Quantum algorithms for typical hard problems: a perspective of cryptanalysis

The public-key cryptosystems, including RSA, ElGamal, ECC and the related variants, play an ingredient role in securing the confidential communication over the Internet during the past decades. The fundamental principle of designing a secure public-key cryptosystem is to lay its security on the difficulty of certain mathematical problems. For instances, RSA [1] builds up its security on the hardness of integer factorization problem (IFP), and the security of ElGamal and ECC [2] is based on the difficulty of solving the discrete logarithm problem (DLP) and the DLP over elliptic curves (ECDLP), respectively. Even with the system parameters well optimized, the classical algorithms ever known, such as those toward IFP, DLP and ECDLP, are no longer efficient to our problem, as the resource required would grow in a sub-exponential manner over the scale of the problem.

Quantum computing is an interdisciplinary subject between quantum mechanics and computer science. Shor’s algorithm [3] and Grover’s quantum search algorithm [4] are the two most widely used quantum algorithms at present. Shor’s algorithm is applied to solve large integer factorization problem and discrete logarithm problem. Grover’s quantum search algorithm is adopted to search a number of specific targets in a disordered database. Both of them are of great significance in the perspective of cryptanalysis. Shor’s quantum algorithm manifests a serious threat toward the security of RSA, ElGamal and ECC, since both the IFP problem and the DLP problem (including the ECDLP problem) can be solved efficiently with Shor’s quantum algorithms. Grover’s quantum algorithm is also used to speed up the task of collision finding. Therefore, to secure confidential communication in the so-called post-quantum era, some new public-key cryptosystems, which aim at resisting known quantum algorithmic attacks, appear on the stage of the modern cryptography. NIST launched the competition on post-quantum cryptography in 2016, and 26 outstanding designs have been selected for the second round evaluation so far.

As one of the most well-developed branches of post-quantum cryptography, lattice cryptography enjoys a high implementation efficiency and strong security reductions. In particular, Regev built the connection between the hardness of lattice problems and the hardness of the dihedral subgroup problem in 2002 [5]. However, at present, our confidence toward lattice cryptography is based merely on a heuristic reduction from the hardness of certain lattice problem to the hardness of certain quantum difficult problem, while the reverse reduction required by the logic framework of provable security is still open. Recently, Wen et al. made the first breakthrough toward building such kind of reverse reduction. Therefore, from the perspective of cryptanalysis, it is interesting to made a survey on quantum algorithms for classical hard problems, including lattice problems, IFP, DLP, ECDLP, as well as other related variants.

The rest of the paper is organized as follows: In Sect. 2, we reviewed quantum Fourier transform, for understanding quantum algorithms mentioned in this survey. The background for basis of qubit, quantum gates and quantum circuits is not involved in this work, since we believe it can be found in other textbooks on quantum computations, such as [6, 7]. In Sect. 3, we summarized the quantum algorithms for period findings, which helps to understand why some symmetric cipher, such as RC6, tends to be insecure in the post-quantum era. Quantum algorithms for factoring integers, including Shor’s algorithm based on quantum circuit model and Jiang’s algorithm based on quantum adiabatic model, are summarized in Sect. 4. This is a key to understand why public-key cryptosystems based on difficulty of IFP are no longer secure. In Sect. 5, we explored the quantum algorithms for the DLP problem and their variants over elliptic curves, matrices of group rings, etc. This tell us why ElGamal, ECC as well the related variants are secure when large-scale quantum computers are available. Then, in Sects. 6 and 7, we introduced quantum algorithms for the hidden subgroup problem and the hidden shift problems, respectively, as two common frameworks of designs quantum algorithm. In Sect. 8, we presented quantum algorithms for the dihedral subgroup problem and its relation with lattice problems, in order to understand the potential of lattice cryptography in resisting known quantum attacks. Finally, we conclude the paper in Sect. 9.

The quantum Fourier transform (QFT), with exponential speedup compared to the classical fast Fourier transform, has played an important role in quantum computation as a vital part of many quantum algorithms [8]. The QFT over \({\mathbb {Z}}_N\), the group of integers modulo N under addition, is a unitary operator \(F_{\mathbb {Z}_N}\) that effects on a basis state as follows:where \(\omega _{N}:=e^{2\pi i/N}\) denotes a primitive Nth root of the unity. Its matrix representation isMore succinctly, it is denoted byFurther, we can derive QFT over any finite abelian group G. We know that any finite abelian group G can be expressed as a direct product of cyclic subgroups of prime power orders \(G\cong {\mathbb {Z}}_{p_1}\times \cdots \times {\mathbb {Z}}_{p_r}\). Thus, in this case the QFT over G is the quantum operator \(F_G= F_{p_1}\otimes \cdots \otimes F_{p_r}\).

Without loss of generality, assuming \(n=\lceil \log N\rceil \), then the circuit of QFT over \({\mathbb {Z}}_N\), as depicted in Fig. 1, can be implemented exactly by using \(\frac{n(n-1)}{2}\) of controlled rotation gates, plus with n Hadamard gates, leading to the gate complexity \(O(n^2)\). Recently, Su et al. [9] suggested that QFT over n-qubits can be approximate with \(O(n\log n)\) T-gates.

A function over the domain \(\mathcal {D}\) is called periodic if there is a unique and smallest \(r>0\) (called period) so that \(f(x)=f(x+r)\) holds for every \(x\in \mathcal {D}\). Say, the sine and cosine functions, respectively, have periods \(2\pi \) and \(\pi \) over \({\mathbb {R}}\). Although this definition does not require r to be integer and \(\mathcal {D}\) to be discrete, for the problems discussed in this survey, we only consider the settings of r being a positive integer and \(\mathcal {D}\) being a discrete ring, say \({\mathbb {Z}}\) or \({\mathbb {Z}}_n\) (for some \(n\in {\mathbb {N}}\)). Intuitively, without any other heuristic information on f, say regarding f as a black box, any classical algorithm for determining whether f has a period r needs to evaluate f on, in the worse case, all elements in \(\mathcal {D}\), leading to the time complexity \(\mathcal {O}(|\mathcal {D}|)\) and space complexity \(\mathcal {O}(1)\).

However, quantum computers can work exponentially faster than any classical computers toward the period finding problem. The first breakthrough on this issue can be traced back to the landmark work due to Simon [11]. Simon’s algorithm is not only the first algorithm that represents a substantial advance in relativized time complexity vs. classical computing, but also a turning point in the development of quantum computation technology considering that it contains the key ingredients of the relevant algorithms that follow, including the notably Shor’s quantum algorithm for integer factoring problem [7]. Very recently, Dong [12] proposed indistinguishable attack and key-recover attack toward one of the well-known cipher structure—the extended Feistel structures, including the typical block ciphers such as CAST256 and RC6.

Simon’s algorithm is proposed to deal with the following problem [13]: Given a Boolean function \(f:\{0,1\}^n\rightarrow \{0,1\}^n\) that satisfies the so-called Simon commitment conditionthe objective is to find \(s\in \{0,1\}^n\). Considering that \(\oplus \) is the addition over binary field, the Simon’s commitment condition is equivalent to that f has period r over \({\mathbb {Z}}_2^n\). Now, suppose that a quantum circuit \(U_f\) for implementing \({\left| {x}\right\rangle }{\left| {0}\right\rangle }\rightarrow {\left| {x}\right\rangle }{\left| {f(x)}\right\rangle }\) is at hand, then the Simon’s algorithm is depicted in Fig. 2, and a modified version due to Mosca consists of the following eight steps [13]:

To summary, the above description of Simon’s algorithm requires O(n) quantum operators over 2n qubits, plus a classical post-processing with time complexity \(O(n^3)\).

The integer factorization problem (IFP) is given an integer N, output prime numbers p, q, where \(N=pq\) . It is an important problem in number theory and has attracted significant attention due to its importance in data encryption [14]. For example, the IFP is used as the basic hardness assumption for RSA cryptosystem. Up to now, the most effective classical algorithm for solving IFP is the general number field sieve [15], while the number of operations required still grows sub-exponentially with the bit length of the integer to be factorized. Quantum computing can effectively reduce the complexity of solving certain problems, and it has attracted much attention in recent years [6]. Some tested quantum computing platforms are already available, such as cloud quantum computers from IBM [16, 17] based on nuclear magnetic resonance (NMR) [18] and D-Wave’s quantum annealing system.

Researchers are currently focusing on two main research directions to solve the IFP via quantum computing: Shor’s quantum factoring algorithm and quantum adiabatic computing (QAC).

Let \(G=\langle g \rangle \) be a cyclic group of order p and g be a generator of G. The discrete logarithmic problem (DLP) over G is to find an integer r such that \(g^r=y\) for given \(y\in G\). Diffie–Hellman key exchange protocol, ElGamal encryption and most elliptic curve cryptosystems are based on the difficulty of computing discrete logarithms. At present, the best known classical algorithm for solving DLP is the so-called index-calculate method (ICM) that requires sub-exponential classical operations.

In 1994, Shor [3] put forward a polynomial time quantum algorithm to solve the discrete logarithmic problem in group. Proos et al. [42] further extended Shor’s quantum DLP algorithm to elliptic curves [42‐44]. In 2012, Myasnikov et al. proposed a quantum algorithm for the DLP over matrices of finite group rings [45]. Childs [46] described an effective quantum algorithm for computing discrete logarithms over semigroups. Recently, further generalized Shor’s quantum DLP algorithms are proposed for different algebraic structures [47‐50].

With the identity \(g^r=y\), if we define a binary function \(f:{\mathbb {Z}}_{p-1}\times {\mathbb {Z}}_{p-1}\rightarrow {\mathbb {Z}}_p\) as follows:then f takes \((r, -1)\) as its period, considering thatTherefore, the aforementioned idea for finding period can be used to solve the discrete logarithms problems.

Now, suppose a quantum circuit \(U_f\) for implementingis at hand, then Shor’s discrete logarithm algorithm is depicted in Fig. 4. A modified version of Shor’s quantum DLP algorithm, due to Wang [51], consists of the following six steps:The complexities of Shor’s quantum DLP algorithm and some related algorithms are collected in Table 4.

Let H be the subgroup of group G, S be any set and \(f : G \rightarrow S\) a function that distinguishes cosets of H, i.e., \(\forall g_{1}, g_{2} \in G, f (g_{1}) = f (g_{2}) \Leftrightarrow g_{1}H = g_{2} H\). The hidden subgroup problem (HSP) is to find the subgroup H using f. To solve this problem classically, \(\Omega (|G|)\) queries on f are required, while it is solvable on a quantum computer using merely \(O(\log |G|)\)f-queries.

In 1995, Kitaev [52] gave a polynomial quantum algorithms to solve the abelian stabilizer problem (ASP) and prove that the integer factorization and discrete logarithm problems can be solved as special cases. In 1995, Dan and Lipton [53] first built the relationship between quantum algorithm and HSP and designed a quantum algorithm to solve the hidden linear function. In 1997, Brassard and Hoyer [54] extended the Simon’s problem to HSP. In 1998, Jozsa [55] gave a unified description of Deustch–Jozsa’s algorithm, Simon’s algorithm and Shor’s algorithm in the form of HSP. Subsequently, Mosca [56, 57] and Jozsa [58] introduced the more general abelian HSP and gave quantum Fourier transform to solve it. Abelian HSP mainly focuses on finite abelian groups, and related algorithms can be seen in [57, 59].

The algorithm of general finite abelian HSP rewrote by Damgard [60] consists of the following six steps:

Given a finite group G, a finite set R and two maps \(f,g: G\rightarrow R\), the hidden shift problem is to find some \(s\in G\) such that \(f(x) = g(x+s)\) for all \(x\in G\). At least \(\sqrt{N}\) queries are necessary for hidden shift problem by reduction from Grover’s problem. However, on quantum computer, only \(\mathcal {O}(1)\) queries can solve certain special cases of hidden shift problems. The hidden shift problem was first introduced and studied by van Dam et al. [61, 62] in 2003. The shifted Legendre symbol algorithm [63, 64] is classified as this special case, and no classical algorithm in \(\mathcal {O}(\hbox {polylog}N)\) time has been found to solve these problems. In addition, the shifted Legendre symbol problem’s quantum algorithm will destroy the specific cryptographic pseudorandom generator and it has the ability to make quantum queries to the generator [62]. There has a connection between the hidden shift problem and the hidden subgroup problem, hidden subgroup problem over dihedral group is equivalent to the hidden shift problem over \(\mathbb {Z}_{N}\), and graph isomorphism can be cast as a hidden shift problem over \(S_{n}\) [10‐12]. The study of the hidden shift problem can give an arguably more natural view to tackle the graph isomorphism problem [12]. Based on the “pretty good measurement,” Childs et al. [65] proposed a quantum algorithm for the generalized hidden shift problem: \(f\in \mathbb {Z}_{M}\times \mathbb {Z}_{N}\) satisfying \(f(b,x) = f(b+1,x+s)\) for \(b\in {\mathbb {Z}}_M\) and \(x,s\in {\mathbb {Z}}_N\). In 2010, Roetteler [66] gave an efficient quantum algorithm for solving the hidden shift problem for several classes of the so-called bent functions. Gavinsky et al. [67] gave an efficient quantum algorithm for solving the hidden shift problem for the average case Boolean functions in 2001. Ozols et al. [68] gave another quantum algorithm for the Boolean hidden shift problem based on a quantum analogue of the rejection sampling.

The quantum algorithm for a generalized hidden shift problem by Childs is as follows:Now, we need to discuss how to derive s according to three different cases.

The dihedral group is a symmetric group generated by the reflection and rotation. It contains 2N elements:where s can be viewed as a reflection about some fixed axis, and r is a rotation by an angle \(\frac{2\pi }{N}\). Moreover, \(D_N\) is isomorphic to a semidirect product of the two cyclic groups \({\mathbb {Z}}_2\) and \({\mathbb {Z}}_N\) of order 2 and N, respectively,with multiplication defined byThe homomorphism \(\phi : {\mathbb {Z}}_2\rightarrow \mathrm {Aut}({\mathbb {Z}}_N)\) is specified byAn element \((a,b)\in D_N\) is a rotation if \(a = 0\), and a reflection if \(a = 1\) [69]. Now, let us consider a hidden subgroup \(H=\{(0,0),(1,d)\}\) for some unknown \(d\in {\mathbb {Z}}_N\). That is, H is the subgroup group generated by an unknown reflection \(r=(1,d)\). The dihedral hidden subgroup problem (dHSP) with respect to H is to find d. This problem is also formulated quantum as the so-called dihedral coset problem (DCP): Given many superpositions \(\{ \frac{1}{\sqrt{2}}(|0,x_{i}\rangle + |1,x_{i}+d\rangle ): x_i\in {\mathbb {Z}}_N \}_{i\le \ell }\) (i.e., the coset of H), the objective is to find d.

In 1998, Ettingcr and Hoyer [69] were the first to study dihedral hidden subgroup problems (dHSP). They divided the dihedral group into two subgroups of rotation and reflection and searched for the hidden subgroups of each subgroup, respectively. They claimed that it is enough to solve dHSP if the generator of the hidden subgroup of the reflected subgroup is known. In 2002, Regev [5] found the connection between the unique shortest vector problem (uSVP) and dHSP and pointed out that if dHSP can be effectively solved, the unique shortest vector problem of lattice can also be effectively solved. Kuperberg [76] first proposed a sub-exponential quantum algorithm of dHSP. In 2004, Regev [5] abstracted Kuperberg’s sieve method as a pipeline, reducing the quantum space complexity of the original algorithm to polynomial level, but the time complexity is still sub-exponential. In 2011, Kuperberg [76] improved the original algorithm and Regev’s polynomial space algorithm and proposed another sub-exponential quantum algorithm of dHSP. The time complexity of the improved algorithm is slightly reduced, but in the worst case, the algorithm is Regev’s algorithm. In 2016, Roetteler [71] first raised a quantum algorithm that can solve a special type of dHSP problem in polynomial time and space complexities: When \(N=2^{m}-1\), more than \(\mathcal {O}(2^{m^{2}})\) instances are easy to solve among dHSP problem on the dihedral group \(D_{N}\) , that is, the total number of easily solved instances increases exponentially with m.

In recent years, significant progress has been made in lattice-based cryptography among the post-quantum public-key cryptography. Many lattice-based public-key encryption schemes have been proposed in light of the fact that some lattice problems [72‐74] such as unique shortest vector problem (uSVP) are the foundation of the trapdoor one-way function. However, uSVP can be reduced to a kind of non-abelian hidden subgroup problem [5]: the dihedral hidden subgroup problem. Therefore, the study on quantum algorithm for the dihedral hidden subgroup problem has great significance for the security of lattice-based cryptography.

With the rapid development of quantum computing, it broke through the defense line of the classic cryptosystems, which makes the post-quantum cryptography become the frontier of research. In order to search the novel cryptography which is resistant to quantum attack, it is of great necessity to conduct a systematical analysis of the quantum algorithms that could solve the typical hard problems. In this paper, we start from the typical hard problems: integer factorization problem, discrete logarithmic problem and dihedral hidden subgroup problems in the public-key cryptosystem (respectively, RSA, ElGamal, ECC); then, we analyze the latest development of quantum algorithms; besides, the limitation of typical cryptosystem (RSA, ElGamal, ECC) and its vulnerability to quantum attacks, as well as the explanation to the resistance of lattice cryptography to quantum attacks are all elaborated. For future research, analyzing the isogeny, multivariable and seeking for the quantum algorithms for problems such as hash collision should be of guiding significance.