10,089 research outputs found
Modifying Shor’s algorithm to compute short discrete logarithms
We revisit Shor\u27s algorithm for computing discrete logarithms in the multiplicative group of GF(p) on a quantum computer and modify it to compute logarithms d in groups of prime order q in the special case where d <<< q. As a stepping stone to performing this modification, we first introduce a modified algorithm for computing logarithms on the general interval 0 < d < q for comparison.
We demonstrate conservative lower bounds on the success probability of our algorithms in both the general and the special case. In both cases, our algorithms initially set the index registers to a uniform superposition of all states, compared to p-1 states in Shor\u27s original algorithm.
In the special case where d <<< q, our algorithm uses 3 ceil(log d) qubits for the two index registers and computes two QFTs of size 2^(ceil(log d)) and 2^(2 ceil(log d)), compared to 2 floor(log q) qubits for the index registers and two QFTs both of size 2^(floor(log q)) in the general case.
A quantum circuit for computing [a - bd] g is furthermore required, where 0 <= a < 2^(2 ceil(log d)) and 0 <= b < 2^(ceil(log d)) in the special case, compared to 0 <= a, b < 2^(floor(log q)) in the general case.
This implies that the complexity of computing discrete logarithms on a quantum computer can be made to depend not only on the choice of group, and on its order q, but also on the logarithm d.
In the special case where d <<< q, our algorithm does not require q to be prime. It may hence be generalized to finite abelian groups
Discrete logarithms in curves over finite fields
A survey on algorithms for computing discrete logarithms in Jacobians of
curves over finite fields
Recognising the Suzuki groups in their natural representations
Under the assumption of a certain conjecture, for which there exists strong
experimental evidence, we produce an efficient algorithm for constructive
membership testing in the Suzuki groups Sz(q), where q = 2^{2m + 1} for some m
> 0, in their natural representations of degree 4. It is a Las Vegas algorithm
with running time O{log(q)} field operations, and a preprocessing step with
running time O{log(q) loglog(q)} field operations. The latter step needs an
oracle for the discrete logarithm problem in GF(q).
We also produce a recognition algorithm for Sz(q) = . This is a Las Vegas
algorithm with running time O{|X|^2} field operations.
Finally, we give a Las Vegas algorithm that, given ^h = Sz(q) for some h
in GL(4, q), finds some g such that ^g = Sz(q). The running time is O{log(q)
loglog(q) + |X|} field operations.
Implementations of the algorithms are available for the computer system
MAGMA
Quantum Complexity for Discrete Logarithms and Related Problems
This paper studies the quantum computational complexity of the discrete
logarithm (DL) and related group-theoretic problems in the context of generic
algorithms -- that is, algorithms that do not exploit any properties of the
group encoding.
We establish a generic model of quantum computation for group-theoretic
problems, which we call the quantum generic group model. Shor's algorithm for
the DL problem and related algorithms can be described in this model. We show
the quantum complexity lower bounds and almost matching algorithms of the DL
and related problems in this model. More precisely, we prove the following
results for a cyclic group of prime order.
- Any generic quantum DL algorithm must make depth of
group operations. This shows that Shor's algorithm is asymptotically optimal
among the generic quantum algorithms, even considering parallel algorithms.
- We observe that variations of Shor's algorithm can take advantage of
classical computations to reduce the number of quantum group operations. We
introduce a model for generic hybrid quantum-classical algorithms and show that
these algorithms are almost optimal in this model. Any generic hybrid algorithm
for the DL problem with a total number of group operations must make
quantum group operations of depth .
- When the quantum memory can only store group elements and use quantum
random access memory of group elements, any generic hybrid algorithm must
make either group operations in total or quantum group operations.
As a side contribution, we show a multiple DL problem admits a better
algorithm than solving each instance one by one, refuting a strong form of the
quantum annoying property suggested in the context of password-authenticated
key exchange protocol
Security of almost ALL discrete log bits
Let G be a finite cyclic group with generator \alpha and with an encoding so that multiplication is computable in polynomial time. We study the security of bits of the discrete log x when given \exp_{\alpha}(x), assuming that the exponentiation function \exp_{\alpha}(x) = \alpha^x is one-way. We reduce he general problem to the case that G has odd order q. If G has odd order q the security of the least-significant bits of x and of the most significant bits of the rational number \frac{x}{q} \in [0,1) follows from the work of Peralta [P85] and Long and Wigderson [LW88]. We generalize these bits and study the security of consecutive shift bits lsb(2^{-i}x mod q) for i=k+1,...,k+j. When we restrict \exp_{\alpha} to arguments x such that some sequence of j consecutive shift bits of x is constant (i.e., not depending on x) we call it a 2^{-j}-fraction of \exp_{\alpha}. For groups of odd group order q we show that every two 2^{-j}-fractions of \exp_{\alpha} are equally one-way by a polynomial time transformation: Either they are all one-way or none of them. Our key theorem shows that arbitrary j consecutive shift bits of x are simultaneously secure when given \exp_{\alpha}(x) iff the 2^{-j}-fractions of \exp_{\alpha} are one-way. In particular this applies to the j least-significant bits of x and to the j most-significant bits of \frac{x}{q} \in [0,1). For one-way \exp_{\alpha} the individual bits of x are secure when given \exp_{\alpha}(x) by the method of Hastad, N\"aslund [HN98]. For groups of even order 2^{s}q we show that the j least-significant bits of \lfloor x/2^s\rfloor, as well as the j most-significant bits of \frac{x}{q} \in [0,1), are simultaneously secure iff the 2^{-j}-fractions of \exp_{\alpha'} are one-way for \alpha' := \alpha^{2^s}. We use and extend the models of generic algorithms of Nechaev (1994) and Shoup (1997). We determine the generic complexity of inverting fractions of \exp_{\alpha} for the case that \alpha has prime order q. As a consequence, arbitrary segments of (1-\varepsilon)\lg q consecutive shift bits of random x are for constant \varepsilon >0 simultaneously secure against generic attacks. Every generic algorithm using generic steps (group operations) for distinguishing bit strings of j consecutive shift bits of x from random bit strings has at most advantage O((\lg q) j\sqrt{t} (2^j/q)^{\frac14})
Quantum Complexity for Discrete Logarithms and Related Problems
This paper studies the quantum computational complexity of the discrete logarithm and related group-theoretic problems in the context of ``generic algorithms\u27\u27---that is, algorithms that do not exploit any properties of the group encoding.
We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model, as a quantum analog of its classical counterpart. Shor\u27s algorithm for the discrete logarithm problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and (almost) matching algorithms of the discrete logarithm and related problems in this model. More precisely, we prove the following results for a cyclic group of prime order.
(1) Any generic quantum discrete logarithm algorithm must make depth of group operation queries. This shows that Shor\u27s algorithm that makes group operations is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms.
(2) We observe that some (known) variations of Shor\u27s algorithm can take advantage of classical computations to reduce the number and depth of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithm that captures these variants, and show that these algorithms are almost optimal in this model. Any generic hybrid quantum-classical algorithm for the discrete logarithm problem with a total number of (classical or quantum) group operations must make quantum group operations of depth . In particular, if , classical group operations can only save the number of quantum queries by a factor of and the quantum depth remains as .
(3) When the quantum memory can only store group elements and use quantum random access memory (qRAM) of group elements, any generic hybrid quantum-classical algorithm must make either group operation queries in total or quantum group operation queries. In particular, classical queries cannot reduce the number of quantum queries beyond .
As a side contribution, we show a multiple discrete logarithm problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol
Computing discrete logarithms in subfields of residue class rings
Recent breakthrough methods \cite{gggz,joux,bgjt} on computing discrete
logarithms in small characteristic finite fields share an interesting feature
in common with the earlier medium prime function field sieve method \cite{jl}.
To solve discrete logarithms in a finite extension of a finite field \F, a
polynomial h(x) \in \F[x] of a special form is constructed with an
irreducible factor g(x) \in \F[x] of the desired degree. The special form of
is then exploited in generating multiplicative relations that hold in
the residue class ring \F[x]/h(x)\F[x] hence also in the target residue class
field \F[x]/g(x)\F[x]. An interesting question in this context and addressed
in this paper is: when and how does a set of relations on the residue class
ring determine the discrete logarithms in the finite fields contained in it? We
give necessary and sufficient conditions for a set of relations on the residue
class ring to determine discrete logarithms in the finite fields contained in
it. We also present efficient algorithms to derive discrete logarithms from the
relations when the conditions are met. The derived necessary conditions allow
us to clearly identify structural obstructions intrinsic to the special
polynomial in each of the aforementioned methods, and propose
modifications to the selection of so as to avoid obstructions.Comment: arXiv admin note: substantial text overlap with arXiv:1312.167
Discrete logarithm computations over finite fields using Reed-Solomon codes
Cheng and Wan have related the decoding of Reed-Solomon codes to the
computation of discrete logarithms over finite fields, with the aim of proving
the hardness of their decoding. In this work, we experiment with solving the
discrete logarithm over GF(q^h) using Reed-Solomon decoding. For fixed h and q
going to infinity, we introduce an algorithm (RSDL) needing O (h! q^2)
operations over GF(q), operating on a q x q matrix with (h+2) q non-zero
coefficients. We give faster variants including an incremental version and
another one that uses auxiliary finite fields that need not be subfields of
GF(q^h); this variant is very practical for moderate values of q and h. We
include some numerical results of our first implementations
- …