TY - JOUR

T1 - The Present and Future of Discrete Logarithm Problems on Noisy Quantum Computers

AU - Aono, Yoshinori

AU - Liu, Sitong

AU - Tanaka, Tomoki

AU - Uno, Shumpei

AU - Meter, Rodney V.A.N.

AU - Shinohara, Naoyuki

AU - Nojima, R. Y.O.

N1 - Funding Information:
This work was supported by the MEXT Quantum Leap Flagship Program under Grant JPMXS0118067285 and Grant JPMXS0120319794.
Publisher Copyright:
© 2020 IEEE.

PY - 2022

Y1 - 2022

N2 - The discrete logarithm problem (DLP) is the basis for several cryptographic primitives. Since Shor's work, it has been known that the DLP can be solved by combining a polynomial-size quantum circuit and a polynomial-time classical postprocessing algorithm. The theoretical result corresponds the situation where a quantum device working with a medium number of qubits of very small errors can solve the DLP. However, all the quantum devices that we can use have a limited number of noisy qubits, as of the noisy intermediate-scale quantum (NISQ) era. Thus, evaluating the instance size that the latest quantum device can solve and giving a future prediction of the size along the progress of quantum devices are emerging research topics. This article contains two proposals to discuss the performance of quantum devices against the DLP in the NISQ era: 1) a quantitative measure based on the success probability of the postprocessing algorithm to determine whether an experiment on a quantum device (or a classical simulator) succeeded; and 2) a procedure to modify bit strings observed from a Shor's circuit to increase the success probability of a lattice-based postprocessing algorithm. In this article, we conducted our experiments with the ibm_kawasaki device and discovered that the simplest circuit (7 qubits) from a 2-bit DLP instance achieves a sufficiently high success probability to proclaim the experiment successful. Experiments on another circuit from a slightly harder 2-bit DLP instance, on the other hand, did not succeed, and we determined that reducing the noise level by half is required to achieve a successful experiment. Finally, we give a near-term prediction based on required noise levels to solve some selected small DLPs and integer factoring instances.

AB - The discrete logarithm problem (DLP) is the basis for several cryptographic primitives. Since Shor's work, it has been known that the DLP can be solved by combining a polynomial-size quantum circuit and a polynomial-time classical postprocessing algorithm. The theoretical result corresponds the situation where a quantum device working with a medium number of qubits of very small errors can solve the DLP. However, all the quantum devices that we can use have a limited number of noisy qubits, as of the noisy intermediate-scale quantum (NISQ) era. Thus, evaluating the instance size that the latest quantum device can solve and giving a future prediction of the size along the progress of quantum devices are emerging research topics. This article contains two proposals to discuss the performance of quantum devices against the DLP in the NISQ era: 1) a quantitative measure based on the success probability of the postprocessing algorithm to determine whether an experiment on a quantum device (or a classical simulator) succeeded; and 2) a procedure to modify bit strings observed from a Shor's circuit to increase the success probability of a lattice-based postprocessing algorithm. In this article, we conducted our experiments with the ibm_kawasaki device and discovered that the simplest circuit (7 qubits) from a 2-bit DLP instance achieves a sufficiently high success probability to proclaim the experiment successful. Experiments on another circuit from a slightly harder 2-bit DLP instance, on the other hand, did not succeed, and we determined that reducing the noise level by half is required to achieve a successful experiment. Finally, we give a near-term prediction based on required noise levels to solve some selected small DLPs and integer factoring instances.

KW - Discrete logarithm problem (DLP)

KW - IBM quantum

KW - Shor's algorithm

KW - lattice

KW - postprocessing method

UR - http://www.scopus.com/inward/record.url?scp=85132695376&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85132695376&partnerID=8YFLogxK

U2 - 10.1109/TQE.2022.3183385

DO - 10.1109/TQE.2022.3183385

M3 - Article

AN - SCOPUS:85132695376

VL - 3

JO - IEEE Transactions on Quantum Engineering

JF - IEEE Transactions on Quantum Engineering

SN - 2689-1808

M1 - 3102021

ER -