Quantum algorithms for computing short discrete logarithms and - PowerPoint PPT Presentation

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto 2017, 8th International Workshop, Utrecht, June 26-28, 2017 Martin Ekerå 1 , 2 Johan Håstad 1 1 KTH Royal Institute of Technology, SE-100 44 Stockholm, Sweden 2 Swedish NCSA, Swedish Armed Forces, SE-107 85 Stockholm, Sweden

Introduction Our contribution ▶ We modify Shor’s algorithms to more efficiently solve ▶ the short discrete logarithm problem ▶ the RSA integer factoring problem ▶ The main hurdle is to exponentiate group elements. We shorten the exponents.

The integer factoring problem The integer factoring problem (IFP) ▶ Given an integer N compute its prime factors.

The integer factoring problem The integer factoring problem (IFP) The RSA integer factoring problem (RSA IFP) ▶ Given an integer N compute its prime factors. ▶ N = pq where p and q ̸ = p are two large primes of similar size

The integer factoring problem The integer factoring problem (IFP) The RSA integer factoring problem (RSA IFP) ▶ Given an integer N compute its prime factors. ▶ N = pq where p and q ̸ = p are two large primes of similar size ▶ We focus on the RSA IFP since it is of cryptographic significance.

The discrete logarithm problem The discrete logarithm problem (DLP) ▶ Given a generator g of some group G and x = g d compute d = log g x .

The discrete logarithm problem The discrete logarithm problem (DLP) The short discrete logarithm problem (short DLP) ▶ Given a generator g of some group G and x = g d compute d = log g x . ▶ d ≪ r where r is the order of G ▶ r may be assumed known or unknown

Reasons for studying the short DLP Reasons for studying the short DLP 1. The RSA IFP may be reduced to the short DLP. 2. The short DLP arises in some parameterizations of DLP-based schemes.

Reducing RSA IFP to a short DLP [HSS93] N . Compute 1. Let N = pq be the RSA integer to be factored. 2. Pick a random g ∈ Z ∗ x = g N ≡ g p + q − 1 since the order of Z ∗ pq − p − q + 1 . N is 3. Compute d = p + q − 1 given g and x . 4. Solve N = pq and d = p + q − 1 for p and q . ▶ An RSA IFP may be reduced to a short DLP in a group of unknown order.

Domain parameters for DLP-based schemes 2048 200 200 2048 p 200 2047 2048 — short d Group 2047 2047 p Prime p 100 200 200 200 Classical security Exponent d Order r Elliptic curve E ( F p ) Safe-prime G ⊂ F ∗ ∗ 100 ∗ 100 Schnorr G ⊂ F ∗ ∗ 100 ∗ ballpark figure — various models exist for estimating these security levels ▶ The short DLP arises when short exponents are used with safe-prime groups. ▶ Important to understand quantum implications of parameterization choices.

Shor’s algorithms [Shor94] Shor’s algorithms p . ▶ Shor’s algorithms solve the IFP and the DLP in F ∗ ▶ May be generalized to solve the DLP in any finite cyclic group.

Shor’s algorithm for the DLP [Shor94] 2. Compute two QFTs of size r . l operations 1 1 QFT QFT t qubits l qubits l qubits 1. Compute the superposition 3. Observe frequencies j and k . l operations 1 r a = 0 | a ⟩ | j ⟩ ∑ r − 1 r − 1 r − 1 ∑ ∑ √ r � � a , b , g a x − b ⟩ a = 0 b = 0 b = 0 | b ⟩ where ⟨ g ⟩ = G of order r ∼ 2 l . | k ⟩ ∑ r − 1 √ r | identity in G ⟩ � g a x − b ⟩ x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b g a g a g a g a g a g a g a g a g a g a g a g a g a g a g a 4. Solve dj + k ≡ 0 ( mod r ) . �

Shor’s algorithm for the DLP [Shor94] 2. Compute two QFTs of size r . l operations 1 1 QFT QFT t qubits l qubits l qubits 1. Compute the superposition 3. Observe frequencies j and k . l operations 1 r a = 0 | a ⟩ | j ⟩ ∑ r − 1 r − 1 r − 1 � a , b , g a x − b ≡ g ( a − bd ) mod r ⟩ ∑ ∑ √ r � a = 0 b = 0 b = 0 | b ⟩ where ⟨ g ⟩ = G of order r ∼ 2 l . | k ⟩ ∑ r − 1 √ r | identity in G ⟩ � g a x − b ⟩ x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b g a g a g a g a g a g a g a g a g a g a g a g a g a g a g a 4. Solve dj + k ≡ 0 ( mod r ) . �

Shor’s algorithm for the DLP [Shor94] 4. Solving for d yields l operations 1 QFT QFT t qubits l qubits l qubits 2 l 1 2 l 1. Compute the superposition l operations 3. Observe frequencies j and k . 1 r 2. Compute two QFTs of size 2 l . r − 1 r − 1 a = 0 | a ⟩ � a , b , g a x − b ≡ g ( a − bd ) mod r ⟩ ∑ ∑ � ∑ r − 1 | j ⟩ a = 0 b = 0 √ r where ⟨ g ⟩ = G of order r ∼ 2 l . b = 0 | b ⟩ | k ⟩ ∑ r − 1 √ r | identity in G ⟩ � g a x − b ⟩ x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b g a g a g a g a g a g a g a g a g a g a g a g a g a g a g a ⌊ kr ⌉ z − 1 ( mod r ) where z = { jr } 2 l − jr d ≡ ∈ Z . �

Shor’s algorithm for the DLP [Shor94] 200 l qubits l qubits t qubits QFT QFT 100 200 200 l operations Classical security Exponent d Order r Prime p Group 1 1 l operations p 2048 2 l 2047 1 r 200 200 2048 p 200 2047 2048 2. Compute two QFTs of size 2 l . 3. Observe frequencies j and k . 4. Solving for d yields — short d 2 l 2047 1. Compute the superposition Elliptic curve E ( F p ) Safe-prime G ⊂ F ∗ ∗ 100 ∗ 100 Schnorr G ⊂ F ∗ ∗ 100 r − 1 r − 1 � a , b , g a x − b ≡ g ( a − bd ) mod r ⟩ ∑ ∑ � a = 0 | a ⟩ a = 0 b = 0 | j ⟩ ∑ r − 1 where ⟨ g ⟩ = G of order r ∼ 2 l . √ r b = 0 | b ⟩ | k ⟩ ∑ r − 1 √ r | identity in G ⟩ � g a x − b ⟩ ⌊ kr ⌉ z − 1 ( mod r ) where z = { jr } 2 l − jr x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b g a g a g a g a g a g a g a g a g a g a g a g a g a g a d ≡ ∈ Z . �

Shor’s algorithm for the DLP [Shor94] 200 l l t qubits QFT QFT p 100 200 200 1 l Classical security 1. Compute the superposition Exponent d l 1 Order r Prime p 2048 2047 2047 200 1 r 200 200 2048 p 2 l Group 2. Compute two QFTs of size 2 l . 3. Observe frequencies j and k . 4. Solving for d yields 2047 2048 2 l — short d Elliptic curve E ( F p ) Safe-prime G ⊂ F ∗ ∗ 100 ∗ 100 r − 1 r − 1 Schnorr G ⊂ F ∗ ∗ 100 � a , b , g a x − b ≡ g ( a − bd ) mod r ⟩ ∑ ∑ � a = 0 | a ⟩ a = 0 b = 0 | j ⟩ ∑ r − 1 where ⟨ g ⟩ = G of order r ∼ 2 l . √ r b = 0 | b ⟩ | k ⟩ ∑ r − 1 √ r | identity in G ⟩ � g a x − b ⟩ x − b x − b x − b x − b g a g a g a g a ⌊ kr ⌉ z − 1 ( mod r ) where z = { jr } 2 l − jr � d ≡ ∈ Z .

Shor’s algorithm for the DLP [Shor94] 200 l qubits l qubits t qubits QFT QFT 100 200 200 l operations Classical security Exponent d Order r Prime p Group 1 1 l operations p 2048 2 l 2047 1 r 200 200 2048 p 200 2047 2048 2. Compute two QFTs of size 2 l . 3. Observe frequencies j and k . 4. Solving for d yields — short d 2 l 2047 1. Compute the superposition Elliptic curve E ( F p ) Safe-prime G ⊂ F ∗ ∗ 100 ∗ 100 Schnorr G ⊂ F ∗ ∗ 100 r − 1 r − 1 � a , b , g a x − b ≡ g ( a − bd ) mod r ⟩ ∑ ∑ � a = 0 | a ⟩ a = 0 b = 0 | j ⟩ ∑ r − 1 where ⟨ g ⟩ = G of order r ∼ 2 l . √ r b = 0 | b ⟩ | k ⟩ ∑ r − 1 √ r | identity in G ⟩ � g a x − b ⟩ ⌊ kr ⌉ z − 1 ( mod r ) where z = { jr } 2 l − jr x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b x − b g a g a g a g a g a g a g a g a g a g a g a g a g a g a d ≡ ∈ Z . �

Our algorithm for the short DLP Our improvements 1. We make the exponent length depend on d . 2. We enable tradeoffs between the exponent length and the number of runs. ▶ This parallels Seifert’s modification [Seifert01] of Shor’s order finding algorithm. ▶ We provide a full analysis of the algorithm and rigorous proofs.

Our algorithm for the short DLP [Ekerå16] — single pair 100 H H Group Prime p Order r Exponent d Classical security 200 200 200 p 1. Compute the superposition 2048 2047 2047 — short d 2048 2047 200 p 2048 200 200 m 2 m The order r may be unknown. Need a single good pair to solve for d . 1 3. Observe frequencies j and k . 2 3 m 2 m m t qubits QFT QFT 2 2 m − 1 2 m − 1 Elliptic curve E ( F p ) � a , b , g a x − b = g a − bd ⟩ ∑ ∑ � √ Safe-prime G ⊂ F ∗ ∗ 100 ∗ 100 a = 0 b = 0 Schnorr G ⊂ F ∗ ∗ 100 where ⟨ g ⟩ = G of order r and d < 2 m ≪ r . | 0 ⟩ | j ⟩ 2. Compute QFTs of size 2 2 m and 2 m . | k ⟩ | 0 ⟩ 4. Solve | { dj + 2 m k } 2 2 m | ≤ 2 m − 2 for d . | identity in G ⟩ � g a x − b ⟩ x − b x − b x − b x − b g a g a g a g a g a g a g a g a The probability of a good pair is ≥ 1 / 8. �