On the Design and Optimization of
a Quantum Polynomial-Time Attack
on Elliptic Curve Cryptography
D. Cheung – IQC/UWaterloo, Canada
D. Maslov (spkr) – IQC/UWaterloo, Canada
J. Mathew – UBristol, UK
D. K. Pradhan – UBristol, UK
Outline
- What is Elliptic Curve Cryptography (ECC), and why use it?
- Quantum algorithm for the additive (discrete) logarithm over elliptic curves
- Analysis and conclusion
page 1/16
What is ECC?
ECC is an approach to public key
cryptography based on the algebraic structure
of elliptic curves over finite fields.
Its security rests on the existence of efficient additive exponentiation (scalar multiplication) together with the absence of efficient classical algorithms for the additive logarithm.
ECC is typically considered over one of two fields: GF(2^m) or F_p, where p is prime.
page 2/16
What is ECC?
Elliptic curves
An elliptic curve is the set of points $(x, y) \in F^2$ satisfying the equation
$$y^2 + xy = x^3 + ax^2 + b,$$
where $a, b \in F$.
It is possible to define a cyclic Abelian group structure over the points on an elliptic curve, but for that we need to define a special addition such that $P, Q \in EC \Rightarrow P + Q \in EC$.
page 3/16
What is ECC?
Define the addition operation over the points on an elliptic curve as follows.
When $P = Q = (x_1, y_1)$, $P + Q = (x_3, y_3)$ where
$$x_3 = \lambda^2 + \lambda + a, \qquad y_3 = x_1^2 + \lambda x_3 + x_3, \qquad \text{with } \lambda = x_1 + \frac{y_1}{x_1}.$$
When $P = (x_1, y_1) \neq Q = (x_2, y_2)$, then
$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda (x_1 + x_3) + x_3 + y_1, \qquad \text{with } \lambda = \frac{y_1 + y_2}{x_1 + x_2}.$$
page 4/16
What is ECC?
For $P = (x_1, y_1)$, the negation $-P$ is defined as
$$-P = (x_1, x_1 + y_1).$$
Finally, the point $O$ at infinity is defined so as to satisfy the additive identity properties.
According to Hasse's theorem there are enough points on an elliptic curve for cryptographic purposes:
$$\left| q + 1 - \#E(F_q) \right| \le 2\sqrt{q}.$$
page 5/16
What is ECC?
Geometric intuition
page 6/16
Why ECC?
RSA can be broken with an integer factorization algorithm that scales as
$$\exp\left(1.923\, n^{1/3} \log^{2/3} n\right).$$
To break ECC, the best known classical algorithm requires an $O\left(2^{n/2}\right)$ search.
page 7/16
Why ECC?
Security (bits)    RSA key size    ECC key size
80                 1024            160
112                2048            224
128                3072            256
192                7680            384
256                15360           512

HW: Mode           RSA-3072              ECC-283
Space-optimized    184ms, 50K gates      29ms, 6660 gates
Time-optimized     110ms, 189K gates     1.3ms, 80K gates
page 8/16
Quantum Algorithm
The quantum algorithm consists of two distinct stages: modular (additive) exponentiation and the quantum Fourier transform.
Modular exponentiation is done by the square-and-multiply algorithm, which in additive notation is double-and-add.
We optimize the circuit implementation for multiplication over GF(2^m).
The best previously known such circuit has depth O(m^2) on an unrestricted architecture.
page 9/16
Quantum Algorithm
The problem is to multiply $a = [a_0, a_1, \ldots, a_{m-1}]$ and $b = [b_0, b_1, \ldots, b_{m-1}]$. Define $d = Lb$; $e = Ub$, where
$$L = \begin{pmatrix}
a_0 & 0 & 0 & \cdots & 0 \\
a_1 & a_0 & 0 & \cdots & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
a_{m-2} & a_{m-3} & a_{m-4} & \cdots & 0 \\
a_{m-1} & a_{m-2} & a_{m-3} & \cdots & a_0
\end{pmatrix}, \qquad
U = \begin{pmatrix}
0 & a_{m-1} & a_{m-2} & \cdots & a_1 \\
0 & 0 & a_{m-1} & \cdots & a_2 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & \cdots & a_{m-1}
\end{pmatrix}.$$
Then $ab = d + x^m e = d + Qe$, where $Q$ depends on the choice of the primitive polynomial.
page 10/16
Quantum Algorithm
Example
Multiplication over $GF(2^4)$ with $P(x) = x^4 + x + 1$:
$$d = \begin{pmatrix}
a_0 b_0 \\
a_1 b_0 + a_0 b_1 \\
a_2 b_0 + a_1 b_1 + a_0 b_2 \\
a_3 b_0 + a_2 b_1 + a_1 b_2 + a_0 b_3
\end{pmatrix}, \qquad
e = \begin{pmatrix}
a_3 b_1 + a_2 b_2 + a_1 b_3 \\
a_3 b_2 + a_2 b_3 \\
a_3 b_3
\end{pmatrix}, \qquad
Q = \begin{pmatrix}
1 & 0 & 0 \\
1 & 1 & 0 \\
0 & 1 & 1 \\
0 & 0 & 1
\end{pmatrix},$$
$$ab = d + Qe.$$
page 11/16
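The following is an added worked example, not code from the slides or their authors. It implements the d + Qe multiplication of slides 10 and 11 for the slides' GF(2^4) with P(x) = x^4 + x + 1, checks it against plain polynomial multiplication with reduction, and then reuses that multiplier for the affine addition, doubling and negation formulas of slides 4 and 5, a classical double-and-add scalar multiplication (the additive square-and-multiply of slide 9), and a point count for Hasse's bound. The curve y^2 + xy = x^3 + 1 (a = 0, b = 1), the sample points, and all function names are constructed for this demonstration and are not from the slides.

```python
# Added example, not from the slides. Field: GF(2^4), P(x) = x^4 + x + 1 (slide 11).
# Curve: y^2 + xy = x^3 + 1, i.e. a = 0, b = 1, a constructed choice for this demo.
M = 4
POLY = 0b10011            # bit i of an int = coefficient of x^i
CURVE_A, CURVE_B = 0, 1

def bits(v):
    """Coefficient vector [v0, ..., v_{m-1}] of an int-encoded field element."""
    return [(v >> i) & 1 for i in range(M)]

def reduce_mod_p(v):
    """Reduce a polynomial of any degree modulo P(x) by XOR-ing shifted copies of P."""
    for k in range(v.bit_length() - 1, M - 1, -1):
        if (v >> k) & 1:
            v ^= POLY << (k - M)
    return v

def lower_L(a):
    """m x m lower-triangular Toeplitz L: (Lb)_k = sum_{i+j=k} a_i b_j for k < m."""
    return [[a[i - j] if i >= j else 0 for j in range(M)] for i in range(M)]

def upper_U(a):
    """(m-1) x m matrix U: (Ub)_t = sum_{i+j=m+t} a_i b_j, coefficients of x^m..x^{2m-2}."""
    return [[a[M + t - j] if j > t else 0 for j in range(M)] for t in range(M - 1)]

def reduction_Q():
    """m x (m-1) matrix Q: column t is x^{m+t} reduced modulo P(x)."""
    cols = [bits(reduce_mod_p(1 << (M + t))) for t in range(M - 1)]
    return [[cols[t][i] for t in range(M - 1)] for i in range(M)]

def matvec(mat, vec):
    """Matrix-vector product over GF(2)."""
    return [sum(r & v for r, v in zip(row, vec)) & 1 for row in mat]

def mul(a_int, b_int):
    """a*b in GF(2^m) computed as d + Qe with d = Lb, e = Ub (slide 10)."""
    a, b = bits(a_int), bits(b_int)
    d, e = matvec(lower_L(a), b), matvec(upper_U(a), b)
    qe = matvec(reduction_Q(), e)
    return sum((di ^ qi) << i for i, (di, qi) in enumerate(zip(d, qe)))

def mul_reference(a, b):
    """Independent check: carry-less multiply, then reduce."""
    r = 0
    for i in range(M):
        if (b >> i) & 1:
            r ^= a << i
    return reduce_mod_p(r)

def inv(x):
    """x^{-1} = x^{2^m - 2}; this is the division the projective form of slide 13 avoids."""
    if x == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, exp = 1, x, (1 << M) - 2
    while exp:
        if exp & 1:
            result = mul(result, base)
        base, exp = mul(base, base), exp >> 1
    return result

def on_curve(pt, a=CURVE_A, b=CURVE_B):
    """Test y^2 + xy = x^3 + a x^2 + b; None stands for the point O at infinity."""
    if pt is None:
        return True
    x, y = pt
    return mul(y, y) ^ mul(x, y) == mul(mul(x, x), x) ^ mul(a, mul(x, x)) ^ b

def negate(pt):
    """-P = (x1, x1 + y1), slide 5."""
    return None if pt is None else (pt[0], pt[0] ^ pt[1])

def add(p, q, a=CURVE_A):
    """Point addition and doubling with the slide 4 formulas; O is the identity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if y1 != y2 or x1 == 0:              # q == -p, or p has order 2
            return None
        lam = x1 ^ mul(y1, inv(x1))          # lambda = x1 + y1/x1
        x3 = mul(lam, lam) ^ lam ^ a         # lambda^2 + lambda + a
        y3 = mul(x1, x1) ^ mul(lam ^ 1, x3)  # x1^2 + (lambda + 1) x3
    else:
        lam = mul(y1 ^ y2, inv(x1 ^ x2))     # lambda = (y1 + y2)/(x1 + x2)
        x3 = mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a
        y3 = mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def scalar_mul(k, p):
    """Classical double-and-add, the additive square-and-multiply of slide 9."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def count_points(a=CURVE_A, b=CURVE_B):
    """#E(F_q) including O, for checking Hasse's bound |q + 1 - #E| <= 2 sqrt(q) (slide 5)."""
    q = 1 << M
    return 1 + sum(on_curve((x, y), a, b) for x in range(q) for y in range(q))
```

Running `reduction_Q()` reproduces the Q matrix of slide 11, and `mul` agrees with `mul_reference` on all 256 pairs of field elements; on the constructed curve, doubling (1, 1) gives (0, 1) and the group has 16 points, within Hasse's bound |17 - #E| <= 8.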
Quantum Algorithm
[Circuit diagram: e = Ub is computed, multiplied by Q, and added to d = Lb; labels e, Q, d]
page 12/16
Quantum Algorithm
Projective representation
To avoid division, we store a point (x, y) on an elliptic curve as (X, Y, Z) with (x, y) = (X/Z, Y/Z).
In such a representation, division can be thought of as multiplication of the Z coordinate by the appropriate quantity.
The total depth of our DL algorithm over points on an elliptic curve is O(m^2).
page 13/16
Analysis
Quantum attack
RSA: O(m^2) depth, but "requires small controlled rotations that may prove expensive". Otherwise, depth O(m^2 log m).
ECC: O(m^2) depth (best previously known is O(m^3)); O(m^3) gates, O(m) ancillae.
page 14/16
Analysis
Classical security
RSA: O(n^3); slower data processing, larger circuit.
ECC: O(n^2 log n); faster data processing, smaller circuit.
page 15/16
Conclusion
A quantum algorithm for breaking ECC is a stronger practical argument for quantum computing.
A possible reason for the efficiency of the quantum attack on ECC is that addition and multiplication of GF(2^m) field elements need no carries between digits.
page 16/16
END
Thank you for your attention!