring with multiplicity 2κr−γ.
Proof
As αr ≡ rj (mod 2m+ℓ), the set of integers j that yield αr are given by
as tr runs through all integers on 0 ≤ tr < 2κr. As αd ≡ dj + 2mk (mod 2m+ℓ), we need
for k an integer on 0 ≤ k < 2ℓ, to ensure compatibility. As 2m−γ is the largest power of two to divide both 2m and 2m+ℓ−κr+κd, by the definition of γ, the congruence relation αd ≡ (αr/2κr)d (r/2κr)−1 (mod 2m−γ) must hold.
As tr and k run through all pairwise combinations, the set of 2ℓ+κr arguments αd generated by (7) is equal to that generated by
as tγ, or equivalently
To go from (7) to (8), first note that B runs through all values in [2m, 2m+ℓ). If γ = 0, term A introduces multiplicity by repeating the sequence generated by B with various offsets. These offsets are of no significance to this analysis, as we only account for which values occur in the set and with what multiplicity.
If γ > 0, term A runs through all values in [2m−γ, 2m−γ+κr). As κr ≥ γ when γ > 0, term A runs through all values in the subrange [2m−γ, 2m). When A assumes values greater than or equal to 2m, it introduces multiplicity by repeating the sequence of all values on [2m−γ, 2m+ℓ) generated by A and B with various offsets.
This implies that (A + B) mod 2m+ℓ runs through all 2m+ℓ/2m−γ = 2ℓ+γ values on [2m−γ, 2m+ℓ) with multiplicity 2ℓ+κr/2ℓ+γ = 2κr−γ, and this is exactly what is stated in (8). To go from (8) to (9) is trivial.
As there are 2m+2ℓ admissible argument pairs, and as each pair occurs with multiplicity 2κr−γ, there are 2m+2ℓ−κr+γ distinct admissible argument pairs.
The lattice Lα is constructed from (9), as the admissible arguments αr are multiples of 2κr, and as the admissible
In Figure 2 the distribution of admissible argument pairs (αd, αr) in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1 is depicted for various combinations of d and r.
The distribution of admissible argument pairs (αd, αr) in the region where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1 for m = 4 and ℓ = 3, and example combinations of d and r, as indicated. The lattice may be constructed by replicating the fundamental parallelogram (blue) or a rectangle (gray) of size 2m−γ × 2m+κr−γ.
4.1 Pairs (j, k) yielding (αd, αr)
In this section we identify all pairs (j, k) that yield (αd, αr).
Lemma 4.5
The set of integer pairs (j, k), for j on 0 ≤ j < 2m+ℓ and k on 0 ≤ k < 2ℓ, that yield the admissible argument pair (αd, αr) is given by
as tr runs through all integer multiples of 2γ on 0 ≤ tr < 2κr.
Proof
As αr ≡ rj (mod 2m+ℓ), solving for j yields
for tr an integer 0 ≤ tr < 2κr.
As αd ≡ dj + 2mk (mod 2m+ℓ), for compatibility 2m must divide 2m+ℓ−κr dtr for all tr ≠ 0. As 2m+ℓ+κd−κr is the greatest power of two to divide 2m+ℓ−κr d, it follows that tr must be a multiple of 2γ, and so the lemma follows.
4.2 The density of pairs (αd, αr)
In this section we analyze the density of admissible argument pairs (αd, αr) in the argument plane.
Claim 4.6
The density of admissible argument pairs (αd, αr) in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1 is 2−m when accounting for multiplicity.
Proof
There are 2m+2ℓ admissible argument pairs (αd, αr), when accounting for multiplicity, in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1. This region is of area 22(m+ℓ). The density is hence 2m+2ℓ/22(m+ℓ) = 2−m, and so the claim follows.
To construct the histogram for the probability distribution, the argument plane is divided into small rectangular subregions. Lemma 4.7 below bounds the error when approximating the density in such subregions by 2−m.
Lemma 4.7
Let D be the density of admissible argument pairs (αd, αr), when accounting for multiplicity, in a rectangle R of area A and circumference C in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1. Then
for λ1 the norm of the shortest non-zero vector w1 ∈ Lα, and λ2 the norm of the shortest non-zero vector w2 ∈ Lα that is linearly independent to w1.
Proof
By Lemma 4.4, the admissible argument pairs (αd, αr) are vectors in Lα in the region of the argument plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1. Each admissible argument pair occurs with multiplicity 2κr−γ.
The fundamental parallelogram in Lα contains a single lattice vector. It is spanned by w1 and w2, and has area det Lα = λ2 |w⊥| = 2m+κr−γ, where w⊥ is the component in w1 perpendicular to w2. This implies λ2 ≥ λ1 ≥ |w⊥|. To bound the number of argument pairs (αd, αr) ∈ R, we lower- and upper-bound the number of fundamental parallelograms that can at most fit into R, as described below, paying particular attention to the border areas:
To upper-bound the number of vectors in R, we extend each side of R by 2 λ2 length units, to ensure that any parallelogram that is only partly in R is included in the count, and divide the area of the resulting rectangle by the area of the fundamental parallelogram. This yields (A + 2Cλ2 + 4 (2 λ2)2) / det Lα.
Conversely, to lower-bound the number of vectors in R, we retract each side of R by 2λ2 length units, to ensure that all parallelograms that are only partly in the rectangle are excluded from the count, and divide the area of the resulting rectangle by det Lα. This yields (A − 2Cλ2 + 4 (2λ2)2) / det Lα.
By combining the upper and lower bounds, dividing by the area A of R, and multiplying by 2κr−γ to account for multiplicity, the lemma follows.
For known d and r, Lemma 4.7 above provides a bound on the error when approximating the density in a rectangle in Lα by 2−m as λ2 may then be computed. To bound the error for general problem instances, and when d and r are unknown, we introduce the following less tight lemma:
Lemma 4.8
Let D be the density of admissible argument pairs (αd, αr), when accounting for multiplicity, in a rectangle of side lengths ld and lr in the αd and αr directions, respectively, in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1. Then
Proof
By Lemma 4.4, the admissible argument pairs (αd, αr) are vectors in Lα in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1. Each admissible argument pair occurs with multiplicity 2κr−γ.
The vectors in Lα are on horizontal lines (for fixed αr) evenly separated by a vertical distance of 2κr. The number of such lines that intersect the rectangle is upper-bounded by ⌊lr/2κr⌋ + 1 ≤ lr/2κr + 1 and lower-bounded by ⌊lr/2κr⌋ ≥ lr/2κr − 1 as may be seen by positioning the rectangle to maximize or minimize the number of lines that intersect the rectangle.
On each line, the vectors in Lα are evenly spaced by a distance of 2m−γ with varying starting positions. The number of vectors in Lα that fall within the rectangle on each line is upper-bounded by ⌊ld/2m−γ⌋ + 1 ≤ ld/2m−γ + 1 and lower-bounded by ⌊ld/2m−γ⌋ ≥ ld/2m−γ − 1, when not accounting for multiplicity, as may be seen by positioning the line to maximize or minimize the number of vectors that fall within the rectangle.
Hence the number of lattice vectors in the rectangle is upper-bounded by
and lower-bounded by
as each vector corresponds to a pair that occurs with multiplicity 2κr−γ. By combining these bounds, and dividing by the rectangle area ldlr, the lemma follows.
For unknown d and r, Lemma 4.8 above provides an error bound, assuming only some bounds on the parameters κr and γ. Asymptotically, the error in the approximation tends to zero as the side lengths of the rectangle tend to infinity. For rectangular subregions of specific dimensions, it may furthermore be shown that the error is zero, as is demonstrated in the following lemma:
Lemma 4.9
The density of admissible argument pairs (αd, αr) in a rectangle of side lengths positive integer multiples of 2m−γ and 2m−γ+κr in αd and αr, respectively, in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1, is 2−m when accounting for multiplicity.
Proof
By Lemma 4.4, the admissible argument pairs (αd, αr) are vectors in Lα in the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1. Each admissible argument pair occurs with multiplicity 2κr−γ.
From the definition of Lα in Lemma 4.4, it follows that the lattice is cyclic with period 2m−γ in αd and 2m−γ+κr in αr. This is illustrated in Figure 2 where rectangular regions of these dimensions are highlighted in gray. The highlighted regions all extend from the origin in Figure 2 but the starting point may of course be arbitrarily selected. This implies that the lattice Lα may be generated by replicating and translating any rectangle of side lengths positive multiples of 2m−γ and 2m−γ+κr in αd and αr, respectively, see Figure 2, throughout the plane. The same holds if the rectangle is replicated and translated cyclically throughout the region of the plane where −2m+ℓ−1 ≤ αd, αr < 2m+ℓ−1.
The number of rectangles that fit in the region when replicated and translated cyclically is
as the area of the region is 22(m+ℓ) and the area of the rectangle is 22(m−γ)+κr. The total number of lattice vectors in the region is 22m+ℓ, so each rectangle contains 2m+2ℓ/22(ℓ+γ)−κr = 2m−2γ+κr vectors when accounting for multiplicity. By dividing by the area of the rectangle, we see that the density of points in each rectangle is 2m−2γ+κr/22(m−γ)+κr = 2−m, and so the lemma follows.
5 Simulating the quantum algorithm
In close analogy with [7], we now proceed to construct a high-resolution histogram for the probability distribution induced by the quantum algorithm, for given d and r, and to sample it to simulate the quantum algorithm.
5.1 Constructing the histogram
Except for the fact that the probability distribution is two-dimensional, and that we need to account for the closed-form expression being an approximation, we exactly follow [7] to construct the high-resolution histogram: We subdivide the argument plane into regions and subregions, and integrate the closed-form probability approximation
First, we subdivide each quadrant of the argument plane into (30 + μ)2 rectangular regions where μ = min(ℓ − 2, 11). Each region thus formed is uniquely identified by (ηd, ηr) ∈ ℤ2 by requiring that for all (αd, αr) in the region
and furthermore that sgn(αd) = sgn(ηd) and sgn(αr) = sgn(ηr), where ηd and ηr are such that
see the illustration in Figure 3.
The subdivision of the plane into regions and subregions. The gray box illustrates Simpson's rule applied to a subregion. The probability is computed in the blue corner points, the four red border mid-points and the red center-point.
Then, we subdivide each region into rectangular subregions identified by an integer pair (ξd, ξr) by requiring that for all (αd, αr) in the subregion
where 0 ≤ ξd, ξr < 2ν for ν ∈ {6, 7, 8, 9} a resolution parameter adaptively selected as a function of the probability mass and variance in each region.
For each subregion, we compute the approximate probability mass contained within the subregion, and an associated error bound, by applying Simpson's rule in two dimensions, followed by Richardson extrapolation to cancel the linear error term, and division by 2m to account for the density of pairs.
Simpson's rule is hence applied 22ν (1 + 22) times in each region. Each application requires
The optimal σ may be found by searching exhaustively. A computationally more efficient method for selecting σ is to use the heuristic in Appendix C.5.3. We use the heuristic in all cases except when s is large in relation to m causing the error in the closed-form approximation to be large. For such m and s we accept an extra computational burden to get slightly better σ and slightly smaller errors.
In what follows, we refer to the total probability mass captured as the sum of the integral of
In order to save space when storing the histogram, we discard regions that capture insignificant shares of the probability mass. Note furthermore that for m and s such that the total approximation error is large, the error may often be reduced at the expense of capturing a smaller fraction of the probability mass by simply discarding selected regions where the error is large. The errors we report in this paper are without accounting for such additional filtering.
Note that this method of constructing the histogram assumes κd and κr to be small in relation to m. Note also that it follows from Section 4.2 that it is sound to approximate the density by 2−m in the four regions of interest in the plane. For the m and s that we consider, the error in the density approximation is negligible.
5.2 Understanding the probability distribution
To illustrate the distribution that arises, a histogram is plotted in the signed logarithmic argument plane in Figure 4 for m = 2048 and s = 30, and for d and r selected as explained in Section 7.3. It captures approximately 99.99% of the probability mass. The total approximation error is less than 10−3.
The probability distribution for general discrete logarithms computed as in Section 5.1 for m = 2048, s = 30, and d and r selected as in Section 7.3. To facilitate printing, the resolution has been reduced in this figure.
The histogram plotted in Figure 4 captures the characteristic appearance of the probability distribution when d and r are both of length m bits and not divisible by large powers of two.
The probability mass is located in the regions where (|αd|, |αr|) ~ (2m, 2m), whereas for random pairs (j, k) the arguments would both be of size ~ 2m+ℓ. This implies that a single run of the quantum algorithm yields ~ ℓ ~ m/s bits of information on d and r, respectively.
The distribution is symmetric, in that the top right and lower left quadrants are mirrored, as are the top left and lower right quadrants. It hence suffices to compute only two quadrants to construct the histogram. To see why this is, note that flipping the sign of both arguments in the expression for
If the size of d in relation to r is gradually reduced, the tail along the diagonal gradually disappears, as the cancellation effect weakens when d/r is reduced in size. When d is approximately of length m − 5 bits, the tail is nearly gone, and all four quadrants are nearly mirrored. Further reducing d has no significant effect on the distribution. Varying r on the interval 2m−1 < r < 2m only slightly affects the distribution. Scaling m and s has virtually no effect on the distribution, for as long as m/s does not become so small so as to cause constructive interference not to arise, or the plot to be cropped.
The marginal distribution along the αr axis in Figure 4 is virtually identical to the distribution induced by r when performing order finding, see Appendix A and Figure A1 for comparison. In Appendix D we prove this correspondence analytically by summing
![Figure 5 The probability distribution for short discrete logarithms computed as in Appendix B from the closed-form expression in [7], for m = 2048 and s = 30, and d selected as in Section 7.3. The resolution has been reduced in this figure.](/document/doi/10.1515/jmc-2020-0006/asset/graphic/j_jmc-2020-0006_fig_005.jpg)
The probability distribution for short discrete logarithms computed as in Appendix B from the closed-form expression in [7], for m = 2048 and s = 30, and d selected as in Section 7.3. The resolution has been reduced in this figure.
The above observations imply that the lattice-based post-processing algorithm introduced in [7] may be used to solve sets of pairs (j, k) for both short and general d, with minor modifications, see Section 6.1. An analogous lattice-based algorithm may be used to solve sets of integers j for r, see Section 6.2. The hardest instances to solve are those where d is large in relation to r, and r is large in relation to 2m, as in Figure 4, due to the tail that then extends along the diagonal.
5.3 Sampling the probability distribution
Except for the fact that the probability distribution is two-dimensional, we exactly follow [7] to sample the distribution: To sample an argument pair (αd, αr), we first sample a subregion and then sample (αd, αr) from this subregion.
To sample the subregion, we first order all subregions in the histogram by probability, and compute the cumulative probability up to and including each subregion in the resulting ordered sequence. Then, we sample a pivot uniformly at random from [0, 1), and return the first subregion in the ordered sequence for which the cumulative probability is greater than or equal to the pivot. Note that this procedure may fail: This occurs if the pivot is greater than the total cumulative probability.
To sample an argument pair (αd, αr) from the subregion, we first sample a point
To sample an integer pair (j, k) from the distribution, we first sample (αd, αr) as described above, and then sample (j, k) uniformly at random from the set of all integer pairs (j, k) yielding (αd, αr) using Lemma 4.5. More specifically, we first sample an integer tr uniformly at random from the set of all admissible values for tr and then compute (j, k) from (αd, αr) and tr as described in Lemma 4.5.
6 The classical post-processing algorithms
In this section, we describe how d and r are classically recovered from a set {(j1, k1), . . ., (jn, kn)} of pairs produced by performing n independent runs of the quantum algorithm.
6.1 Recovering d from a set of n pairs
To recover d, we exactly follow [7], and use the set of n pairs to form a vector
and a D-dimensional integer lattice Lj with basis matrix
where D = n + 1. For some constants m1, . . ., mn ∈ ℤ, the vector
is such that the distance
To recover d, it hence suffices to find
where Γ is the Gamma function, whilst the fundamental parallelepiped in Lj, that by definition contains a single lattice vector, is of volume det Lj = 2(m+ℓ)n.
Heuristically, the hypersphere is hence expected to contain approximately vd = VD(Rd)/det Lj lattice vectors. The exact number depends on the placement of the hypersphere in ℤD, and on the shape of the fundamental parallelepiped in Lj.
6.1.1 Estimating the minimum n required to solve for d
The radius Rd depends on (ji, ki) via αd,i for 1 ≤ i ≤ n. For fixed n and probability qd, we exactly follow [7] and estimate the minimum radius
by sampling αd,i from the probability distribution. For details on how the estimate is computed, see Section 6.3. It follows from (10) that
This provides a heuristic bound on the number of lattice vectors vd that at most have to be enumerated to solve for d, and that holds with probability at least qd.
6.1.2 Selecting n and solving for d
A simple strategy when solving for d is to select n as described in Section 6.1.1 such that vd is below a bound equal to the maximum number of vectors that it is computationally feasible to enumerate with probability qd. This strategy minimizes n at the expense of performing potentially computationally expensive post-processing.
Another strategy is to select n such that vd < 2 with probability qd, so that there is only one vector in the hypersphere by the heuristic. In theory, this enables us to find
Note that this complication arises only for general discrete logarithms. It does not arise in [7] when post-processing short discrete logarithms, as the order then does not enter into the equation. Note furthermore that the fact that the order now does play a part may be leveraged in the post-processing, see the next sections.
6.1.3 Selecting n and solving for d by exhausting subsets
The greatest argument αd,i essentially determines the bound on Rd and hence on vd. A plausible strategy is therefore to make n runs, but to independently post-process all subsets of n − t pairs from the resulting n pairs, for t a constant.
To select n when using this strategy, we specify a bound B on the number of vectors vd that we accept to enumerate in each lattice of dimension n − t + 1, and follow Section 6.1.1 to select the minimum n respecting this bound with probability at least qd, including only the smallest n − t arguments αd,i when bounding Rd.
With probability qd, the post-processing then heuristically requires at most B lattice vectors to be enumerated in at most
6.1.4 Optimizations when r is known
Note that when r is known, the argument αr,i = {rji}2m+ℓ is known for 1 ≤ i ≤ n, and αr,i provides information on αd,i as the arguments are pairwise correlated. When constructing subsets of n − t pairs from the n pairs (ji, ki), the pairs should be included in ascending order sorted by |αr,i|. In general, pairs such that |αr,i| exceeds some bound may be rejected as large |αr,i| identify erroneous runs.
6.2 Recovering r from a set of n pairs
To recover r, we instead use that
centered at the origin. In close analogy with [7] and the previous section, we may recover
This generalization was hinted at in the pre-print of [8]. Furthermore, it is similar to the method employed by Seifert in [24], where he uses what he refers to as simultaneous Diophantine approximation techniques to generalize Shor's [25] continued fractions expansion-based post-processing to higher dimensions. In the case of Shor's original order-finding algorithm, the fact that the problem of finding a continued fraction may be perceived as a lattice problem is observed in [14].
We prefer to describe the post-processing in terms of a shortest vector problem, as this gives us two lattice problems in the same lattice Lj, and as we may re-use the tools previously introduced to estimate the number of runs n required to solve the problem.
6.2.1 Estimating the minimum n required to solve for r
The radius Rr depends on ji via αr,i for 1 ≤ i ≤ n. For fixed n and probability qr, we proceed in analogy with [7] and estimate the minimum radius
by sampling αr,i from the probability distribution. For details on how the estimate is computed, see Section 6.3. It follows from (12) that
This provides a heuristic bound on the number of lattice vectors vr that at most have to enumerated to solve for r, and that holds with probability at least qr.
6.2.2 Selecting n and solving for r
One strategy when solving for r is to use the heuristic to select n such that vr is below a bound equal to the maximum number of vectors that it is computationally feasible to enumerate, with probability qr. This strategy minimizes n at the expense of performing potentially computationally expensive post-processing.
Another strategy is to select n such that vr < 2 with probability qr, so that there is only one lattice vector in the hypersphere by the heuristic. In theory, this enables us to find
In practice, the heuristic is good when r is prime, as is typically the case when computing discrete logarithms in cryptographic settings. If r is composite, the heuristic is still good, but it may be necessary to perform a small search to find r if r has one or more small prime factors, see Section 6.2.3. If r has many small prime factors, and n is close to one, an additional classical post-processing step may be required to solve efficiently for r, as there may then exist an artificially short non-zero vector in Lj. This additional step is described in Section 6.2.4.
A third strategy is to independently post-process subsets of the pairs output by the quantum computer, in analogy with the procedure described in Section 6.1.3.
6.2.3 Handling composite r
Assume that r is composite. Let gcd(αr,1, . . ., αr,n, r) = 2κr o for o odd. Let t be the greatest integer on [0, κr] for which
for all i ∈ [1, n]. Then
For q an odd prime divisor of r, the probability of q also dividing αr,i for all i ∈ [1, n] is approximately q−n. This implies that r may in general be recovered from r/(2to) by exhausting t and o, as the search space is expected to be small: It is only if r has very many small odd prime divisors, and if n is close to one, that problems may potentially arise. Such problematic cases may be handled efficiently by introducing an additional classical post-processing step, see the next section.
6.2.4 Handling partially smooth r
Let 𝒫 be the set of all prime factors ≤ cm, for c ≥ 1 some small constant, and let υq be the greatest integer such that qυq < 2m. Furthermore, for r′ = r/(2to) let
where bracket notation is used to denote generalized exponentiations. Computing
As previously explained, when r is partially very smooth, the classical post-processing algorithm is likely to return r′ = r/(2to), where o may be large, but where all prime factors of o are small. Assume that all prime factors of 2to are ≤ cm. It must then be that
allowing r = 2to · r′ to be recovered. Computing
6.2.5 Computing discrete logarithms when r is partially smooth
If r is partially very smooth, it may be hard to determine d, as there may exist an artificially short vector
Provided we classically solve the discrete logarithm problem in the residual subgroups of small prime power orders fef dividing 2to, which can be done efficiently, the full logarithm d may then be found via the Chinese remainder theorem. This was originally observed by Pohlig and Hellman [20].
6.3 Estimating
R ˜ d R ˜ r
To estimate
If we fail to sample one or more argument pairs in a set, we closely follow [7] and over-estimate
Let p be the total probability mass covered by the histogram. The probability of all n pairs in a set being in regions covered by the histogram is then pn. When sampling N sets, the expected number of sets with finite Rd and Rr is Npn. As Nqd and Nqr entries, respectively, in the two lists must be finite for the algorithm to produce an estimate, it follows that it is required that qd, qr > pn, with some margin to account for the sampling variance, for estimates to be produced.
7 Estimating the number of runs required
We now have the necessary framework in place to compute concrete estimates for the number of runs n required to attain a given minimum success probability q when recovering both d and r for tradeoff factor s for specific problem instances.
In this section, we describe and exemplify the procedure by computing estimates for a a set of concrete problem instances selected in a randomized manner. We furthermore consider how to conjecturally obtain worst case estimates of n.
7.1 Estimating n
To estimate n for a problem instance given by d and r, and for tradeoff factor s, we proceed as follows:
For n = s + 1, s + 2, . . . we first estimate
For selected problem instances, we verify the above initial estimate of n by simulating the quantum algorithm and post-processing the simulated output. More specifically, with the initial estimate of n as our starting point, we sample M = 103 sets of n pairs (j, k), as explained in Section 5.3, and test whether recovery of both d and r is successful for at least ⌈Mq⌉ sets when executing the post-processing algorithms in Sections 6.1 and 6.2 without enumerating Lj. Depending on the outcome of the test, we either increment or decrement n, and repeat the process, recursively, until the smallest n such that the test passes has been identified. We record this n alongside the initial estimate of n.
In practice, we compute the closest vector in Lj by reducing the lattice basis and applying Babai's [1] nearest plane algorithm. The shortest non-zero vector in Lj is the shortest non-zero vector in the reduced basis. Enumeration is performed using Kannan's [12] original approach, as this is sufficient for our purposes. Note however that there are more efficient approaches in the literature.
To reduce the basis, we closely follow [7] and employ LLL and BKZ [15, 16, 22, 23], as implemented in fpLLL v5.0, with default parameters and a block size of min(n + 1, 10) for all combinations of m, s and n. We first compute a LLL reduction. If it yields no solution, we proceed to compute a BKZ reduction.
7.2 Selecting m and s
Since the cost of estimating n for a given problem instance is non-negligible, we seek to minimize the number of problem instances considered, whilst selecting problem instances that are representative of those that underpin the currently most widely deployed asymmetric cryptosystems.
To this end, for m ∈ {128, 256, 384, 512, 1024, . . . , 8192}, we pick a single combination of d and r using the method described in Section 7.3, and estimate n for a subset of tradeoff factors s ∈ {1, 2, . . . , 8, 10, 20, . . . , 50, 80}, such that the total approximation error is negligible.
In terms of group size, the above choices of m capture most currently widely deployed elliptic curve groups, Schnorr groups and safe-prime groups.
7.3 Selecting d and r given m
For each value of m, we select d and r such that 2m−1 < d < r < 2m in a randomized manner.
For as long as d and r do not have very special properties, such as being divisible by large powers of two or being otherwise smooth, the exact values of d and r are of no great significance, however: It is the size of d in relation to r, and the size of r in relation to 2m, that primarily affects the appearance of the distribution and hence the estimates. To avoid having to tabulate d and r for the m we consider, we read d and r from the decimal expansion of Catalan's constant
Specifically, we let
7.4 Experiments and results
The estimates of n in Table 1 were produced by executing the procedure described in the previous sections. As may be seen in the table, n asymptotically tends to s + 1 as m tends to infinity for fixed s. For fixed m, it holds that n = s + 1 up to some cutoff point in s.
The estimated number of runs n required to solve for both a general discrete logarithm d and group order r, selected as described in Section 7.3, with ≥ 99% success probability and without enumerating the lattice. For details, see Section 7.4. For A the initial and B the simulated estimate, we print B / A, unless B = A; we then only print A. Dash indicates no estimate. For ɛ the total approximation error, an asterisk indicates that 10−4 ≤ ɛ < 10−3. For all other estimates ɛ < 10−4.
| group and logarithm size m | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 128 | 256 | 384 | 512 | 1024 | 2048 | 4096 | 8192 | ||
| tradeoff factor s | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| 2 | *3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | |
| 3 | – | 4 | 4 | 4 | 4 | 4 | 4 | 4 | |
| 4 | – | * 5 | 5 | 5 | 5 | 5 | 5 | 5 | |
| 5 | – | – | 6 | 6 | 6 | 6 | 6 | 6 | |
| 6 | – | – | * 7 | 7 | 7 | 7 | 7 | 7 | |
| 7 | – | – | – | 8 | 8 | 8 | 8 | 8 | |
| 8 | – | – | – | * 10 | 9 | 9 | 9 | 9 | |
| 10 | – | – | – | – | 11 | 11 | 11 | 11 | |
| 20 | – | – | – | – | – | 22 | 21 | 21 | |
| 30 | – | – | – | – | – | * 35 | 33 / 32 | 31 | |
| 40 | – | – | – | – | – | – | 44 | 42 | |
| 50 | – | – | – | – | – | – | 57 | 54 / 53 | |
| 80 | – | – | – | – | – | – | – | – / 88 | |
The estimates are for not enumerating the lattice Lj. By enumerating a bounded number of vectors in the lattice, n may potentially be further reduced. In particular, our experiments show that a single run suffices to solve with probability q ≥ 99% for s = 1, provided we accept to enumerate up to ~ 1.3 · 103 vectors.
As may furthermore be seen in the table, the initial estimates of n are in general verified by the simulations. In general vd > vr. Hence vd determines the initial estimate for n. Note however that when the heuristic estimate of vd is close to two, minor discrepancies between the initial estimates and the simulations may arise.
This phenomenon is discussed in [7]: For large tradeoff factors s in relation to m, increasing or decreasing n typically has a small effect on vd and vr. This may lead to slight instabilities in the estimates, as vd may be close to two for several values of n. Discrepancies may also arise, especially for large n, if we fail to find the closest and shortest non-zero vectors in Lj, or if sampling fails. Such discrepancies may be amplified by the difference in the sample sizes N and M.
7.5 Generalizing the results to compute worst case estimates
Recall from Section 5.2 that the larger d is permitted to grow in relation to r, and the larger r is permitted to grow in relation to 2m, the harder it in general becomes to solve for d and r, assuming neither d nor r to be divisible by large powers of two. This may be seen by computing estimates for various combinations of d and r, or simply by examining the appearance of the two-dimensional distribution for various d and r.
Furthermore, recall from Section 5.2 that the marginal distributions along the αd and αr axes in the two-dimensional distribution for general discrete logarithms may be seen to correspond to the distributions induced by the quantum algorithms for computing short discrete logarithms with tradeoffs, and orders with tradeoffs, respectively. Both correspondences may be observed numerically by comparing distributions computed for specific problem instances. The correspondence in αr may furthermore be shown analytically, see Appendix D.
As vd > vr in general when d is large in relation to r, and neither d nor r are divisible by large powers of two, we therefore in general expect estimates of n for computing the general discrete logarithm d in a group of m bit order r to agree with estimates of n for computing the short discrete logarithm d, when m is taken as the upper bound on the bit length of d. For d and r selected as in Section 7.3, this correspondence may be observed in practice by comparing the estimates in Table 1 to those in Table B1 in Appendix B.
The above implies that we may conjecturally claim to obtain worst case estimates of n for general discrete logarithms by computing estimates of n for maximal short discrete logarithms d = 2m − 1 when m is taken as an upper bound on the bit length of d. Such estimates are provided in Table B2 in Appendix B.
Note that when comparing estimates of n for general discrete logarithms to those for short discrete logarithms and orders, the comparison must of course be restricted to combinations of m and s such that the total approximation error is negligible. It is reasonable to presume that the correspondence between the distributions would continue to hold even if s was to be permitted to grow a bit past the point where the total approximation error becomes non-negligible for a given m, since the error bound is by no means tight. However, we can not demonstrate the correspondence for such m and s.
8 Order finding with tradeoffs
The algorithm for computing general discrete logarithms in this paper does not require the group order to be known, as neither the quantum algorithm nor the classical post-processing algorithm makes explicit use of the order. If the order of the group is unknown, it may be computed from the same set of pairs (j, k) output by the quantum computer as is used to compute the logarithm.
This implies that the algorithm may be used as an order-finding algorithm. When only the order is of interest, only j need to be computed, as k is not used by the post-processing algorithm that recovers the order. The second stage of the quantum algorithm where k is computed need therefore not be executed when the goal is to perform order finding. If the second stage is removed, the quantum algorithm reduces to the algorithm proposed by Seifert [24]. For s = 1 this algorithm in turn reduces to Shor's order-finding algorithm.
This provides a link between our works on computing discrete logarithms, Seifert's work on order finding, and Shor's original work. As for post-processing, Seifert generalizes Shor's continued fractions-based post-processing algorithm to higher dimensions. We instead use lattice-based post-processing.
In Appendix A, we provide a description of Shor's and Seifert's quantum algorithms for order finding, a complete analysis of the probability distributions that they induce, and estimates for the number of runs n required to solve various problem instances for r when using lattice-based post-processing.
9 Summary and conclusion
We generalize and bridge our earlier works on computing short discrete logarithms with tradeoffs, Seifert's work on computing orders with tradeoffs and Shor's groundbreaking works on computing orders and general discrete logarithms. In particular, we enable tradeoffs when computing general discrete logarithms.
Compared to Shor's algorithm for computing general discrete logarithms, this yields a reduction by up to a factor of two in the number of group operations evaluated quantumly in each run, at the expense of having to perform multiple runs. The runs are independent, and may hence be executed in parallel.
Unlike Shor's algorithm, our algorithm does not require the group order to be known. It simultaneously computes both the order and the logarithm. This allows it to outperform Shor's original algorithms with respect to the overall number of group operations that need to be evaluated quantumly in some cases even when not making tradeoffs. One cryptographically relevant example of such a case is the computation of discrete logarithms in Schnorr groups of unknown order.
We analyze the probability distributions induced by our algorithm, and by Shor's and Seifert's order-finding algorithms, describe how all of these algorithms may be simulated when the solution is known, and estimate the number of runs required for a given minimum success probability when making different tradeoffs.
When solving using lattice-based post-processing without enumerating Lj, the number of runs n required for a fixed tradeoff factor s tends to s + 1 asymptotically as m tends to infinity. By enumerating, n may be further reduced. Notably, when not making tradeoffs, a single run suffices to solve with at least 99% success probability, provided a small number of lattice vectors are enumerated.
Throughout this work, we have assumed the bit length of r to be known. However, it should be straight-forward to generalize the analysis to handle situations where only an upper bound on the bit length of r is known.
Acknowledgement
I am grateful to Johan Håstad for valuable comments and advice, and to Lennart Brynielsson and other colleagues for their comments on early versions of this manuscript. Funding and support for this work was provided by the Swedish NCSA that is a part of the Swedish Armed Forces. Computations were performed at PDC at KTH. Access was provided by SNIC.
References
[1] L. Babai, On Lovász’ lattice reduction and the nearest lattice point problem, Combinatorica 6 (1986), no. 1, 1–13.10.1007/BFb0023990Suche in Google Scholar
[2] E. Barker et al., Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography, NIST SP 800–56A (2018), rev. 3.10.6028/NIST.SP.800-56Ar3Suche in Google Scholar
[3] W. Diffie and M.E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory 22 (1976), no. 6, 644–654.10.1109/TIT.1976.1055638Suche in Google Scholar
[4] G. Einarsson, Probability Analysis of a Quantum Computer, ArXiv quant-ph/0303074 (2003).Suche in Google Scholar
[5] M. Ekerå, Modifying Shor's algorithm to compute short discrete logarithms, IACR ePrint Archive Report 2016/1128 (2016).Suche in Google Scholar
[6] M. Ekerå, On completely factoring any integer efficiently in a single run of an order finding algorithm, ArXiv 2007.10044 (2020).10.1007/s11128-021-03069-1Suche in Google Scholar
[7] M. Ekerå, On post-processing in the quantum algorithm for computing short discrete logarithms, Des. Codes, Cryptogr. 88 (2020), no. 11, 2313–2335.10.1007/s10623-020-00783-2Suche in Google Scholar
[8] M. Ekerå and J. Håstad, Quantum algorithms for computing short discrete logarithms and factoring RSA integers. In: Lange T., Takagi T. (Eds) Post-Quantum Cryptography, PQCrypto 2017, LNCS (2017), no. 10346, 347–363.10.1007/978-3-319-59879-6_20Suche in Google Scholar
[9] D. Gillmor, Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS), RFC 7919 (2016).10.17487/RFC7919Suche in Google Scholar
[10] R.B. Griffiths and C.-S. Niu, Semiclassical Fourier Transform for Quantum Computation, Phys. Rev. Lett. 76 (1996), no. 17, 3228–3231.10.1103/PhysRevLett.76.3228Suche in Google Scholar
[11] J. Håstad, A. Schrift and A. Shamir, The Discrete Logarithm Modulo a Composite Hides O(n) bits, J. Comput. Syst. Sci. 47 (1993), no. 3, 376–404.10.1016/0022-0000(93)90038-XSuche in Google Scholar
[12] R. Kannan, Improved algorithms for integer programming and related lattice problems. In: Proceedings of the 15th Symposium on the Theory of Computing, STOC ’83 (1983), 99—108.10.1145/800061.808749Suche in Google Scholar
[13] T. Kivinen and M. Kojo, More Modular Exponentiation (MODP) Diffie-Hellman groups for Internet Key Exchange, RFC 3526 (2003).10.17487/rfc3526Suche in Google Scholar
[14] A. Koenecke and P. Wocjan, Recovering the period in Shor's algorithm with Gauss’ algorithm for lattice basis reduction, ArXiv 1210.3003 (2013).Suche in Google Scholar
[15] A. Korkine and G. Zolotareff, Sur les formes quadratiques, Math. Ann. 6 (1873), no. 3, 366–389.10.1007/BF01442795Suche in Google Scholar
[16] H.W. Lenstra, A.K. Lenstra and L. Lovász, Factoring Polynomials with Rational Coefficients, Math. Ann. 261 (1982), no. 4, 515–534.10.1007/BF01457454Suche in Google Scholar
[17] G.L. Miller, Riemann's hypothesis and tests for primality, J. Comput. Syst. Sci. 13 (1976), no. 3, 300–317.10.1145/800116.803773Suche in Google Scholar
[18] M. Mosca and A. Ekert: The Hidden Subgroup Problem and Eigenvalue Estimation on a Quantum Computer. In: Proceeding from the First NASA International Conference, QCQC ’98, LNCS (1999), no. 1509, 174–188.10.1007/3-540-49208-9_15Suche in Google Scholar
[19] S. Parker and M.B. Plenio, Efficient Factorization with a Single Pure Qubit and log N Mixed Qubits, Phys. Rev. Lett. 85 (2000), no. 14, 3049–3052.10.1103/PhysRevLett.85.3049Suche in Google Scholar
[20] S.C. Pohlig and M.E. Hellman, An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance, IEEE Trans. Inf. Theory 24 (1978), no. 1, 106–110.10.1109/TIT.1978.1055817Suche in Google Scholar
[21] R.L. Rivest, A. Shamir and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Commun. ACM 21 (1978), no. 2, 120–126.10.21236/ADA606588Suche in Google Scholar
[22] C.-P. Schnorr, A hierarchy of polynomial time lattice basis reduction algorithms, Theor. Comput. Sci. 53 (1987), no. 2–3, 201–224.10.1016/0304-3975(87)90064-8Suche in Google Scholar
[23] C.-P. Schnorr and M. Euchner: Lattice basis reduction: Improved practical algorithms and solving subset sum problems, Math. Program. 66 (1994), no. 1–3, 181–199.10.1007/3-540-54458-5_51Suche in Google Scholar
[24] J.-P. Seifert, Using fewer qubits in Shor's factorization algorithm via simultaneous Diophantine approximation. In: Naccache, D. (ed.) CT-RSA 2001, LNCS (2001), no. 2020, 319–327.10.1007/3-540-45353-9_24Suche in Google Scholar
[25] P.W. Shor, Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, SFCS ’94 (1994), 124–13410.1109/SFCS.1994.365700Suche in Google Scholar
[26] P.W. Shor: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26 (1997), no. 5, 1484–1509.10.1137/S0097539795293172Suche in Google Scholar
A Order finding with tradeoffs
In this appendix, we recall Shor's [25] and Seifert's [24] order-finding algorithms, analyze the probability distributions they induce, show how they may be simulated, and estimate the number of runs n required to solve for r when using lattice-based post-processing.
A.1 The quantum algorithm
Given a generator g of a finite cyclic group of order r of length ~ m bits, Shor's order-finding algorithm [25] outputs an integer j that yields ~ m bits on r. Seifert [24] enabled tradeoffs in Shor's algorithm by modifying it to yield ~ m/s bits on r in each run, for s the tradeoff factor. For s = 1 Seifert's algorithm reverts to Shor's algorithm. This allows us to conveniently describe both algorithms below:
Let m be the integer such that 2m−1 < r < 2m, let ℓ = ⌈m/s⌉, and let
Compute [a] g and store the result in the second register to obtain
Compute a QFT of size 2m+ℓ of the first register to obtain
Observe the system to obtain j and y = [e] g where e = a mod r.
Note that Seifert's interpretation of the advantage of his algorithms is that he saves control qubits. This is not the case when recycling control qubits; see the discussion in Section 2 for a more modern interpretation of the advantage.
A.2 The probability of observing j and y
Above, in step 4, the integer j and element y = [e] g are obtained with probability
where the sum is over all a on 0 ≤ a < 2m+ℓ such that a ≡ e (mod r).
In this section, we seek to place (A1) on closed form. To this end, we first perform a variable substitution to obtain a contiguous summation interval. As all a that fulfill the condition that a ≡ e (mod r) are on the form a = e + nrr where 0 ≤ nr ≤ (2m+ℓ − 1 − e)/r, substituting a for e + nrr in (A1) and adjusting the phase yields
where αr = {rj}2m+ℓ and θr = θ(αr) = 2παr/2m+ℓ. Summing over all e yields
for β such that β ≡ 2m+ℓ (mod r), as for all e on 0 ≤ e < β it then holds that
whereas for all e on β ≤ e < r, it holds that
Note that β ≢ 0 (mod r) since we require r to be on 2m−1 < r < 2m.
A.2.1 Closed-form expressions
Assuming θr ≠ 0, we may write (A2) on closed form as
Otherwise, if θr = 0, we may write (A2) on closed form as
This step of the analysis is similar to a step in the analysis of Einarsson [4].
A.3 Distribution of integers j
In this section we analyze the distribution of integers j that yield αr.
Definition A.1
Let κr denote the greatest integer such that 2κr divides r.
Definition A.2
An argument αr is admissible if there exists an integer j on 0 ≤ j < 2m+ℓ such that αr = {rj}2m+ℓ.
Claim A.3
All admissible arguments αr = {rj}2m+ℓ are multiples of 2κr.
Proof
As 2κr | r and the modulus is a power of two the claim follows.
Lemma A.4
The set of integers j on 0 ≤ j < 2m+ℓ that yield the admissible argument αr is given by
as tr runs trough all integers on 0 ≤ tr < 2κr. Each admissible argument αr hence occurs with multiplicity 2κr.
Proof
As αr ≡ rj (mod 2m+ℓ), the lemma follows by solving for j.
A.4 Simulating the quantum algorithm
In this section, we first construct a high-resolution histogram for the probability distribution induced by the quantum algorithm for known r. We then proceed to sample the histogram to simulate the quantum algorithm.
A.4.1 Constructing the histogram
To construct the histogram, we exactly follow [7]: We divide the argument axis into regions and subregions and integrate the closed-form probability expression numerically in each subregion.
First, we subdivide the negative and positive sides of the argument axis into 30 + μ regions where μ = min(ℓ − 2, 11). Each region thus formed may be uniquely identified by an integer ηr by requiring that for all αr in the region
where m − 30 ≤ |ηr| < m + μ − 1. Then, we subdivide each region into subregions identified by an integer ξr by requiring that for all αr in the subregion
for ξr an integer on 0 ≤ ξr < 2ν and ν a resolution parameter.
For each subregion, we compute the approximate probability mass contained within the subregion by applying Simpson's rule, followed by Richardson extrapolation to cancel the linear error term. Simpson's rule is hence applied 2ν (1 + 2) times in each region. Each application requires the probability to be computed in up to three points (the two endpoints and the midpoint), for which purpose we use the closed-form expression developed in Section A.2.1.
Note that we should furthermore multiply by the multiplicity of arguments 2κr, see Lemma A.4 in Section A.3, and divide by 2κr to account for the density of distinct pairs in the region. However, these operations cancel. Note also that this method of constructing the histogram assumes κr to be small in relation to m.
To obtain a high degree of accuracy in the tail, we fix to ν = 11 for all regions. This enables us use this histogram as a reference when adaptively selecting the resolution for the two-dimensional histogram in Section 5.1, see Lemma D.1.
A.4.2 Understanding the probability distribution
The probability distribution is plotted on the signed logarithmic argument axis in Figure 4 for m = 2048 and s = 30, and for r selected as explained in Section 7.3. The regions form two contiguous symmetric areas on the argument axis, as is illustrated in Figure A1. As expected, the distribution plotted is virtually identical to the marginal distribution along the vertical αr axis in Figure 4.
The probability distribution induced by the order-finding algorithm, computed as in Section A.4.1, for m = 2048 and s = 30, and for r selected as in Section 7.3. To facilitate printing, the resolution has been reduced in this figure.
The probability mass is located in the regions where |αr| ~ 2m, whereas for random outputs the argument would be of size ~ 2m+ℓ. Hence, a single run of the quantum algorithm yields ~ ℓ ~ m/s bits of information on r.
A.4.3 Sampling the probability distribution
To sample an argument αr from the distribution, we exactly follow [7]: We first sample a subregion from the histogram and then sample αr uniformly at random this subregion, with the restriction that 2κr must divide αr so that αr is admissible. To sample a subregion from the histogram, we order all subregions in the histogram by probability, and compute the cumulative probability up to and including each subregion in the resulting ordered sequence, in analogy with Section 5.3.
Then, we sample a pivot uniformly at random from [0, 1), and return the first subregion in the ordered sequence for which the cumulative probability is greater than or equal to the pivot. The sampling operation fails if the pivot is greater than the cumulative probability of the last subregion in the sequence.
To sample an integer j from the distribution, we first sample an argument αr and then select an integer j yielding αr uniformly at random from the set of all such integers using Lemma A.4. More specifically, we first sample an integer tr uniformly at random on the admissible interval for tr and then compute j from αr and tr as described in Lemma A.4.
A.5 Classical post-processing
The probability distribution induced by the quantum algorithm in Section A.1 is virtually identical to the marginal distribution along the αr axis in Section 5.1. Hence, the classical post-processing algorithm in Section 6.2 may be used to solve sets of n integers j output by the quantum algorithm in Section A.1 for r.
A.6 Estimating the number of runs required
To estimate n for problem instance given by r, we exactly follow [7]:
For n = s + 1, s + 2, . . . we first estimate
Executing this procedure, for m and s selected as described in Section 7.2, both for r selected as explained in Section 7.3, and for maximal r = 2m − 1, produced the estimates in Table A1 and Table A2, respectively. Note that for A the initial and B the simulated estimate, we print B / A, unless B = A, we then only print A. Note furthermore that we have excluded m = 384 to reduce the table width.
The estimated number of runs n required to solve for an order r, selected as in Section 7.3, with ≥ 99% success probability, without enumerating the lattice.
| group size m | ||||||||
|---|---|---|---|---|---|---|---|---|
| 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | ||
| tradeoff factor s | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | |
| 3 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | |
| 4 | 6 | 5 | 5 | 5 | 5 | 5 | 5 | |
| 5 | 7 | 6 | 6 | 6 | 6 | 6 | 6 | |
| 6 | 9 | 8 | 7 | 7 | 7 | 7 | 7 | |
| 7 | 12 / 11 | 9 | 8 | 8 | 8 | 8 | 8 | |
| 8 | 16 / 15 | 11 | 10 | 9 | 9 | 9 | 9 | |
| 10 | – / 25 | 14 | 12 | 11 | 11 | 11 | 11 | |
| 20 | – | – / 54 | 28 / 29 | 24 | 22 | 21 | 21 | |
| 30 | – | – | – / 53 | 39 / 38 | 34 | 32 | 31 | |
| 40 | – | – | – | – / 58 | 48 / 47 | 44 | 42 | |
| 50 | – | – | – | – | – / 63 | 56 | 53 | |
| 80 | – | – | – | – | – | – / 95 | – / 87 | |
The estimated number of runs n required to solve for a maximal order r = 2m − 1 with ≥ 99% success probability, without enumerating the lattice.
| group size m | ||||||||
|---|---|---|---|---|---|---|---|---|
| 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | ||
| tradeoff factor s | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | |
| 3 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | |
| 4 | 6 | 5 | 5 | 5 | 5 | 5 | 5 | |
| 5 | 8 / 7 | 6 | 6 | 6 | 6 | 6 | 6 | |
| 6 | 9 | 8 | 7 | 7 | 7 | 7 | 7 | |
| 7 | 11 / 12 | 9 | 8 | 8 | 8 | 8 | 8 | |
| 8 | 17 / 16 | 11 | 10 | 9 | 9 | 9 | 9 | |
| 10 | – / 25 | 14 | 12 | 11 | 11 | 11 | 11 | |
| 20 | – | – / 55 | 30 / 29 | 23 / 24 | 22 | 21 | 21 | |
| 30 | – | – | – / 53 | 37 / 39 | 34 | 32 | 31 | |
| 40 | – | – | – | – / 59 | 48 / 47 | 44 | 42 | |
| 50 | – | – | – | – | – / 63 | 57 / 56 | 53 | |
| 80 | – | – | – | – | – | – / 95 | – / 87 | |
The tabulated estimates are for not enumerating the lattice Lj. By enumerating a bounded number of vectors in the lattice, n may potentially be further reduced. In particular, our experiments show that a single run suffices to solve with probability q ≥ 99% for s = 1, provided we accept to enumerate up to ~ 3.5 · 102 vectors.
A.7 Applications of order finding to integer factoring
Quantum algorithms for order finding may be used to factor integers, as was first proposed by Shor [25] using a reduction due to Miller [17]. To factor a composite integer N, that is odd and not a perfect prime power, Shor originally proposed to proceed as follows: Pick an integer g ∈ (1, N) and compute D = gcd(g, N). If D ≠ 1, then D is a non-trivial factor of N. In practice, small and moderate size factors of N would typically be removed before attempting to factor N via order finding. Hence, it is unlikely that factors would be found in this manner.
If D = 1, then g may be perceived as a generator of a cyclic subgroup
As gr ≡ 1 (mod N), it must be that gr − 1 ≡ 0 (mod N). If r is even and gr/2 ≢ − 1 (mod N), we have that gr/2 ± 1 ≢ 0 (mod N), whilst
so non-trivial factors of N may be found by computing gcd((gr/2 mod N) ± 1, N). This reduces the integer factoring problem to an order finding problem.
Shor originally proposed to use this reduction, and to simply re-run the whole algorithm if any of the above requirements are not fulfilled, or if the order-finding algorithm fails to yield r. In [25], Shor lower-bounds the probability of his order-finding algorithm yielding r in a single run, and of non-trivial factors of N being found given r, so as to obtain a lower bound on the overall success probability. A number of improvements have since been proposed, see the introduction to [6] for an overview.
In this appendix, we have shown that the probability of Shor's original order-finding algorithm yielding r in a single run is very close to one. Furthermore, we have estimated the number of runs required to obtain a similarly high success probability when making tradeoffs in Seifert's order-finding algorithm. In [6], it is shown that any integer N may be completely factored classically into all of its constituent prime factors with very high probability after a single call to an order-finding algorithm. Hence, the estimates we provide of the number of runs required for Shor's and Seifert's order-finding algorithms to yield r are also estimates of the number of runs required to completely factor N via these order-finding algorithms.
A.7.1 Factoring RSA integers
Note that if N is an RSA [21] integer, as is typically the case in cryptographic applications, a more efficient approach to factoring N is to use the algorithm of Ekerå and Håstad [8]. This algorithm reduces the RSA integer factoring problem to a short discrete logarithm problem via [11] and solves this problem quantumly.
As is shown in [7], the quantum part of Ekerå-Håstad's algorithm imposes less requirements on the quantum computer than Shor's or Seifert's order-finding algorithms, in each run and overall, both when making and not making tradeoffs. The probability of recovering the logarithm d is very close to one. The two prime factors of N may then be recovered deterministically from d.
B Short discrete logarithms with tradeoffs
The experiments in Appendix A for order finding are analogous with those for short discrete logarithms in [7]. For completeness, and so as to enable comparisons, we have run additional experiments for short discrete logarithms following [7], both for maximal d = 2m − 1, and for d selected as described in Section 7.2. These experiments produced the estimates in Table B1 and Table B2, respectively. Note that for A the initial and B the simulated estimate, we print B / A, unless B = A, we then only print A.
The estimated number of runs n required to solve for a short logarithm d, selected as in Section 7.3, with ≥ 99% success probability, without enumerating.
| logarithm size m | ||||||||
|---|---|---|---|---|---|---|---|---|
| 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | ||
| tradeoff factor s | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | |
| 3 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | |
| 4 | 6 | 5 | 5 | 5 | 5 | 5 | 5 | |
| 5 | 8 | 6 | 6 | 6 | 6 | 6 | 6 | |
| 6 | 10 | 8 | 7 | 7 | 7 | 7 | 7 | |
| 7 | 13 | 10 / 9 | 8 | 8 | 8 | 8 | 8 | |
| 8 | 18 | 11 | 10 | 9 | 9 | 9 | 9 | |
| 10 | – / 32 | 15 | 12 | 11 | 11 | 11 | 11 | |
| 20 | – | – / 71 | 32 / 30 | 24 | 22 | 21 | 21 | |
| 30 | – | – | – / 60 | 40 | 35 | 33 / 32 | 31 | |
| 40 | – | – | – | – / 62 | 50 / 48 | 44 | 42 | |
| 50 | – | – | – | – | – / 65 | 57 | 54 / 53 | |
| 80 | – | – | – | – | – | – / 97 | – / 88 | |
The estimated number of runs n required to solve for a maximal short logarithm d = 2m − 1 with ≥ 99% success probability, without enumerating.
| logarithm size m | ||||||||
|---|---|---|---|---|---|---|---|---|
| 128 | 256 | 512 | 1024 | 2048 | 4096 | 8192 | ||
| tradeoff factor s | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| 2 | 3 | 3 | 3 | 3 | 3 | 3 | 3 | |
| 3 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | |
| 4 | 6 | 5 | 5 | 5 | 5 | 5 | 5 | |
| 5 | 8 | 6 | 6 | 6 | 6 | 6 | 6 | |
| 6 | 10 | 8 | 7 | 7 | 7 | 7 | 7 | |
| 7 | 13 | 9 | 8 | 8 | 8 | 8 | 8 | |
| 8 | 18 | 11 | 10 | 9 | 9 | 9 | 9 | |
| 10 | – / 32 | 16 / 15 | 12 | 11 | 11 | 11 | 11 | |
| 20 | – | – / 71 | 31 | 25 / 24 | 22 | 21 | 21 | |
| 30 | – | – | – / 60 | 40 | 35 | 32 | 32 / 31 | |
| 40 | – | – | – | – / 62 | 49 / 48 | 45 / 44 | 42 | |
| 50 | – | – | – | – | – / 65 | 57 | 54 / 53 | |
| 80 | – | – | – | – | – | – / 97 | – / 88 | |
C Soundness of the closed-form approximation
In this appendix, we demonstrate the fundamental soundness of the closed-form approximation to P(θd, θr) that we derived in Section 3. This appendix is rather technical and may be considered to constitute supplementary material.
C.1 Introduction and recapitulation
Recall that by Theorem 3.22, the probability P(θd, θr) of the quantum algorithm yielding (j, k), with associated angle pair (θd, θr), summed over all r group elements y = [e] g ∈ 𝔾, may be approximated by
where we have introduced some new notation in the form of the two functions
that we shall use throughout this section, and that may both be placed on closed form. The error when approximating P(θd, θr) by
again by Theorem 3.22, where the function
C.1.1 Overview of the soundness argument
In what follows, we demonstrate the fundamental soundness of the above closed-form approximation, by summing
C.2 Preliminaries
Before we proceed as outlined above, we first introduce some preliminaries.
Lemma C.1
Let φ ∈ ℝ and θ(u) = 2πu/2ω for ω > 0 an integer. Then
for integers c, ς and N such that c ≥ 0, 0 ≤ ς < ω and 0 < N ≤ 2ω−ς.
Proof
For any ϕ ∈ ℝ it holds that
Hence
as for any integer t on 0 < |t| < N ≤ 2ω−ς and ς < ω, the sum
as the denominator is non-zero, and so the lemma follows.
C.2.1 Bounding tail regions
Claim C.2
For Δ and N integers such that 1 < Δ < N it holds that
Proof
As
for z any integer such that z > 1, it follows that
where, for Δ and N integers on 1 < Δ < N, it holds that
and so the claim follows.
Claim C.3
For any ϕ ∈ ℝ such that 0 < |ϕ| ≤ π it holds that
Proof
As ϕ ≠ 0, we have by Claim C.4 below that
and so the claim follows.
Claim C.4
|eiϕ − 1| ≥ |ϕ|/2 for any ϕ ∈ ℝ such that |ϕ| ≤ π.
Proof
It suffices to show that |eiϕ − 1|2 = 2(1 − cos ϕ) ≥ ϕ2/4 from which the claim follows as cos ϕ ≤ 1 − ϕ2/8 for any ϕ ∈ ℝ such that |ϕ| ≤ π.
C.2.2 Intervals of admissible arguments and angles
To facilitate the analysis, we need notation to handle intervals of admissible angles:
Definition C.5
Let Θr(I) be the set of distinct admissible θr on the interval I.
Definition C.6
For a fixed admissible θr, let Θd(I, θr) be the set of distinct admissible θd on the interval I.
C.2.3 Parameterizing the admissible arguments and angles
Furthermore, we need a convenient method for parameterizing the distinct admissible argument pairs (αd, αr), or angle pairs (θd, θr).
Claim C.7
The admissible arguments αd and αr may be parameterized by
and the corresponding admissible angles θd and θr may be parameterized by
for integers ud ∈ [−2ℓ+γ−1, 2ℓ+γ−1) and ur ∈ [−2m+ℓ−κr−1, 2m+ℓ−κr−1) when not accounting for multiplicity.
Proof
By Lemma 4.4, the admissible argument pairs (αd, αr) are vectors in Lα in the region of the plane where αd, αr ∈ [−2m+ℓ−1, 2m+ℓ−1). The parameterization takes ur times the first row and ud times second row of the basis matrix for Lα. It furthermore uses the second row to reduce the starting point δr ur modulo 2m−γ. The claim follows from this analysis.
C.3 Establishing a baseline
We begin by proving that the sum of
C.3.1 The inner sum over g(θd, θr)
Lemma C.8
For θd ∈ Θd([−π/2σ, π/2σ), θr), the inner sum
Proof
The function g(θd, θr) is non-negative and periodic in θd for fixed θr. It cycles exactly 2σ times on the interval θd ∈ [−π, π), as may be seen in Figure C1 where g(θd, θr) is plotted continuously in θd for θr fixed to zero. Fixing a different value of θr shifts the graph cyclically along the θd axis.
The function g(θd, 0) plotted continuously in θd on the interval |θd| ≤ π for σ = 3 and sample parameters selected to make the figure readable.
This implies that we may parameterize θd in ud and ur using Claim C.7 and sum θd(ud, ur) over any consecutive sequence of 2ℓ+γ−σ values of ud for the fixed ur given by θr to sum over all θd ∈ Θd([−π/2σ, π/2σ), θr).
By using this approach and Lemma C.1 we obtain
where we have used that we may shift the interval in ud, and introduced the constant phase
and so the lemma follows.
C.3.2 The outer sum over f (θr)
Lemma C.9
For θr ∈ Θr([−π, π)), the outer sum
Proof
The function f (θr) is non-negative and periodic in θr. It cycles exactly once on the interval θr ∈ [−π, π). This implies that we may parameterize θr in ur using Claim C.7, and sum over all 2m+ℓ−κr values of ur to sum over all θr ∈ Θr([−π, π)). By using this approach and Lemma C.1, we thus obtain
by using that we may shift the interval in ur, and so the lemma follows.
C.3.3 Combined result
Lemma C.10
The combined sum over all distinct admissible angle pairs (θd, θr), in the region where θd ∈ [−π/2σ, π/2σ) and θr ∈ [−π, π), is
Proof
By combining Lemmas C.8 and C.9, we obtain
as the inner sum reduces to a constant, and so the lemma follows.
It follows from Lemma C.10 above that the sum of
The total approximation error, as upper-bounded by summing
C.4 Adapting the region to reduce the error
In this section, we show that the sum of
Definition C.11
The central region is the part of the plane where |θd| ≤ Bd and |θr| ≤ Br, for Bd = 2τ−ℓ+1π and Br = Bd/2, and for τ an integer constant such that 1 < τ < ℓ − σ − 1.
In the next section, we describe how the approximation error, as upper-bounded by summing
Note that by the above definition of Bd and Br, all argument pairs (αd, αr) such that |αd| ≤ 2m+τ and |αr| ≤ 2m+τ−1 are in the central region. Note furthermore that Br < Bd = 2τ−ℓ+1 π ≤ 2−σ−1 π, so the central region is a subregion of the region we considered in the previous section.
C.4.1 The inner sum over g(θd, θr)
Lemma C.12
For θr ∈ Θr([−Br, Br]), the inner sum
Proof
First observe that for Id = [−π/2σ, −Bd] ∪ [Bd, π/2σ] we have
as g(θd, θr) is non-negative, and as by dividing the interval
where we also used Lemma C.8. We hence seek an upper bound to
that is independent of θr, where we have used Claim C.3 to obtain (C1), by introducing the function h(θd) = 24/(2σθd)2 that is strictly decreasing in |θd|.
The situation is depicted in Figure C2, where g(θd, θr) for θr = 0 is plotted continuously in θd, for |θd| ≤ π in the top graph, and |θd| ≤ π/2σ in the middle graph.
The functions g(θd, 0) and h(θd) = 24/(2σθd)2 plotted for σ = 3, ℓ = 9 and τ = 3. The maximum cyclic shift is bounded by Br = Bd/2.
Fixing a non-zero θr ∈ Θr([−Br, Br)) shifts the top and middle graphs in Figure C2 cyclically by ⌈−2σd/r⌉ θr/2σ. As |⌈−2σd/r⌉ θr/2σ|≤ |θr| ≤ Br, the maximum cyclic shift in θd is upper-bounded by Br, see the bottom graph in Figure C2 where g(θd + Br, 0) is plotted in yellow and g(θd − Br, 0) in green.
To upper-bound (C1) it therefore suffices to sum over all distinct admissible θd on Ir = [−π/2σ, −Br] ∪ [Br, π/2σ], as this captures all distinct admissible θd in the left and right tail regions under any cyclic shift.
We have that
due to symmetry, where we have maximized the set of admissible θd over θr.
Recall that by Lemma 4.4 there is one distinct admissible argument αd on the interval [0, 2m−γ) for a given fixed αr. Hence there is one distinct admissible θd on the interval [0, 2−ℓ−γ+1 π) for a given fixed θr. All other distinct admissible θd spread out from the starting point, equidistantly separated by a distance of 2−ℓ−γ+1 π. The distinct admissible θd may occur with multiplicity; however all distinct admissible θd occur with the same multiplicity, again see Lemma 4.4.
This implies that the sum in (C2) is maximized for θr equal to zero, as both endpoints of the interval Br ≤ |θd| ≤ π/2σ are then admissible, maximizing both the number of distinct admissible θd on the interval, and the contribution from each distinct admissible θd as h(θd) is strictly decreasing in |θd|.
By Claim C.7, the distinct admissible θd may be parameterized in ud and ur where
Now θr = 0 implies ur = 0, which in turn implies 2τ−ℓπ = Bd/2 = Br ≤ 2π ud/2ℓ+γ ≤ π/2σ, or more succinctly 2τ+γ−1 ≤ ud ≤ 2ℓ+γ−σ−1, which yields
where we have used Claim C.2 and that γ ≥ 0 and τ > 1. This implies
and so the lemma follows.
C.4.2 The outer sum over f(θr)
Lemma C.13
For θr ∈ Θr([−Br, Br], the outer sum
Proof
First observe that for Ir = [−π, −Br] ∪ [Br, π] it holds that
as f(θr) is non-negative and
where, by Lemma C.9, the left hand sum
To prove the lemma, we seek an upper bound to
where we have used Claim C.3, that f (θr) is symmetric around the origin, and that the distinct admissible θr are equidistantly separated by a distance of 2κr around the origin by Lemma 4.4. The distinct admissible θr may occur with multiplicity; however all distinct admissible θr occur with the same multiplicity.
By Claim C.7, the distinct admissible θr may be parameterized in ur where θr(ur) = 2π (2κrur)/2m+ℓ, which implies 2τ−ℓπ = Br ≤ 2π (2κr ur)/2m+ℓ ≤ π, or more succinctly 2m+τ−κr−1 ≤ ur ≤ 2m+ℓ−κr−1, which yields
where we have used Claim C.2 and that γ ≥ 0 and τ > 1. This implies
and so the lemma follows.
C.4.3 Combined result
Lemma C.14
The combined sum over all distinct admissible angle pairs (θd, θr), in the central region where |θd| ≤ Bd and |θr| ≤ Br, is
Proof
From Lemmas C.12 and C.13 it follows that
and so the lemma follows.
C.5 Main soundness result
In this section, we combine results from the previous sections into our main soundness result.
C.5.1 Bounding the probability mass in the central region
Theorem C.15
The sum of
Proof
The theorem follows by combining Lemmas C.10 and C.14.
Theorem C.15 above lower-bounds the fraction of the probability mass that is located within the central region as a function of τ. The fraction of the probability mass that falls outside the central region decreases exponentially in τ.
C.5.2 Bounding the total error in the central region
Theorem C.16
The total error when approximating P(θd, θr) by
where D is the density of admissible angle pairs (θd, θr) in the region.
Proof
The error when approximating P(θd, θr) by
by Theorem 3.22. We sum
As m > 0 and τ > 1 by Definition C.11, the area of this region is
from which it follows that the region contains at most 22(m+τ+1) D admissible pairs (θd, θr), where D is the density of admissible pairs with multiplicity.
If we furthermore use that |θd| + |θr| ≤ 2τ−ℓ+2 π, this implies that
where we have used that
by Theorem C.15, and so the theorem follows.
By Lemmas 4.7 and 4.8, the density D of admissible argument pairs (αd, αr), or equivalently angle pairs (θd, θr), when accounting for multiplicity, in the region is approximately 2−m for random problem instances. Asymptotically, the density tends to 2−m as m tends to infinity for fixed s.
Furthermore, the density is exactly 2−m in rectangular regions of the plane of side length multiples of 2m−γ and 2m−γ+κr by Lemma 4.9. The region in Theorem C.16 above may be adapted to meet these requirements.
To understand the implications of the above theorem for the upper bound on the total approximation error in the central region, it remains to select σ to minimize the bound.
C.5.3 Selecting σ to minimize the bound on the total error in the central region
To select the integer parameter σ on 0 < σ < ℓ so as to minimize the bound on the total error given in Theorem C.16, we first approximate the error bound by
where we have used that D ≈ 2−m and (r/2m+ℓ) ⌈2m+ℓ/r⌉ ≈ 1, with equality in the limit as m tends to infinity for fixed s. The approximation is only good when all error terms are less than one, so the term ɛ3 is greater than ɛ4 = (ɛ3/2)2. As ɛ2 does not depend on σ, we hence seek to select σ to equate ɛ1 and ɛ3. This yields
If σ is fixed accordingly, the error bound obtained by summing
For as long as
C.5.4 Asymptotic soundness results
Theorem C.17
For fixed s and τ, and σ = ⌊(ℓ + τ + 4 − log2 π)/2⌉, the sum of
in the limit as m tends to infinity. The error
in the same limit.
Proof
The bound in (C6) follows immediately by taking the limit, as m tends to infinity for fixed s and τ, of the bound given in Theorem C.15. Analogously (C7) follows by taking the limit, as m tends to infinity for fixed s and τ, and for σ as in the formulation of this theorem, of Theorem C.16, where D tends to 2−m in the limit by Lemma 4.8, and so the theorem follows.
The above theorem states that an arbitrarily large constant fraction of the probability mass may be captured asymptotically by expanding the region in τ.
As the bound on the error when approximating P(θd, θr) by
Corollary C.18
For fixed s, for τ = ⌊ℓ/6⌉ and σ = (ℓ + τ + 4 − log2 π)/2, the sum of
in the limit as m tends to infinity. The error
in the same limit.
Proof
The bound in (C8) follows immediately by taking the limit as m tends to infinity for fixed s, and for τ as in the formulation of this corollary, of the bound given in Theorem C.15. Analogously (C9) follows by taking the limit, as m tends to infinity for fixed s, and for σ and τ as in the formulation of this corollary, of Theorem C.16, where D tends to 2−m in the limit by Lemma 4.8. This is easy to see, as the two main error terms ɛ1 and ɛ3 in (C5) tend to
where we may remove the rounding operation in the limit, and as the requirement that 1 < τ < ℓ − σ − 1 in Definition C.11 is respected in the limit. Furthermore ɛ4 < ɛ3 in the limit, and it is easy to see that ɛ2 tends to zero in the limit. The corollary follows from this analysis.
D Marginal distributions
By using results and notation from the soundness analysis in Appendix C, we may immediately derive a closed-form expression for the marginal distribution that arises when summing
Lemma D.1
For θr ∈ Θr([−π, π]), the marginal probability distribution that arises when summing
when accounting for multiplicity.
Proof
By Lemma C.8 we have that
from which the lemma follows, as the pairs (θd, θr) occur with multiplicity 2κr−γ by Lemma 4.4, and the angles θr with multiplicity 2κr by Lemma A.4.
The above expression for the marginal probability distribution is derived from the approximation
Another way to understand why this correspondence arises is to observe that when using qubit recycling, j may first be computed, after which k may be computed. At the point in time when j has been computed and read out, but the computation of k has not yet begun, we will have executed Shor's or Seifert's order-finding algorithms. Hence j, αr and θr are distributed as in these algorithms.
A closed-form analytical expression for the marginal distribution that arises when summing over all admissible θr is seemingly less straightforward to derive. Numerically, the marginal distribution may however be seen to correspond to that for short logarithms as stated in Section 5.2.
© 2021 Martin Ekerå, published by De Gruyter
This work is licensed under the Creative Commons Attribution 4.0 International License.
Artikel in diesem Heft
- Regular Articles
- Secret sharing and duality
- On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial
- On the equivalence of authentication codes and robust (2, 2)-threshold schemes
- Pseudo-free families of computational universal algebras
- Lattice Sieving in Three Dimensions for Discrete Log in Medium Characteristic
- Attack on Kayawood protocol: uncloaking private keys
- The circulant hash revisited
- On cryptographic properties of (n + 1)-bit S-boxes constructed by known n-bit S-boxes
- Improved cryptanalysis of a ElGamal Cryptosystem Based on Matrices Over Group Rings
- Remarks on a Tropical Key Exchange System
- A note on secure multiparty computation via higher residue symbols
- Using Inclusion / Exclusion to find Bent and Balanced Monomial Rotation Symmetric Functions
- The Oribatida v1.3 Family of Lightweight Authenticated Encryption Schemes
- Isogenies on twisted Hessian curves
- Quantum algorithms for computing general discrete logarithms and orders with tradeoffs
- Stochastic methods defeat regular RSA exponentiation algorithms with combined blinding methods
- Sensitivities and block sensitivities of elementary symmetric Boolean functions
- Constructing Cycles in Isogeny Graphs of Supersingular Elliptic Curves
- Revocable attribute-based proxy re-encryption
- MathCrypt 2019
- Editor’s Preface for the Second Annual MathCrypt Proceedings Volume
- A trade-off between classical and quantum circuit size for an attack against CSIDH
- Towards Isogeny-Based Password-Authenticated Key Establishment
- Algebraic approaches for solving isogeny problems of prime power degrees
- Discretisation and Product Distributions in Ring-LWE
- Approximate Voronoi cells for lattices, revisited
- (In)Security of Ring-LWE Under Partial Key Exposure
- Towards a Ring Analogue of the Leftover Hash Lemma
- The Eleventh Power Residue Symbol
- Factoring with Hints
- One Bit is All It Takes: A Devastating Timing Attack on BLISS’s Non-Constant Time Sign Flips
- A framework for reducing the overhead of the quantum oracle for use with Grover’s algorithm with applications to cryptanalysis of SIKE
Artikel in diesem Heft
- Regular Articles
- Secret sharing and duality
- On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial
- On the equivalence of authentication codes and robust (2, 2)-threshold schemes
- Pseudo-free families of computational universal algebras
- Lattice Sieving in Three Dimensions for Discrete Log in Medium Characteristic
- Attack on Kayawood protocol: uncloaking private keys
- The circulant hash revisited
- On cryptographic properties of (n + 1)-bit S-boxes constructed by known n-bit S-boxes
- Improved cryptanalysis of a ElGamal Cryptosystem Based on Matrices Over Group Rings
- Remarks on a Tropical Key Exchange System
- A note on secure multiparty computation via higher residue symbols
- Using Inclusion / Exclusion to find Bent and Balanced Monomial Rotation Symmetric Functions
- The Oribatida v1.3 Family of Lightweight Authenticated Encryption Schemes
- Isogenies on twisted Hessian curves
- Quantum algorithms for computing general discrete logarithms and orders with tradeoffs
- Stochastic methods defeat regular RSA exponentiation algorithms with combined blinding methods
- Sensitivities and block sensitivities of elementary symmetric Boolean functions
- Constructing Cycles in Isogeny Graphs of Supersingular Elliptic Curves
- Revocable attribute-based proxy re-encryption
- MathCrypt 2019
- Editor’s Preface for the Second Annual MathCrypt Proceedings Volume
- A trade-off between classical and quantum circuit size for an attack against CSIDH
- Towards Isogeny-Based Password-Authenticated Key Establishment
- Algebraic approaches for solving isogeny problems of prime power degrees
- Discretisation and Product Distributions in Ring-LWE
- Approximate Voronoi cells for lattices, revisited
- (In)Security of Ring-LWE Under Partial Key Exposure
- Towards a Ring Analogue of the Leftover Hash Lemma
- The Eleventh Power Residue Symbol
- Factoring with Hints
- One Bit is All It Takes: A Devastating Timing Attack on BLISS’s Non-Constant Time Sign Flips
- A framework for reducing the overhead of the quantum oracle for use with Grover’s algorithm with applications to cryptanalysis of SIKE
