Quantum algorithms for computing general discrete logarithms and orders with tradeoffs

We generalize our earlier works on computing short discrete logarithms with tradeoffs, and bridge them with Seifert\u27s work on computing orders with tradeoffs, and with Shor\u27s groundbreaking works on computing orders and general discrete logarithms. In particular, we enable tradeoffs when computing general discrete logarithms. Compared to Shor\u27s algorithm, this yields a reduction by up to a factor of two in the number of group operations evaluated quantumly in each run, at the expense of having to perform multiple runs. Unlike Shor\u27s algorithm, our algorithm does not require the group order to be known. It simultaneously computes both the order and the logarithm. We analyze the probability distributions induced by our algorithm, and by Shor\u27s and Seifert\u27s order finding algorithms, describe how these algorithms may be simulated when the solution is known, and estimate the number of runs required for a given minimum success probability when making different tradeoffs

Revisiting Shor's quantum algorithm for computing general discrete logarithms

We heuristically demonstrate that Shor's algorithm for computing general discrete logarithms, modified to allow the semi-classical Fourier transform to be used with control qubit recycling, achieves a success probability of approximately 60% to 82% in a single run. By slightly increasing the number of group operations that are evaluated quantumly, and by performing a limited search in the classical post-processing, we furthermore show how the algorithm can be modified to achieve a success probability exceeding 99% in a single run. We provide concrete heuristic estimates of the success probability of the modified algorithm, as a function of the group order, the size of the search space in the classical post-processing, and the additional number of group operations evaluated quantumly. In analogy with our earlier works, we show how the modified quantum algorithm may be simulated classically when the logarithm and group order are both known. Furthermore, we show how slightly better tradeoffs may be achieved, compared to our earlier works, if the group order is known when computing the logarithm.Comment: The pre-print has been extended to show how slightly better tradeoffs may be achieved, compared to our earlier works, if the group order is known. A minor issue with an integration limit, that lead us to give a rough success probability estimate of 60% to 70%, as opposed to 60% to 82%, has been corrected. The heuristic and results reported in the original pre-print are otherwise unaffecte

Large-Scale Simulation of Shor's Quantum Factoring Algorithm

Shor's factoring algorithm is one of the most anticipated applications of quantum computing. However, the limited capabilities of today's quantum computers only permit a study of Shor's algorithm for very small numbers. Here we show how large GPU-based supercomputers can be used to assess the performance of Shor's algorithm for numbers that are out of reach for current and near-term quantum hardware. First, we study Shor's original factoring algorithm. While theoretical bounds suggest success probabilities of only 3-4 %, we find average success probabilities above 50 %, due to a high frequency of "lucky" cases, defined as successful factorizations despite unmet sufficient conditions. Second, we investigate a powerful post-processing procedure, by which the success probability can be brought arbitrarily close to one, with only a single run of Shor's quantum algorithm. Finally, we study the effectiveness of this post-processing procedure in the presence of typical errors in quantum processing hardware. We find that the quantum factoring algorithm exhibits a particular form of universality and resilience against the different types of errors. The largest semiprime that we have factored by executing Shor's algorithm on a GPU-based supercomputer, without exploiting prior knowledge of the solution, is 549755813701 = 712321 * 771781. We put forward the challenge of factoring, without oversimplification, a non-trivial semiprime larger than this number on any quantum computing device.Comment: differs from the published version in formatting and style; open source code available at https://jugit.fz-juelich.de/qip/shorgp