Lo Low-de depth pth qu quantu tum m cir ircuit its for r computing ting dis iscr cret ete e logarit ithms hms on bin inary ellip iptic tic curves Rainer Steinwandt (based on joint work with Martin Rötteler)
Dlog log com omputation putation on on bin binary y EC ECs • infeasibility essential for prominent schemes ECDSA: {B,K}-{163, 233, 283, 409, 571} • Shor: feasible with scalable quantum computer efficient quantum circuits for EC arithmetic What is the depth of such an “attack circuit”?
Wh Whic ich h pa part rts are re (t (tim ime-)crit )critical? ical? • Quantum Fourier T ransform: fast parallel circuits known ( Cleve-Watrous ‘00) • (Double) scalar multiplication: , Q E(GF(2 n )) find k P+ l Q for fixed non-zero P Maslov-Mathew-Cheung-Pradhan ‘09: depth O(n 2 ) with polynomial basis & projective coordinates unique point representation: O(n 2 ) inversion n log n (Amento-Rötteler- S. ’13)
Ga Gate tes s us used ed | q 1 | q 1 CNOT OT : | q 2 | q 2 | q 3 | q 3 q 1 | q 1 | q 1 Toffoli li: | q 2 | q 2 | q 3 | q 3 (q 1 q 2 ) Executing two gates in parallel: only if they operate on disjoint sets of wires
Co Comp mplete lete bin inary y Ed Edwards wards cur urves ves Bernstein et al. ’08: For n 3 each ordinary binary elliptic curve birationally equivalent to a complete binary Edwards curve: d 1 (x+y)+d 2 (x 2 +y 2 )=xy+xy(x+y)+x 2 y 2 (d 1 GF(2 n ) * , d 2 GF(2 n ) with T r(d 2 )=1). • no projective closure needed (but projective coord. allow to avoid inversion) • identity: (0,0)
Co Comp mplete lete addit dition ion la law Find P 1 +P 2 for any curve points P 1 =(x 1 ,y 1 ), P 2 =(x 2 ,y 2 ): Point addition – const. number of GF(2 n ) operations: addition, squaring, multiplication (, inversion)
Lo Low-dep depth th GF GF(2 (2 n )-arithmet arithmetic ic Design decision: polynomial basis representation • Additi tion on: : depth O(1) : matrix-vector mult. addition • Sq Squaring ng: trees+“multi -fan-out CNOT w/ |0 - input”: O(log n) n: Maslov et al.’s construction • Multi ltiplic plicatio tion: reduces to 3 matrix-vector multiplications parallelization: depth O(log n) Projec ectiv tive e po point addition: n: dep epth h O(lo log n)
Passing ssing to to af affine ine coo oordinates rdinates … ensures unique representation of group elements: Amento et al.’s GF(2 n )-inverter reduces to O(log n) matrix-vector mult. + GF(2 n )-mult.: depth O(log 2 n) final inversion to ensure uniqueness as costly as complete projective point addition
ute k P+ l Q Ho How w to to co comp mpute Maslov et al.’strategy – right-to-left double-and-add: R ← 0 for i = 0 to n step 1 if k i = 1 then R ← R + 2 i ·P if l i = 1 then R ← R + 2 i ·Q return R precomputed … yields depth O( n log n) circuit … requires O(n) potentially different adder circuits
Le Left-to to-right right + Shamir/Straus’s trick R ← 0 if k n = 1 then R ← R + P if l n = 1 then R ← R + Q for i = n−1 to 0 step −1 general doubling R ← 2·R if k i = 1 then R ← R + P if l i = 1 then R ← R + Q return R … depth O( n log n), 3 circuit types, n doublings
Paralleli rallelized zed dou ouble ble-and and-add add requires “multi -fan-out CNOT w/ |0 - input” … depth O(log 2 n), general addition circuits
Co Conc nclusion lusion Suitable field & curve arithmetic reduces depth from O(n 2 ) to O(log 2 n), maintaining polynomial size. • Can we simplify the (Edwards) addition circuits? fewer T -gates and reduced T -depth desirable • Can we avoid or simplify the inversion? “normal form as expensive as the circuit” Room to optimize dlog computation on binary ECs.
Recommend
More recommend
![Tsinghua University Monocular Depth-Pose Prediction [R, t] Depth and Pose RGB PoseNet](https://c.sambuz.com/691712/tsinghua-university-monocular-depth-pose-prediction-s.jpg)
