Space-Efficient Quantum Algorithm for Elliptic Curve Discrete Logarithms with Resource Estimation
Published 2 Apr 2026 in quant-ph | (2604.02311v1)
Abstract: Solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) is critical for evaluating the quantum security of widely deployed elliptic-curve cryptosystems. Consequently, minimizing the number of logical qubits required to execute this algorithm is a key objective. In implementations of Shor's algorithm, the space complexity is largely dictated by the modular inversion operation during point addition. Starting from the extended Euclidean algorithm (EEA), we refine the register-sharing method of Proos and Zalka and propose a space-efficient reversible modular inversion algorithm. We use length registers together with location-controlled arithmetic to store the intermediate variables in a compact form throughout the computation. We then optimize the stepwise update rules and give concrete circuit constructions for the resulting controlled arithmetic components. This leads to a modular inversion circuit that uses $3n + 4\lfloor \log_2 n \rfloor + O(1)$ logical qubits and $204n^2\log_2 n + O(n^2)$ Toffoli gates. By inserting this modular inversion component into the controlled affine point-addition circuit, we obtain a space-efficient algorithm for the ECDLP with $5n + 4\lfloor \log_2 n \rfloor + O(1)$ qubits and $O(n^3)$ Toffoli gates. In particular, for a 256-bit prime-field curve, our estimate reduces the logical-qubit count to 1333, compared with 2124 in the previous low-width implementation of Häner et al.
The paper introduces an exactly reversible quantum modular inversion circuit that meets the low-width bound without fidelity loss.
It integrates a register-sharing extended Euclidean algorithm into a complete quantum ECDLP solution, lowering logical qubit counts and Toffoli gate complexity.
Resource analysis shows significant reductions (e.g., 1333 qubits for ECC-256) compared to earlier circuits, impacting quantum cryptanalysis feasibility.
Space-Efficient Quantum Algorithm for ECDLP: Register-Sharing Modular Inversion and Resource Estimation
Introduction and Motivation
The quantum security of elliptic-curve cryptosystems remains contingent on the resources required to execute Shor’s algorithm for the elliptic curve discrete logarithm problem (ECDLP) in the standard fault-tolerant circuit model. Current quantum resource estimates for the ECDLP, especially for prime-field curves, show significantly higher logical qubit requirements compared to those for integer factorization at comparable classical security levels. A principal bottleneck in space efficiency is modular inversion in point addition during scalar multiplication. Previous asymptotic results, notably by Proos and Zalka, yielded promising theoretical low-width bounds via register sharing, but lacked explicit, exactly reversible circuit implementations and incurred fidelity loss due to approximate register allocation.
This work presents an explicit, exactly reversible quantum circuit for modular inversion that matches the low-width asymptotic bound, eliminates fidelity loss, and offers concrete resource estimates. The modular inversion construction is subsequently integrated into a full quantum algorithm for ECDLP, yielding the lowest known logical qubit count for cryptographically relevant curves.
The central technical contribution is a modular inversion algorithm based on a reversible extended Euclidean algorithm (EEA), implemented with a refined register-sharing methodology. The algorithmic framework employs a four-phase schedule for each EEA iteration: left-shifting, right-shifting and quotient accumulation, modular subtraction, and re-alignment, each with controlled arithmetic and data movement. All intermediate state variables, including residues, quotients, and auxiliary vectors, are maintained in overlapping sections of only two $(n+3)$-qubit working registers, with logical boundaries tracked by dedicated "Length" registers. This approach guarantees exact reversibility for arbitrary superpositions of $x \in \mathbb{F}_p$ without truncating outliers, in contrast to the $O(n)$ overhead and $O(n^{-1})$ infidelity of Proos and Zalka's construction.
The variable-length segments for residues, quotients, and coefficients are allocated dynamically and precisely, consistent for all computational paths. Updates are controlled by phase bits and length vectors, ensuring deterministic space usage.
Quantum Circuit Construction
The explicit reversible quantum circuit is constructed using Toffoli and CNOT gates, optimized for the Clifford+T architecture prevalent in quantum fault tolerance. Arithmetic blocks implement location-controlled addition, subtraction, and swaps—the control signals are determined by the Length registers, enabling simultaneous manipulation of multiple sections across the workspace. Circuit-level optimizations include the merging of redundant shifts and the use of active windows at each algorithmic step, restricting quantum arithmetic to only those register segments that are nontrivial for the current set of superposed computational paths.
Figure 2: Schematic low-width controlled affine Weierstrass point-addition circuit employing modular inversion by EEA as the dominant high-depth/width primitive.
Resource Analysis and Numerical Estimates
The modular inversion subroutine admits rigorous resource analysis. The logical qubit count is reduced to $3n + 4\lfloor \log_2 n \rfloor + O(1)$ for modular inversion and to $5n + 4\lfloor \log_2 n \rfloor + O(1)$ for the full controlled point addition, a concrete reduction (e.g., 1333 qubits for ECC-256) over the prior circuit-level best (2124 qubits, Häner et al.). The total Toffoli gate count for modular inversion is $204n^2\log_2 n + O(n^2)$. Resource estimation was carried out in Qiskit, confirming the analytic bounds up to $n = 512$ (see Figure 3).
Figure 3: Exact Toffoli and CNOT gate counts for modular inversion in ECDLP as a function of prime modulus bit size, validating the $O(n^2 \log n)$ scaling.
Incorporating this modular inversion into the standard affine-coordinate point addition yields $O(n^3)$ total Toffoli gates for the ECDLP, assuming a windowed scalar multiplication schedule. This compares favorably with alternative approaches based on residue number systems, whose asymptotic Toffoli count is higher. All circuit modules are available in an open-source implementation.
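The EEA schedule described in the introduction (shift, controlled subtraction, quotient accumulation, modular subtraction) and the affine point addition of Figure 2 can be modelled classically. The following is an added example written for this summary, not code from the paper or its open-source implementation. It computes each quotient with a shift-subtract divider, keeps the quotient trace as the record that makes every step exactly invertible, replays that trace backwards to recover the initial state, checks the classical bound on quotient storage that motivates register sharing (the bound and its check are this example's own, not a claim from the paper), and feeds the inverter into affine point addition on a small constructed curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$. The curve, the points and the P-256 field prime used for the larger check are the example's assumptions.

```python
# Added example for this summary, not code from the paper: a classical model of
# the reversible extended Euclidean inversion and of the affine point addition
# that consumes it. The curve y^2 = x^3 + 2x + 3 over F_97, its points and the
# quotient-space bound are constructed for this example.

def shift_subtract_divide(a, b):
    """Restoring division by align / subtract / shift: the bit-serial form that
    a reversible circuit realises with controlled shifts and subtractions.
    Returns (q, r) with a == q*b + r and 0 <= r < b."""
    assert a >= b > 0
    shift = a.bit_length() - b.bit_length()
    divisor = b << shift             # left-shift phase: align b under a
    q = 0
    for _ in range(shift + 1):
        q <<= 1
        if a >= divisor:             # controlled subtraction
            a -= divisor
            q |= 1                   # quotient accumulation, one bit per pass
        divisor >>= 1                # right-shift phase
    return q, a

def eea_step(state, q, p):
    """One EEA step on (a, b, s, t) with a = s*x and b = t*x (mod p)."""
    a, b, s, t = state
    return (b, a - q * b, t, (s - q * t) % p)   # modular subtraction phase

def eea_unstep(state, q, p):
    """Exact inverse of eea_step given the same quotient q."""
    a, b, s, t = state
    return (b + q * a, a, (t + q * s) % p, s)

def eea_forward(x, p):
    """Run the EEA on (p, x). Returns the final state and the quotient trace,
    the only record a reversible implementation needs in order to uncompute."""
    assert 0 < x < p
    state, trace = (p, x, 0, 1), []
    while state[1] != 0:
        q, _ = shift_subtract_divide(state[0], state[1])
        trace.append(q)
        state = eea_step(state, q, p)
    return state, trace

def eea_backward(final, trace, p):
    """Replay the trace in reverse to recover the initial state (p, x, 0, 1)."""
    state = final
    for q in reversed(trace):
        state = eea_unstep(state, q, p)
    return state

def mod_inverse(x, p):
    (gcd, _, s, _), _ = eea_forward(x, p)
    assert gcd == 1, "x is not invertible modulo p"
    return s

def quotient_bits(trace):
    """Bits needed to store every quotient of the trace."""
    return sum(q.bit_length() for q in trace)

def quotient_space_bound_holds(p, xs):
    """Check sum bits(q_i) <= bits(p) - bits(gcd) + k over the k steps for each
    x in xs. It follows from r_{i-1} >= q_i * r_i, i.e. bits(q_i) <=
    bits(r_{i-1}) - bits(r_i) + 1: quotients only grow into the space the
    shrinking residues give up, plus one bit per step. This classical bound is
    the example's own; the paper's Length registers track such bit lengths."""
    for x in xs:
        (gcd, _, _, _), trace = eea_forward(x, p)
        if quotient_bits(trace) > p.bit_length() - gcd.bit_length() + len(trace):
            return False
    return True

def affine_point_add(P, Q, a, p):
    """Affine Weierstrass addition on y^2 = x^3 + a*x + b over F_p, with None as
    the point at infinity. Exactly one modular inversion per addition, which is
    why the inverter dominates the width of the point-addition circuit."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                  # P + (-P) = O
    if P == Q:
        num, den = (3 * x1 * x1 + a) % p, (2 * y1) % p
    else:
        num, den = (y2 - y1) % p, (x2 - x1) % p
    lam = num * mod_inverse(den, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return x3, y3

if __name__ == "__main__":
    p256 = 2**256 - 2**224 + 2**192 + 2**96 - 1   # NIST P-256 field prime
    final, trace = eea_forward(12345, p256)
    print("inverse ok:", mod_inverse(12345, p256) == pow(12345, -1, p256))
    print("uncomputed:", eea_backward(final, trace, p256) == (p256, 12345, 0, 1))
    print("steps:", len(trace), "quotient bits:", quotient_bits(trace))
    print("2*(3,6) on the F_97 curve:", affine_point_add((3, 6), (3, 6), 2, 97))
```

The forward pass is what the quantum circuit computes in superposition; the backward pass shows that nothing beyond the quotient trace is needed to uncompute it, and the bound check makes concrete why the trace can share space with the residues: on the 256-bit prime the sum of quotient bit lengths never exceeds the bits the residues have released plus one per step.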
Comparative Context and Claims
This work claims the first explicit, fully reversible, and exactly correct quantum modular inversion implementation that achieves the Proos-Zalka width bound without loss of circuit fidelity. In the context of quantum cryptanalysis, this result revises downward the quantum resource baseline for the ECDLP, narrowing the gap with state-of-the-art RSA-factoring circuits and strengthening the case for the adoption of post-quantum schemes.
Compared to concurrent work leveraging residue number systems for alternative speed-space tradeoffs, this work's approach is orthogonal: all improvements result from the register allocation and optimized dynamic length management of the EEA in the quantum domain.
Practical and Theoretical Implications
Lower logical qubit counts for ECDLP directly influence feasibility assessments for quantum cryptanalysis of ECC-based protocols. Improved space efficiency not only reduces overheads for surface code error correction but may allow for earlier demonstration of experimental quantum ECDLP attacks once sufficiently low gate error rates are realized. The modular inversion implementation, as a primitive, is amenable to replacement within other quantum cryptanalytic circuits (including advanced factoring and DLP instances leveraging similar arithmetic bottlenecks).
On the theoretical side, this work demonstrates that prior high-level quantum algorithm resource estimates can be matched in full explicit circuit realizations. The separation of algorithmic and engineering concerns—algorithmic-level register sharing, step scheduling, low-level gate orchestration—provides a template for further reductions in space/time cost for other number-theoretic quantum algorithms.
Conclusion
This paper establishes that, through precisely controlled register sharing and exact dynamic allocation in a fully reversible quantum EEA, explicit modular inversion can be implemented with $3n + 4\lfloor \log_2 n \rfloor + O(1)$ logical qubits and $204n^2\log_2 n + O(n^2)$ Toffoli gates. This improvement enables the construction of an ECDLP quantum circuit with the lowest known width for relevant cryptographic curves, providing concrete evidence that the resource barrier for quantum attacks on elliptic curve cryptosystems is lower than previously believed. Future research should target further reductions in gate count, architectural optimizations, and potential extensions to hardware-optimized or error-robust circuit topologies.