Lo Low-de depth pth qu quantu tum m cir ircuit its for r - - PowerPoint PPT Presentation

Lo Low-de depth pth qu quantu tum m cir ircuit its for r computing ting dis iscr cret ete e logarit ithms hms on bin inary ellip iptic tic curves

Rainer Steinwandt (based on joint work with Martin Rötteler)

Dlog log com

• mputation

putation on

• n bin

binary y EC ECs

• infeasibility essential for prominent schemes

ECDSA: {B,K}-{163, 233, 283, 409, 571}

• Shor: feasible with scalable quantum computer

efficient quantum circuits for EC arithmetic What is the depth of such an “attack circuit”?

Wh Whic ich h pa part rts are re (t (tim ime-)crit )critical? ical?

• Quantum Fourier T

ransform: fast parallel circuits known ( Cleve-Watrous ‘00)

• (Double) scalar multiplication:

for fixed non-zero P , QE(GF(2n)) find kP+lQ Maslov-Mathew-Cheung-Pradhan ‘09: depth O(n2) with polynomial basis & projective coordinates

unique point representation: O(n2) inversion

nlog n (Amento-Rötteler-S. ’13)

Ga Gate tes s us used ed

CNOT OT : Toffoli li: Executing two gates in parallel:

• nly if they operate on disjoint sets of wires

|q1 |q2 |q3 |q1 |q2 |q3 |q1 |q2 |q3q1 |q1 |q2 |q3(q1 q2)

Co Comp mplete lete bin inary y Ed Edwards wards cur urves ves

Bernstein et al. ’08: For n3 each ordinary binary elliptic curve birationally equivalent to a complete binary Edwards curve: d1(x+y)+d2(x2+y2)=xy+xy(x+y)+x2y2 (d1 GF(2n)*, d2GF(2n) with T r(d2)=1).

• no projective closure needed

(but projective coord. allow to avoid inversion)

• identity: (0,0)

Co Comp mplete lete addit dition ion la law

Find P1+P2 for any curve points P1=(x1,y1), P2=(x2,y2): Point addition – const. number of GF(2n) operations: addition, squaring, multiplication (, inversion)

Lo Low-dep depth th GF GF(2 (2n)-arithmet arithmetic ic

Design decision: polynomial basis representation

• Additi

tion

• n:

: depth O(1)

• Sq

Squaring ng: : matrix-vector mult. addition trees+“multi-fan-out CNOT w/ |0-input”: O(log n)

• Multi

ltiplic plicatio tion: n: Maslov et al.’s construction reduces to 3 matrix-vector multiplications parallelization: depth O(log n) Projec ectiv tive e po point addition: n: dep epth h O(lo log n)

Passing ssing to to af affine ine coo

• ordinates

rdinates

… ensures unique representation of group elements: Amento et al.’s GF(2n)-inverter reduces to O(log n) matrix-vector mult. + GF(2n)-mult.: depth O(log2 n) final inversion to ensure uniqueness as costly as complete projective point addition

Ho How w to to co comp mpute ute kP+lQ

Maslov et al.’strategy – right-to-left double-and-add: R ← 0 for i = 0 to n step 1 if ki= 1 then R ← R + 2i·P if li= 1 then R ← R + 2i·Q return R … yields depth O(nlog n) circuit … requires O(n) potentially different adder circuits precomputed

Le Left-to to-right right + Shamir/Straus’s trick

R ← 0 if kn= 1 then R ← R + P if ln= 1 then R ← R + Q for i = n−1 to 0 step −1 R ← 2·R if ki= 1 then R ← R + P if li= 1 then R ← R + Q return R … depth O(nlog n), 3 circuit types, n doublings general doubling

Paralleli rallelized zed dou

• uble

ble-and and-add add

requires “multi-fan-out CNOT w/ |0-input” … depth O(log2n), general addition circuits

Co Conc nclusion lusion

Suitable field & curve arithmetic reduces depth from O(n2) to O(log2n), maintaining polynomial size.

• Can we simplify the (Edwards) addition circuits?

fewer T

• gates and reduced T
• depth desirable
• Can we avoid or simplify the inversion?

“normal form as expensive as the circuit” Room to optimize dlog computation on binary ECs.