On the success probability of the quantum algorithm for the short DLP

TL;DR

This paper analyzes the success probability of a variation of Shor's quantum algorithm for the short discrete logarithm problem, providing bounds and techniques to achieve near-certain success in specific cryptographic contexts.

Contribution

It establishes a lower bound on the success probability of the Eker{ a}-H{ a}stad algorithm and introduces classical post-processing methods to enhance its effectiveness.

Findings

Success probability can reach as high as 1 - 10^{-10} for short logarithms.

Limited classical search techniques significantly improve the algorithm's success rate.

Asymptotically, success probability approaches one as the bit length increases.

Abstract

Eker{\aa} and H{\aa}stad have introduced a variation of Shor's algorithm for the discrete logarithm problem (DLP). Unlike Shor's original algorithm, Eker{\aa}-H{\aa}stad's algorithm solves the short DLP in groups of unknown order. In this work, we prove a lower bound on the probability of Eker{\aa}-H{\aa}stad's algorithm recovering the short logarithm $d$ in a single run. By our bound, the success probability can easily be pushed as high as $1 - 10^{-10}$ for any short $d$. A key to achieving such a high success probability is to efficiently perform a limited search in the classical post-processing by leveraging meet-in-the-middle or random-walk techniques. These techniques may be generalized to speed up other related classical post-processing algorithms. Asymptotically, in the limit as the bit length $m$ of $d$ tends to infinity, the success probability tends to one if the limits on the search space are parameterized in $m$. Our results are directly applicable to Diffie-Hellman in safe-prime groups with short exponents, and to RSA via a reduction from the RSA integer factoring problem (IFP) to the short DLP.