Quantum resource estimates for computing elliptic curve discrete logarithms

We give precise quantum resource estimates for Shor's algorithm to compute discrete logarithms on elliptic curves over prime fields. The estimates are derived from a simulation of a Toffoli gate network for controlled elliptic curve point addition, implemented within the framework of the quantum computing software tool suite LIQ$Ui|\rangle$. We determine circuit implementations for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. We conclude that elliptic curve discrete logarithms on an elliptic curve defined over an $n$-bit prime field can be computed on a quantum computer with at most $9n + 2\lceil\log_2(n)\rceil+10$ qubits using a quantum circuit of at most $448 n^3 \log_2(n) + 4090 n^3$ Toffoli gates. We are able to classically simulate the Toffoli networks corresponding to the controlled elliptic curve point addition as the core piece of Shor's algorithm for the NIST standard curves P-192, P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to recent resource estimates for Shor's factoring algorithm. The results also support estimates given earlier by Proos and Zalka and indicate that, for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA.Comment: 24 pages, 2 tables, 11 figures. v2: typos fixed and reference added. ASIACRYPT 201

Iterated Monodromy Groups of Quadratic Polynomials, I

We describe the iterated monodromy groups associated with post-critically finite quadratic polynomials, and explicit their connection to the `kneading sequence' of the polynomial. We then give recursive presentations by generators and relations for these groups, and study some of their properties, like torsion and `branchness'.Comment: 18 pages, 3 EPS figure

Asymptotically rigid mapping class groups and Thompson's groups

We consider Thompson's groups from the perspective of mapping class groups of surfaces of infinite type. This point of view leads us to the braided Thompson groups, which are extensions of Thompson's groups by infinite (spherical) braid groups. We will outline the main features of these groups and some applications to the quantization of Teichm\"uller spaces. The chapter provides an introduction to the subject with an emphasis on some of the authors results.Comment: survey 77

Refinements of Miller's Algorithm over Weierstrass Curves Revisited

In 1986 Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has then become the core of all pairing-based cryptosystems. Many improvements of the algorithm have been presented. Most of them involve a choice of elliptic curves of a \emph{special} forms to exploit a possible twist during Tate pairing computation. Other improvements involve a reduction of the number of iterations in the Miller's algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Miller's algorithm over Weierstrass curves. Though their refinements which only reduce the total number of vertical lines in Miller's algorithm, did not give an efficient computation as other optimizations, but they can be applied for computing \emph{both} of Weil and Tate pairings on \emph{all} pairing-friendly elliptic curves. In this paper we extend the Blake-Murty-Xu's method and show how to perform an elimination of all vertical lines in Miller's algorithm during Weil/Tate pairings computation on \emph{general} elliptic curves. Experimental results show that our algorithm is faster about 25% in comparison with the original Miller's algorithm.Comment: 17 page

An infinite genus mapping class group and stable cohomology

We exhibit a finitely generated group \M whose rational homology is isomorphic to the rational stable homology of the mapping class group. It is defined as a mapping class group associated to a surface \su of infinite genus, and contains all the pure mapping class groups of compact surfaces of genus $g$ with $n$ boundary components, for any $g\geq 0$ and $n>0$. We construct a representation of \M into the restricted symplectic group ${\rm Sp_{res}}({\cal H}_r)$ of the real Hilbert space generated by the homology classes of non-separating circles on \su, which generalizes the classical symplectic representation of the mapping class groups. Moreover, we show that the first universal Chern class in H^2(\M,\Z) is the pull-back of the Pressley-Segal class on the restricted linear group ${\rm GL_{res}}({\cal H})$ via the inclusion ${\rm Sp_{res}}({\cal H}_r)\subset {\rm GL_{res}}({\cal H})$.Comment: 14p., 8 figures, to appear in Commun.Math.Phy

The geometry of efficient arithmetic on elliptic curves

The arithmetic of elliptic curves, namely polynomial addition and scalar multiplication, can be described in terms of global sections of line bundles on $E\times E$ and $E$, respectively, with respect to a given projective embedding of $E$ in $\mathbb{P}^r$. By means of a study of the finite dimensional vector spaces of global sections, we reduce the problem of constructing and finding efficiently computable polynomial maps defining the addition morphism or isogenies to linear algebra. We demonstrate the effectiveness of the method by improving the best known complexity for doubling and tripling, by considering families of elliptic curves admiting a $2$-torsion or $3$-torsion point