TY - JOUR
T1 - Concrete quantum cryptanalysis of binary elliptic curves
AU - Souza Banegas, Gustavo
AU - Bernstein, Daniel J.
AU - van Hoof, Iggy
AU - Lange, Tanja
PY - 2021
Y1 - 2021
N2 - This paper analyzes and optimizes quantum circuits for computing discrete logarithms on binary elliptic curves, including reversible circuits for fixed-base-point scalar multiplication and the full stack of relevant subroutines. The main optimization target is the size of the quantum computer, i.e., the number of logical qubits required, as this appears to be the main obstacle to implementing Shor’s polynomial-time discrete-logarithm algorithm. The secondary optimization target is the number of logical Toffoli gates. For an elliptic curve over a field of 2n elements, this paper reduces the number of qubits to 7n + ⌊log2(n)⌋ + 9. At the same time this paper reduces the number of Toffoli gates to 48n3 + 8nlog2(3)+1 + 352n2 log2(n) + 512n2 + O(nlog2(3)) with double-and-add scalar multiplication, and a logarithmic factor smaller with fixed-window scalar multiplication. The number of CNOT gates is also O(n3). Exact gate counts are given for various sizes of elliptic curves currently used for cryptography.
AB - This paper analyzes and optimizes quantum circuits for computing discrete logarithms on binary elliptic curves, including reversible circuits for fixed-base-point scalar multiplication and the full stack of relevant subroutines. The main optimization target is the size of the quantum computer, i.e., the number of logical qubits required, as this appears to be the main obstacle to implementing Shor’s polynomial-time discrete-logarithm algorithm. The secondary optimization target is the number of logical Toffoli gates. For an elliptic curve over a field of 2n elements, this paper reduces the number of qubits to 7n + ⌊log2(n)⌋ + 9. At the same time this paper reduces the number of Toffoli gates to 48n3 + 8nlog2(3)+1 + 352n2 log2(n) + 512n2 + O(nlog2(3)) with double-and-add scalar multiplication, and a logarithmic factor smaller with fixed-window scalar multiplication. The number of CNOT gates is also O(n3). Exact gate counts are given for various sizes of elliptic curves currently used for cryptography.
KW - Elliptic curves
KW - Quantum cryptanalysis
KW - Quantum gates
KW - Quantum resource estimation
KW - Shor’s algorithm
UR - http://www.scopus.com/inward/record.url?scp=85108545252&partnerID=8YFLogxK
U2 - 10.46586/tches.v2021.i1.451-472
DO - 10.46586/tches.v2021.i1.451-472
M3 - Article
SN - 2569-2925
VL - 2021
SP - 451
EP - 472
JO - IACR Transactions on Cryptographic Hardware and Embedded Systems
JF - IACR Transactions on Cryptographic Hardware and Embedded Systems
IS - 1
ER -