Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms

  • Martin RoettelerEmail author
  • Michael Naehrig
  • Krysta M. Svore
  • Kristin Lauter
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)


We give precise quantum resource estimates for Shor’s algorithm to compute discrete logarithms on elliptic curves over prime fields. The estimates are derived from a simulation of a Toffoli gate network for controlled elliptic curve point addition, implemented within the framework of the quantum computing software tool suite LIQ\(Ui|\rangle \). We determine circuit implementations for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. We conclude that elliptic curve discrete logarithms on an elliptic curve defined over an n-bit prime field can be computed on a quantum computer with at most \(9n + 2\lceil \log _2(n)\rceil +10\) qubits using a quantum circuit of at most \(448 n^3 \log _2(n) + 4090 n^3\) Toffoli gates. We are able to classically simulate the Toffoli networks corresponding to the controlled elliptic curve point addition as the core piece of Shor’s algorithm for the NIST standard curves P-192, P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to recent resource estimates for Shor’s factoring algorithm. The results also support estimates given earlier by Proos and Zalka and indicate that, for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA.


Quantum cryptanalysis Elliptic curve cryptography Elliptic curve discrete logarithm problem 



We thank Christof Zalka for feedback and discussions and the anonymous reviewers for their valuable comments.


  1. 1.
    Amy, M., Maslov, D., Mosca, M., Roetteler, M.: A meet-in-the-middle algorithm for fast synthesis of depth-optimal quantum circuits. IEEE Trans. Comput. Aided Des. Integr. Circ. Syst. 32(6), 818–830 (2013)CrossRefGoogle Scholar
  2. 2.
    Beauregard, S.: Circuit for Shor’s algorithm using 2n+3 qubits. Quantum Inf. Comput. 3(2), 175–185 (2003)MathSciNetzbMATHGoogle Scholar
  3. 3.
    Bernstein, D.J., Biasse, J.-F., Mosca, M.: A low-resource quantum factoring algorithm. In: Lange and Takagi [28], pp. 330–346Google Scholar
  4. 4.
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  5. 5.
    Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., Moeller, B.: Elliptic curve cryptography (ECC) cipher suites for Transport Layer Security (TLS). RFC 4492, RFC Editor (2006)Google Scholar
  6. 6.
    Bos, J.W., Costello, C., Miele, A.: Elliptic and hyperelliptic curves: a practical security analysis. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 203–220. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  7. 7.
    Bosma, W., Lenstra, H.W.: Complete system of two addition laws for elliptic curves. J. Number Theor. 53(2), 229–240 (1995)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Certicom Research: Standards for efficient cryptography 2: recommended elliptic curve domain parameters. Standard SEC2, Certicom (2000)Google Scholar
  9. 9.
    Crandall, R., Pomerance, C. (eds.): Prime Numbers - A Computational Perspective. Springer, New York (2005). zbMATHGoogle Scholar
  10. 10.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.2. RFC 5246, RFC Editor (2008)Google Scholar
  11. 11.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: the second-generation onion router. In: Blaze, M. (ed.) USENIX Security 2004, pp. 303–320. USENIX (2004)Google Scholar
  13. 13.
    ECC Brainpool: ECC brainpool standard curves and curve generation (2005).
  14. 14.
    Ekerå, M., Håstad, J.: Quantum algorithms for computing short discrete logarithms and factoring RSA integers. In: Lange and Takagi [28], pp. 347–363Google Scholar
  15. 15.
    Fowler, A.G., Mariantoni, M., Martinis, J.M., Cleland, A.N.: Surface codes: towards practical large-scale quantum computation. Phys. Rev. A 86, 032324 (2012). arXiv:1208.0928 CrossRefGoogle Scholar
  16. 16.
    Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Crypt. 78(1), 51–72 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). CrossRefGoogle Scholar
  18. 18.
    Gordon, D.M.: Discrete logarithms in GF(P) using the number field sieve. SIAM J. Discrete Math. 6(1), 124–138 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Griffiths, R., Niu, C.: Semiclassical Fourier transform for quantum computation. Phys. Rev. Lett. 76(17), 3228–3231 (1996)CrossRefGoogle Scholar
  20. 20.
    Hamburg, M.: Ed448-Goldilocks, a new elliptic curve. IACR Cryptology ePrint Archive 2015:625 (2015)Google Scholar
  21. 21.
    Haner, T., Roetteler, M., Svore, K.M.: Factoring using \(2n\,{+}\,2\) qubits with Toffoli based modular multiplication. Quantum Inf. Comput. 18(7&8), 673–684 (2017)Google Scholar
  22. 22.
    Hollosi, A., Karlinger, G., Rossler, T., Centner, M., et al.: Die osterreichische Burgerkarte (2008).
  23. 23.
    Johnson, D., Menezes, A., Vanstone, S.A.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)CrossRefGoogle Scholar
  24. 24.
    Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comput. 72(242), 953–967 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Kaliski Jr., B.S.: The Montgomery inverse and its applications. IEEE Trans. Comput. 44(8), 1064–1065 (1995)CrossRefzbMATHGoogle Scholar
  26. 26.
    Kliuchnikov, V., Maslov, D., Mosca, M.: Practical approximation of single-qubit unitaries by single-qubit quantum Clifford and \(T\) circuits. IEEE Trans. Comput. 65(1), 161–172 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Lange, T., Takagi, T. (eds.): PQCrypto 2017. LNCS, vol. 10346. Springer, Cham (2017). Google Scholar
  29. 29.
    Langley, A., Hamburg, M., Turner, S.: Elliptic curves for security. RFC 7748, RFC Editor (2016)Google Scholar
  30. 30.
    Lenstra, A.K., Lenstra, H.W. (eds.): The Development of the Number Field Sieve. LNM, vol. 1554. Springer, Heidelberg (1993). zbMATHGoogle Scholar
  31. 31.
    Maslov, D., Mathew, J., Cheung, D., Pradhan, D.K.: An O(m\({^{2}}\))-depth quantum algorithm for the elliptic curve discrete logarithm problem over GF(2\({^{m}})\) \({^{a}}\). Quantum Inf. Comput. 9(7), 610–621 (2009)MathSciNetzbMATHGoogle Scholar
  32. 32.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). Google Scholar
  33. 33.
    Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009).
  35. 35.
    Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000)zbMATHGoogle Scholar
  36. 36.
    Paterson, K.G.: Formal request from TLS WG to CFRG for new elliptic curves. CFRG mailing list, 14 July 2014.
  37. 37.
    Pollard, J.M.: Monte Carlo methods for index computation mod p. Math. Comput. 32(143), 918–924 (1978)MathSciNetzbMATHGoogle Scholar
  38. 38.
    Pollard, J.M.: Kangaroos, monopoly and discrete logarithms. J. Cryptol. 13(4), 437–447 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  39. 39.
    Proos, J., Zalka, C.: Shor’s discrete logarithm quantum algorithm for elliptic curves. Quantum Inf. Comput. 3(4), 317–344 (2003)MathSciNetzbMATHGoogle Scholar
  40. 40.
    Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  41. 41.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    Selinger, P.: Quantum circuits of \(T\)-depth one. Phys. Rev. A 87, 042302 (2013)CrossRefGoogle Scholar
  43. 43.
    Selinger, P.: Efficient Clifford\(+T\) approximation of single-qubit operators. Quantum Inf. Comput. 15(1–2), 159–180 (2015)MathSciNetGoogle Scholar
  44. 44.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS 1994, pp. 124–134. IEEE Computer Society (1994)Google Scholar
  45. 45.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  46. 46.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, New York (2009). CrossRefzbMATHGoogle Scholar
  47. 47.
    Stebila, D., Green, J.: Elliptic curve algorithm integration in the Secure Shell Transport Layer. RFC 5656, RFC Editor (2009)Google Scholar
  48. 48.
    Stein, J.: Computational problems associated with Racah algebra. J. Comput. Phys. 1(3), 397–405 (1967)CrossRefzbMATHGoogle Scholar
  49. 49.
    Takahashi, Y., Tani, S., Kunihiro, N.: Quantum addition circuits and unbounded fan-out. Quantum Inf. Comput. 10(9&10), 872–890 (2010)MathSciNetzbMATHGoogle Scholar
  50. 50.
    U.S. Department of Commerce/National Institute of Standards and Technology: Digital Signature Standard (DSS). FIPS-186-4 (2013).
  51. 51.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  52. 52.
    Wecker, D., Svore, K.M.: LIQ\(Ui|\rangle \): a software design architecture and domain-specific language for quantum computing (2014).
  53. 53.
    WhatsApp Inc.: Whatsapp encryption overview. Technical White Paper (2016)Google Scholar
  54. 54.
    Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.): PKC 2006. LNCS, vol. 3958. Springer, Heidelberg (2006). zbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Martin Roetteler
    • 1
    Email author
  • Michael Naehrig
    • 1
  • Krysta M. Svore
    • 1
  • Kristin Lauter
    • 1
  1. 1.Microsoft ResearchRedmondUSA

Personalised recommendations