A high-level comparison of state-of-the-art quantum algorithms for breaking asymmetric cryptography

TL;DR

This paper compares the costs of Regev's quantum algorithm with extensions to existing algorithms for factoring and discrete logarithms, concluding that current optimizations do not provide a clear advantage for cryptography.

Contribution

It provides a high-level comparison of quantum algorithms for cryptography, highlighting the limitations of current optimizations in achieving computational advantages.

Findings

Regev's algorithm without optimizations may have a per-run advantage.

With optimizations, Regev's algorithm does not outperform existing algorithms.

Further optimizations are needed for Regev's algorithm to be advantageous in cryptography.

Abstract

We provide a high-level cost comparison between Regev's quantum algorithm with Eker{\aa}-G\"artner's extensions on the one hand, and existing state-of-the-art quantum algorithms for factoring and computing discrete logarithms on the other. This when targeting cryptographically relevant problem instances, and when accounting for the space-saving optimizations of Ragavan and Vaikuntanathan that apply to Regev's algorithm, and optimizations such as windowing that apply to the existing algorithms. Our conclusion is that Regev's algorithm without the space-saving optimizations may achieve a per-run advantage, but not an overall advantage, if non-computational quantum memory is cheap. Regev's algorithm with the space-saving optimizations does not achieve an advantage, since it uses more computational memory, whilst also performing more work, per run and overall, compared to the existing state-of-the-art algorithms. As such, further optimizations are required for it to achieve an advantage for cryptographically relevant problem instances.