Lo Low-de depth pth qu quantu tum m cir ircuit its for r - PowerPoint PPT Presentation

Lo Low-de depth pth qu quantu tum m cir ircuit its for r computing ting dis iscr cret ete e logarit ithms hms on bin inary ellip iptic tic curves Rainer Steinwandt (based on joint work with Martin Rötteler)

Dlog log com omputation putation on on bin binary y EC ECs • infeasibility essential for prominent schemes ECDSA: {B,K}-{163, 233, 283, 409, 571} • Shor: feasible with scalable quantum computer efficient quantum circuits for EC arithmetic What is the depth of such an “attack circuit”?

Wh Whic ich h pa part rts are re (t (tim ime-)crit )critical? ical? • Quantum Fourier T ransform: fast parallel circuits known ( Cleve-Watrous ‘00) • (Double) scalar multiplication: , Q  E(GF(2 n )) find k  P+ l  Q for fixed non-zero P Maslov-Mathew-Cheung-Pradhan ‘09: depth O(n 2 ) with polynomial basis & projective coordinates unique point representation: O(n 2 ) inversion n  log n (Amento-Rötteler- S. ’13)

Ga Gate tes s us used ed | q 1  | q 1  CNOT OT : | q 2  | q 2  | q 3  | q 3  q 1  | q 1  | q 1  Toffoli li: | q 2  | q 2  | q 3  | q 3  (q 1  q 2 )  Executing two gates in parallel: only if they operate on disjoint sets of wires

Co Comp mplete lete bin inary y Ed Edwards wards cur urves ves Bernstein et al. ’08: For n  3 each ordinary binary elliptic curve birationally equivalent to a complete binary Edwards curve: d 1 (x+y)+d 2 (x 2 +y 2 )=xy+xy(x+y)+x 2 y 2 (d 1  GF(2 n ) * , d 2  GF(2 n ) with T r(d 2 )=1). • no projective closure needed (but projective coord. allow to avoid inversion) • identity: (0,0)

Co Comp mplete lete addit dition ion la law Find P 1 +P 2 for any curve points P 1 =(x 1 ,y 1 ), P 2 =(x 2 ,y 2 ): Point addition – const. number of GF(2 n ) operations: addition, squaring, multiplication (, inversion)

Lo Low-dep depth th GF GF(2 (2 n )-arithmet arithmetic ic Design decision: polynomial basis representation • Additi tion on: : depth O(1) : matrix-vector mult. addition • Sq Squaring ng: trees+“multi -fan-out CNOT w/ |0  - input”: O(log n) n: Maslov et al.’s construction • Multi ltiplic plicatio tion: reduces to 3 matrix-vector multiplications parallelization: depth O(log n) Projec ectiv tive e po point addition: n: dep epth h O(lo log n)

Passing ssing to to af affine ine coo oordinates rdinates … ensures unique representation of group elements: Amento et al.’s GF(2 n )-inverter reduces to O(log n) matrix-vector mult. + GF(2 n )-mult.: depth O(log 2 n) final inversion to ensure uniqueness as costly as complete projective point addition

ute k  P+ l  Q Ho How w to to co comp mpute Maslov et al.’strategy – right-to-left double-and-add: R ← 0 for i = 0 to n step 1 if k i = 1 then R ← R + 2 i ·P if l i = 1 then R ← R + 2 i ·Q return R precomputed … yields depth O( n  log n) circuit … requires O(n) potentially different adder circuits

Le Left-to to-right right + Shamir/Straus’s trick R ← 0 if k n = 1 then R ← R + P if l n = 1 then R ← R + Q for i = n−1 to 0 step −1 general doubling R ← 2·R if k i = 1 then R ← R + P if l i = 1 then R ← R + Q return R … depth O( n  log n), 3 circuit types, n doublings

Paralleli rallelized zed dou ouble ble-and and-add add requires “multi -fan-out CNOT w/ |0  - input” … depth O(log 2 n), general addition circuits

Co Conc nclusion lusion Suitable field & curve arithmetic reduces depth from O(n 2 ) to O(log 2 n), maintaining polynomial size. • Can we simplify the (Edwards) addition circuits? fewer T -gates and reduced T -depth desirable • Can we avoid or simplify the inversion? “normal form as expensive as the circuit” Room to optimize dlog computation on binary ECs.