Optimized quantum implementation of elliptic curve arithmetic over binary fields

Shor’s quantum algorithm for discrete logarithms applied to elliptic curve groups forms the basis of a “quantum attack” of elliptic curve cryptosystems. To implement this algorithm on a quantum computer requires the efficient implementation of the elliptic curve group operation. Such an implementation requires we be able to compute inverses in the underlying field. In [PZ03], Proos and Zalka show how to implement the extended Euclidean algorithm to compute inverses in the prime field GF(p). They employ a number of optimizations to achieve a running time of O(n), and a space-requirement of O(n) qubits (there are some trade-offs that they make, sacrificing a few extra qubits to reduce running-time). In practice, elliptic curve cryptosystems often use curves over the binary field GF(2). In this paper, we show how to implement the extended Euclidean algorithm for polynomials to compute inverses in GF(2). Working under the assumption that qubits will be an ‘expensive’ resource in realistic implementations, we optimize specifically to reduce the qubit space requirement, while keeping the running-time polynomial. Our implementation here differs from that in [PZ03] for GF(p), and we are able to take advantage of some properties of the binary field GF(2). We also optimize the overall qubit space requirement for computing the group operation for elliptic curves over GF(2) by decomposing the group operation to make it “piecewise reversible” (similar to what is done in [PZ03] for curves over GF(p)). [email protected], School of Computer Science, University of Waterloo, Waterloo, ON, Canada. [email protected], Department of Physics, University of Waterloo.