
Quantum resource estimates for computing elliptic curve discrete logarithms (1706.06752v3)

Published 21 Jun 2017 in quant-ph and cs.ET

Abstract: We give precise quantum resource estimates for Shor's algorithm to compute discrete logarithms on elliptic curves over prime fields. The estimates are derived from a simulation of a Toffoli gate network for controlled elliptic curve point addition, implemented within the framework of the quantum computing software tool suite LIQ$Ui|\rangle$. We determine circuit implementations for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. We conclude that elliptic curve discrete logarithms on an elliptic curve defined over an $n$-bit prime field can be computed on a quantum computer with at most $9n + 2\lceil\log_2(n)\rceil+10$ qubits using a quantum circuit of at most $448 n^3 \log_2(n) + 4090 n^3$ Toffoli gates. We are able to classically simulate the Toffoli networks corresponding to the controlled elliptic curve point addition as the core piece of Shor's algorithm for the NIST standard curves P-192, P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to recent resource estimates for Shor's factoring algorithm. The results also support estimates given earlier by Proos and Zalka and indicate that, for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA.

Citations (185)

Summary

  • The paper provides precise quantum resource estimates for executing Shor's algorithm on ECDLP, detailing qubit and Toffoli gate requirements.
  • It leverages detailed circuit implementations and simulations using Microsoft Research’s LIQ$Ui|\rangle$, optimizing reversible modular arithmetic operations on elliptic curves.
  • The findings suggest ECC faces lower quantum resource barriers than RSA, heightening the urgency of developing quantum-resistant cryptographic systems.

Analyzing Quantum Resource Estimates for Elliptic Curve Discrete Logarithms with Shor's Algorithm

This paper addresses the complexities involved in computing discrete logarithms on elliptic curves utilising Shor's algorithm, a crucial concern given the potential threats posed by quantum computing to contemporary cryptographic protocols. Specifically, this research explores the quantum resources required to leverage Shor's algorithm for solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) effectively, while offering detailed circuit implementations and simulations through Microsoft Research's quantum computing software, LIQ$Ui|\rangle$.

Core Insights and Numerical Evaluations

The authors compute precise estimates of the quantum resources needed to execute Shor's algorithm for ECDLP over a prime field. The research showcases implementations for reversible modular arithmetic tasks, including addition, multiplication, and inversion, integral to elliptic curve point addition. The quantum circuits utilize Toffoli gate networks as the foundational reversible computing unit, with the paper aiming to balance resources like logical qubits, Toffoli gates, and circuit depth across various primes used in cryptographic practices.

In numerical terms, it was determined that solving ECDLP on an elliptic curve within an $n$-bit prime field requires a quantum circuit of at most $9n + 2\lceil\log_2(n)\rceil + 10$ qubits. Moreover, for controlled elliptic curve point addition, the circuit is comprised of at most $448 n^3 \log_2(n) + 4090 n^3$ Toffoli gates. The significance of these findings is further emphasized with comparisons to resource estimates for Shor's algorithm applied to integer factorization, indicating comparatively fewer qubits needed to target elliptic curves as opposed to RSA, underlining the potential vulnerability of ECC in a quantum context.

Theoretical and Practical Implications

The research contributes crucial insights into the design of quantum algorithms and presents compelling evidence that elliptic curve cryptography (ECC) may be less resource-intensive on quantum platforms than RSA. This knowledge is vital in the pursuit of quantum-resistant cryptographic systems. It prompts a reevaluation of security policies currently relying on ECC as companies and governments anticipate the future of cryptographic resilience in the quantum era.

Speculations on Future Developments

Looking forward, this research highlights several potential avenues for advancing quantum algorithms:

  • Exploring Alternative Coordinates and Curves: Considering projective or Jacobi coordinates for elliptic curve computations could potentially minimize expensive modular inversions, though testing this hypothesis requires further research.
  • Optimization of Quantum Resources: Implementing optimizations like better register sharing in modular inversion functions could reduce qubit usage, rendering ECC more tenable in a projected quantum landscape.
  • Developing More Efficient Quantum Simulators: Continued enhancement of quantum computing architectures like LIQ$Ui|\rangle$ could refine simulations of quantum circuits, further bridging the gap between theoretical models and practical quantum machines.
  • Counteracting Quantum Attacks: The cryptographic field must urgently explore algorithms that resist the quantum computational power exemplified by Shor's algorithm, focusing on post-quantum cryptography schemes.

In conclusion, this paper delivers essential quantitative analyses and contributes to a refined understanding of quantum resource needs for attacking ECDLP, establishing a baseline for further innovations in both quantum algorithms and secure cryptographic protocols.
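The two bounds quoted above, evaluated for the five NIST curves the abstract names, as an added example (not code from the paper or from its LIQ$Ui|\rangle$ simulation). The function names and the qubit-budget helper are assumptions of this sketch; the outputs are upper bounds on logical resources computed from the page's formulas, not simulation results.

```python
import math

# Curve names come from the abstract; the field size n (bits) is the number in each name.
NIST_PRIME_CURVES = {"P-192": 192, "P-224": 224, "P-256": 256,
                     "P-384": 384, "P-521": 521}


def ceil_log2(n: int) -> int:
    """Exact ceil(log2(n)) for n >= 1, using integers to avoid float rounding."""
    return (n - 1).bit_length()


def qubit_bound(n: int) -> int:
    """Upper bound on logical qubits: 9n + 2*ceil(log2 n) + 10."""
    return 9 * n + 2 * ceil_log2(n) + 10


def toffoli_bound(n: int) -> int:
    """Upper bound on Toffoli gates: 448 n^3 log2(n) + 4090 n^3, rounded up."""
    return math.ceil(n**3 * (448 * math.log2(n) + 4090))


def largest_field_within(qubit_budget: int) -> int:
    """Largest field size n whose qubit bound fits the budget (0 if none).

    Because the formula is an upper bound, a curve above this size is not
    thereby shown to be safe; a tighter circuit could need fewer qubits.
    """
    n = 0
    while qubit_bound(n + 1) <= qubit_budget:
        n += 1
    return n


def resource_table() -> list[tuple[str, int, int, int]]:
    """(curve, n, qubit bound, Toffoli bound) for each NIST prime curve."""
    return [(name, n, qubit_bound(n), toffoli_bound(n))
            for name, n in NIST_PRIME_CURVES.items()]


if __name__ == "__main__":
    print(f"{'curve':<6} {'n':>4} {'qubits <=':>10} {'Toffoli <=':>12}")
    for name, n, qubits, toffoli in resource_table():
        print(f"{name:<6} {n:>4} {qubits:>10} {toffoli:>12.3e}")
    print("largest n within 2330 logical qubits:", largest_field_within(2330))
```
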
