Modifying Shor’s algorithm to compute

short discrete logarithms

Martin Ekerå∗
December 7, 2016

Abstract
We revisit Shor’s algorithm for computing discrete logarithms in F∗p on
a quantum computer and modify it to compute logarithms d in groups hgi
of prime order q in the special case where d ≪ q. As a stepping stone to
performing this modification, we first introduce a modified algorithm for
computing logarithms on the general interval 0 < d < q for comparison.
We demonstrate conservative lower bounds on the success probability
of our algorithms in both the general and the special case. In both cases,
our algorithms initially set the index registers to a uniform superposition
of all states, compared to p − 1 states in Shor’s original algorithm.
In the special case where d ≪ q, our algorithm uses 3 dlog2 de qubits
for the two index registers and computes two QFTs of size 2dlog2 de and
22 dlog2 de , compared to 2 blog2 qc qubits for the index registers and two
QFTs both of size 2blog2 qc in the general case.
A quantum circuit for computing [a − bd] g is furthermore required,
where 0 ≤ a < 22 dlog2 de and 0 ≤ b < 2dlog2 de in the special case, compared
to 0 ≤ a, b < 2blog2 qc in the general case.
This implies that the complexity of computing discrete logarithms on
a quantum computer can be made to depend not only on the choice of
group, and on its order q, but also on the logarithm d.
In the special case where d ≪ q, our algorithm does not require q to
be prime. It may hence be generalized to finite abelian groups.

1 Introduction
In a groundbreaking paper [10] from 1994, subsequently extended and revised
in a later publication [11], Shor introduced polynomial time quantum computer
algorithms for factoring integers over Z and for computing discrete logarithms
in the multiplicative group F∗p of the finite field Fp .
Although Shor’s algorithm for computing discrete logarithms was originally
described for F∗p , it may be generalized to any finite abelian group, provided the
group operation may be implemented efficiently using quantum circuits. This
generalization was first described by Boneh and Lipton [1]. Shor’s algorithms
may furthermore be generalized by perceiving them as algorithms for solving
special instances of the finite abelian hidden subgroup problem [4].
∗ KTH Royal Institute of Technology, SE-100 44 Stockholm, Sweden and Swedish NCSA,

Swedish Armed Forces, SE-107 85 Stockholm, Sweden. Use ekera@kth.se to e-mail author.

1
 Virtually all asymmetric cryptographic schemes that are widely deployed
today rely on the computational intractability of either the integer factoring
problem or the discrete logarithm problem in some abelian group that meets
the above criteria. Consequently the work of Shor has the potential to greatly
impact the field of asymmetric cryptography.
In this paper, we revisit Shor’s algorithm for solving the discrete logarithm
problem. In section 1.1 below, we introduce the discrete logarithm problem,
discuss the choice of groups and introduce a special case of the discrete logarithm
problem that we study in this paper along with a rationale for why it merits
study. In section 1.2 we proceed to describe our contributions and in section
1.3 we give an overview of the remainder of this paper.

1.1 The discrete logarithm problem

To formally introduce the discrete logarithm problem, let G under  be a group
generated by g, and let
x = [d] g = g  g  · · ·  g  g .
| {z }
d times

Given x, a generator g and a description of G and  the discrete logarithm

problem is to compute d = logg x.
Different groups are used to instantiate cryptographic schemes that rely on
the computational intractability of the discrete logarithm problem. Common
choices include subgroups of F∗p and elliptic curve groups E(K) on Weierstrass
form, Edwards form, twisted Edwards form or Montgomery form, where K is
some field such as Fp or F2n .
The bracket notation that we have introduced above is commonly used in
the literature to denote repeated application of the group operation regardless
of whether the group is written multiplicatively or additively.
In F∗p we have [d] g = g d mod p. In the case of elliptic curve groups [d] g
denotes repeated addition of the point g to itself d times.

1.1.1 Groups of prime order q

As was first described by Pohlig and Hellman [7], the discrete logarithm problem
in a finite abelian group may be decomposed into multiple discrete logarithm
problems in subgroups of prime order or prime power order to the parent group,
assuming the factorization of its order is known. The complexities of solving
these problems depend in general on the sizes of the subgroups.
Once the discrete logarithm problems in these subgroups have been solved,
the results may be combined using the Chinese remainder theorem to yield a
solution to the discrete logarithm problem in the parent group.
Consequently, prime order groups are used more or less exclusively when
instantiating cryptographic schemes that rely on the conjectured computational
intractability of the discrete logarithm problem. We therefore primarily consider
prime order groups in this paper.

1.1.2 Subgroups of prime order to F∗p

To compute discrete logarithms in prime order q subgroups of F∗p for large prime
p that are not on special form, the best classical algorithm is the general number

2
field sieve (GNFS). The time complexity of the GNFS when adapted to compute
1 1 2
discrete logarithms is O(exp[( 649 ) (ln p) (ln ln p) ]) as shown in Schirokauer’s
3 3 3

[9] improvements of Gordon’s [2] original adaptation.

Another option in the classical setting is to use cycle
finding algorithms
√
such as Pollard-ρ, the time complexity of which is O q , or Pollard-λ, the
√
time complexity of which is O( d). Pollard’s algorithms [8] are generic in the
sense that they solve the discrete logarithm problem in any prime order group.
In instantiations of cryptographic schemes that rely on the computational
intractability of the discrete logarithm problem, the prime p must hence be
selected sufficiently large to resist attacks based on the GNFS, whilst d and q
must only be selected sufficiently large for attacks based on the cycle finding
algorithms to have higher time complexity than attacks based on the GNFS.
Hence, it is possible to select q ≪ p. Such group are often referred to as
Schnorr groups. In instantiations, it is typically either the case that q ≪ p, or
that q ∼ p where often p = 2q + 1 is a so-called safe prime. With respect to
known classical attacks, these options offer a comparable level of security.
Since d < q < p it is possible to always select d ∼ q. However, in the case
where q ∼ p it is advantageous to select d so that d ≪ q ∼ p as opposed to
d ∼ q ∼ p, since d being small speeds up the modular arithmetic. Again, with
respect to classical attacks, these options offer a comparable level of security.
For a more in-depth analysis, see the work [6] of van Oorschot and Wiener.

1.1.3 On our interest in the special case d ≪ q

If Shor’s original algorithm is used to compute discrete logarithms in subgroups
of prime order q to F∗p on a quantum computer, the complexity of the algorithm
depends on p. This implies that the case q ≪ p is as complex as the case q ∼ p,
which is not in analogy with the classical algorithms.
If the algorithm is modified to instead compute discrete logarithms in groups
of prime order q, as in section 4, its complexity can be made to depend on p
and q so that the case q ≪ p becomes less complex than the case q ∼ p.
However, the complexity still does not depend on d. This implies that the
case d ≪ q ∼ p is more complex than the case d ∼ q ≪ p, which again is
not in analogy with the classical algorithms. This observation, coupled with
the observation that using small d is advantageous in practical implementations
for performance reasons, served as one of our motivations for modifying Shor’s
algorithm to compute discrete logarithms in the special case where d ≪ q.
Another motivation was our interest in understanding how the complexity of
computing discrete logarithms in elliptic curve groups relates to the complexity
of computing discrete logarithms in subgroups of F∗p .

1.1.4 Discrete logarithms on short intervals

In cases where d is not short in the sense that d ≪ q, but is known to be
constrained to some short interval d1 ≤ d < d2 , it must be the case that

x = [d] g = [d1 ] g  [d − d1 ] g ⇒ x0 = x  [−d1 ]g = [d − d1 ] g = [d0 ] g.

To compute d in such cases, it is hence possible to first compute x0 , to then

compute the discrete logarithm d0 , that is on the interval 0 ≤ d0 < (d2 − d1 ) and
hence short, from x0 and g, and to finally compute d = d1 + d0 .

3
 This implies that any algorithm for efficiently computing d when d ≪ q
may be used to also efficiently compute d when d is on a short interval.

1.2 Our contributions

In this paper, we revisit Shor’s algorithm for computing discrete logarithms in
F∗p on a quantum computer and modify it to compute logarithms d in groups
of prime order q in the special case where d ≪ q. As a stepping stone to per-
forming this modification, we first introduce a modified algorithm for computing
logarithms on the general interval 0 < d < q for comparison.
We provide a complete analysis of our algorithms, both in the special case
where d ≪ q and in the general case. In particular, we demonstrate conservative
lower bounds on their success probabilities using simple proof techniques.
Shor’s original algorithm for computing discrete logarithms uses two index
registers that are initialized to a superposition of p − 1 states. This translates
into a superposition of q states in the case where the group order is a prime q.
Our algorithms instead initialize these registers to a uniform superposition of
all states. This may be advantageous from an implementation perspective since
a uniform superposition of all states may be efficiently induced, for example by
applying the Hadamard transform to the zero state.
In the special case where d ≪ q, our algorithm uses 3 dlog2 de qubits for the
two index registers and requires the computation of two QFTs of size 2dlog2 de
and 22 dlog2 de respectively, compared to 2 blog2 qc qubits for the index registers
and two QFTs both of size 2blog2 qc in the general case.
A quantum circuit capable of computing [e] g = [a] g  [−b] x is furthermore
required, where x = [d] g, and where 0 ≤ a < 22 dlog2 de and 0 ≤ b < 2dlog2 de in
the special case, compared to 0 ≤ a, b < 2blog2 qc in the general case.
These results imply that the complexity of computing discrete logarithms in
prime order groups on a quantum computer can be made to depend not only
on the choice of group, and on its order q, but also on the logarithm d.
In the special case where d ≪ q, our algorithm does not require q to be
prime. Hence the algorithm generalizes to finite abelian groups.

1.3 Overview of this paper

In section 2 below we introduce some notation that is used throughout this
paper and in section 3 we provide a brief introduction to quantum computing.
In section 4 we proceed to describe our algorithm for computing discrete
logarithms in groups of prime order q in the general case where 0 < d < q, and
in section 5 we describe our modified algorithm for the special case d ≪ q. We
conclude the paper and summarize the results in section 6.

2 Notation
In this section, we introduce some notation for norms, rounding operations and
modular reduction operations that are used throughout this paper.

• bue denotes u rounded to the closest integer.

• buc denotes u rounded to the closest integer less than or equal to u.

4
 • due denotes u rounded to the closest integer greater than or equal to u.
• u mod n denotes u reduced modulo n and constrained to the interval
0 ≤ u mod n < n.

• {u}n denotes u reduced modulo n and constrained to the interval

−n/2 ≤ {u}n < n/2.

• u mod 1 = u − bue denotes the fractional part of u.

√
• | a + ib | = a2 + b2 where a, b ∈ R denotes the Euclidean norm of a + ib
which is equivalent to the absolute value of a when b is zero.
• If ~u = (u0 , . . . , un−1 ) ∈ Rn is a vector then
q
| ~u | = u20 + . . . + u2n−1

denotes the Euclidean norm of ~u.

3 Quantum computing
In this section, we provide a brief introduction to quantum computing and
introduce some notation and terminology that is used throughout this paper.
The contents of this section is to some extent a layman’s description of quantum
computing, in that it may leave out or overly simplify important details.
There is much more to be said on the topic of quantum computing. However,
such elaborations are beyond the scope of this paper. For more information, the
reader is instead referred to [3]. The extended paper [11] by Shor also contains
a very good introduction and many references to the literature.

3.1 Quantum systems

In a classical electronic computer, a register that consists of n bits may assume
any one of 2n distinct states j for 0 ≤ j < 2` . The current state of the register
may be observed at any time by reading the register.
In a quantum computer, information is represented using qubits; not bits. A
register of n qubits may be in a superposition of 2n distinct states. Each state
is denoted | j i for 0 ≤ j < 2n and a superposition of states, often referred to as
a quantum system, is written as a sum
n n
2X −1 2X −1
|Ψi = cj | j i where cj ∈ C and | cj |2 = 1
j=0 j=0

that we shall refer to as the system function.

Each complex amplitude cj may be written on the form cj = aj eiθj , where
aj ∈ R is a non-negative real amplitude and 0 ≤ θj < 2π is a phase, so the
system function may equivalently be written on the form
n n
2X −1 2X −1
iθj
|Ψi = aj e |j i where a2j = 1.
j=0 j=0

5
3.2 Measurements
Similar to reading a register in a classical computer, the qubits in a register may
be observed by measuring the quantum system.
The result of such a measurement is to collapse the quantum system, and
hence the system function, to a distinct state. The probability of the system
function | Ψ i collapsing to | j i is | cj |2 = a2j .

3.3 Quantum circuits

It is possible to operate on the qubits that make up a quantum system using
quantum circuits. Such circuits are not entirely dissimilar from the electrical
circuits used to perform operations on bit registers in classical computers.

3.3.1 Quantum operators

For a quantum circuit to be physically permissible it must be reversible and it
must preserve the normalization of the system function.
If the system function | Ψ i that describes the state of the quantum system
is perceived as a column vector of 2n complex amplitudes cj then the set of
all permissible quantum circuits is described by the set of all unitary 2n × 2n
matrices with elements in C.
Executing the circuit described by U with respect to a quantum system that
is described by the system function | Ψ i transforms the quantum system into a
new quantum system that is described by the system function U | Ψ i. Therefore
the unitary matrix U is said to be a quantum operator.

3.3.2 Constructing quantum circuits

Any two quantum operators may be arbitrarily composed under multiplication
since the product of any two unitary matrices is itself a unitary matrix. It may
furthermore be shown that large quantum operators may be built from smaller
operators by taking matrix tensor products.
A quantum circuit for a large register may hence be constructed by taking
products of and tensoring small quantum operators that act as building blocks.
A set of quantum operators is said to be universal if any circuit, up to some
degree of precision, may be constructed using only operators from the set.
The quantum algorithms in this paper are expressed in purely mathematical
terms. To be executed on a physical quantum computer, these algorithms must
first be compiled into circuits that can be realized physically by the computer.

3.4 Quantum-mechanical entanglement

Two quantum systems are said to be separable if and only if the system function
may be written as a tensor product | Ψ i = | Ψ1 i ⊗ | Ψ2 i where | Ψ1 i involves
only states from a first register and | Ψ2 i involves only states from a second
register. Otherwise, the two systems are said to be entangled.
Entangled systems are written on the form | Ψ i = | Ψ1 , Ψ2 i. Separable
systems may be written on the form | Ψ i = | Ψ1 i ⊗ | Ψ2 i = | Ψ1 i | Ψ2 i.
If | Ψ1 i and | Ψ2 i are two entangled systems, the probability distributions
that the systems represent are dependent, so that if | Ψ1 i is observed and it

6
collapses to some distinct state | j i then | Ψ2 i collapses accordingly to a system
that represents the original probability distribution conditioned on | Ψ1 i = | j i.
The ability of quantum systems to be in superpositions of many different
quantum states simultaneously, of quantum circuits to operate on all states in
a quantum system simultaneously, and of quantum systems to be entangled,
seemingly enables quantum computers to perform certain computations much
faster than is theoretically possible with classical computers.

3.5 Probability amplification

Given a quantum system in some known initial state, the purpose of a quantum
circuit is to amplify the amplitudes of a set of desired states, and to suppress
the amplitudes of all other states, so that when the system is observed, the
probability is large that it will collapse to a desired state. This concept is
commonly referred to as probability amplification.

3.5.1 The quantum Fourier transform

In Shor’s algorithms, that are the focus of this paper, the discrete quantum
Fourier transform (QFT) is used to to achieve probability amplification.
The QFT maps each state in an n qubit register to
n
2 −1
QFT 1 X 2πi jk/2n
|j i −−−→ √ e |ki
2n k = 0

so the QFT maps the system function

n n n
2X −1 2 −1 2 −1
QFT 1 X X n
|Ψi = cj | j i −−−→ √ cj e2πi jk/2 | k i .
j=0
2n j = 0 k = 0

It is easy to see that the QFT is a unitary operator and hence permissible. It
is furthermore efficient from an implementation perspective, see Shor’s original
paper [11] for more information.

3.5.2 Constructive interference

If the above system is observed, the probability of it collapsing to k is
 n 2
 2 −1 
1   X
2πi jk/2n 

n
· cj e  .
2  j=0



Perceive the terms in the sum as vectors in C. If the vectors are of approximately
the same norm and point in approximately the same direction, then the norm
of their sum is likely to be great giving rise to a large probability. For k such
that this is indeed the case, constructive interference is said to arise.
The claim below summarizes the notion of constructive interference that we
use in this paper. Note that in our case, all vectors in the sum are unit vectors.

7
 π
Claim 1. Let θj for 0 ≤ j < N be phase angles such that | θj | ≤ 4. Then
 2
 −1 iθ 
 NX
N2

 e j 
≥ .

 j=0

 2

Proof.
 2  2  2
 N −1   N −1   N −1  2
 ≥N
 X iθ  X  X 
 e j 
=  (cos θ j + i sin θ j )  ≥  cos θj

 j=0



 j=0



 j=0

 2

π
since for j on the interval 0 ≤ j < N we have | θj | ≤ 4 which implies
1
√ ≤ cos θj ≤ 1
2
and so the claim follows. 

4 Computing d in the general case

In this section we explain in detail how Shor’s original algorithm for computing
discrete logarithms in F∗p may be adapted to computing discrete logarithms in
a group G of known prime order q provided that the group operation , and in
particular the exponentiations, may be implemented efficiently using quantum
circuits. Shor describes [11] how this may be accomplished for F∗p .
Upon input of a generator g of G and an element x = [d] g where 0 < d < q
the algorithm computes the discrete logarithm d. The algorithm consists of two
parts; a quantum algorithm and a classical algorithm.
• The quantum algorithm is described in section 4.1.
It accepts as input a generator g and an element x = [d] g and produces
as output a pair (j, k) and an element [e] g that is ignored.
In section 4.1.2 we identify a subset of pairs that we call good pairs and
analyze the probability of a good pair being returned.
• The classical algorithm is described in section 4.2.
It accepts as input the pair (j, k) output by the quantum algorithm and
yields the discrete logarithm d if the pair (j, k) is good and if it fulfills
certain additional criteria that are elaborated on in section 4.2.

4.1 The quantum algorithm for computing (j, k)

In this section we provide a detailed description of the quantum algorithm that
upon input of g and x = [d] g outputs a pair (j, k).
1. Let ` be the largest positive integer such that 2` < q and let
` `
2 −1 2 −1
1 X X
|Ψi = ` · |ai|bi|0i
2 a=0
b=0

where the first two registers are of length ` qubits.

8
 2. Compute [a] g  [−b] x and store the result in the third register
` `
2 −1 2 −1
1 X X
|Ψi = ` · | a, b, [a] g  [−b] x i
2 a=0
b=0
` `
2X −1 2X −1
1
= · | a, b, [a − bd] g i .
2` a = 0
b=0

3. Compute two QFTs of size 2` of the first two registers to obtain

` `
2 −1 2 −1
1 X X QFT
|Ψi = ` · | a, b, [a − bd] g i −−−→
2 a=0
b=0
` ` ` `
2X −1 2X −1 2X −1 2X −1
1 `
· e 2πi (aj+bk)/2 | j, k, [a − bd] g i .
22` a = 0
b=0 j=0 k=0

4. Observe the system in a measurement to obtain (j, k) and [e] g.

Note that the size of the two first registers and the size of the QFT is determined
by the order q of the group. The actual choice of group only affects the memory
and time complexity of computing and storing [a] g  [−b] x.
Note furthermore that we assume in step 2 that the third register is of
sufficient length in qubits to hold the result of the computation, that is the
representation of elements of G. We also assume that the group operation,
and in particular the exponentiation operations, may be implemented efficiently
using quantum circuits and that we have sufficient ancillary qubits as required
to perform the computation.
The above algorithm is different from Shor’s original algorithm in that it is
described in general terms for a group G of prime order q, in that ` = blog2 qc
and in that the algorithm initializes the system to the uniform distribution over
all 2` states as opposed to a uniform distribution over q states.

4.1.1 Analysis of the probability distribution

Let e = a − bd mod q. When the system above is observed, the state | j, k, [e] g i
is obtained with probability
   2
1  X X 2πi
· exp (aj + bk) 

2 4`  2` 
a b

where the sum is over all pairs (a, b) that produce this specific e.
1. Since e = a − bd mod q we have a = e + bd mod q so
 
e + bd
aj + bk = ((e + bd) mod q)j + bk = ej + bdj − jq + bk
q
since u mod q = u − bu/qc q. Therefore the probability may be written
      2
1  X 2πi e + bd
· exp ej + b(dj + k) − jq  .

24`  2` q 
b

9
 2. Extracting the term containing e yields
   2  X      2
1  2πi   2πi e + bd
· exp ej  ·  exp b(dj + k) − jq  .

24`  2`  2` q 
| {z } b
=1

3. Centering b around zero yields

      2
1  X 2πi `−1 `−1

e + bd
· exp b+2 −2 (dj + k) − jq  =

24`  2` q 
b
      2
1  −πi(dj+k) 2  X 2πi `−1

e + bd
· e  · exp b−2 (dj + k) − jq  .

24` |  2 ` q 
{z } b
=1

4. This probability may be written

      2
1  X 2πi `−1

e + bd
· exp b−2 (dj + k) − {jq}2`

24`  2` q


b

since adding or subtracting multiples of 2` has no effect; it is equivalent

to shifting the phase angle by a multiple of 2π.

We will defer further analysis of the distribution to the proof of lemma 2 in

section 4.1.4 and instead proceed to introduce the notion of a good pair.

4.1.2 The notion of a good pair (j, k)

In this section, we introduce the notion of a good pair. In the following sections,
we will proceed to lower-bound the number of good pairs, to lower-bound the
probability of obtaining a good pair from a single execution of the algorithm,
and to demonstrate that d may be computed from a good pair.
It may not yet be apparent why we choose the below definition of a good
pair but we will see shortly, when we reach the proof of lemma 2 in section 4.1.4,
that there is a good rationale for selecting this particular definition.
Definition 1. A pair (j, k) where j is an integer on the interval 0 ≤ j < 2` is
said to be good if j is such that
 
| {jq}2` | ≤ 2`−4 and  {jq}2` d − fj  ≤ 2−3 for some fj ∈ Z
 
 q 

and k ≡ fj − dj (mod 2` ).

Note that k is a function of j. Hence j is distinct for each good pair.

4.1.3 Lower-bounding the number of good pairs (j, k)

Lemma 1. There are at least 2`−8 + 1 good pairs (j, k).

10
Proof. From definition 1 it follows that a pair (j, k) where j is an integer on the
interval 0 ≤ j < 2` and k = fj − dj mod 2` is good if
d
| {jq}2` | ≤ 2`−4 and | α{jq}2` − bα{jq}2` e | ≤ 2−3 where α= ∈ R.
q
To lower-bound the number of j that meet this definition, consider the points

pj = (xj , yj ) = ({jq}2` , α{jq}2` mod 1)

plotted in a two-dimensional space for 0 ≤ j < 2` where

−2` /2 ≤ xj < 2` /2 and 0 ≤ yj < 1

and partition the space into rectangles of side length 2`−4 in the x-direction and
2−3 in the y-direction. If pj1 and pj2 are any two points

{j2 q}2` − {j1 q}2` ≡ {(j2 − j1 )q}2` (mod 2` ). (1)

Furthermore, if pj1 and pj2 fall within the same rectangle

| {j2 q}2` − {j1 q}2` | ≤ 2`−4 . (2)

As two numbers that are equal modulo 2` and both less than 2`−1 are in fact
equal, equations (1) and (2) imply

| {j2 q}2` − {j1 q}2` | = | {(j2 − j1 )q}2` | ≤ 2`−4 . (3)

Analogously, if pj1 and pj2 are any two points

( α{j2 q}2` mod 1 ) − ( α{j1 q}2` mod 1 ) ≡

α ({j2 q}2` − {j1 q}2` ) (mod 1). (4)

Furthermore, if pj1 and pj2 fall within the same rectangle

| ( α{j2 q}2` mod 1 ) − ( α{j1 q}2` mod 1 ) | ≤ 2−3 . (5)

In conjunction (4) and (5) imply

| ( α{j2 q}2` mod 1 ) − ( α{j1 q}2` mod 1 ) | =

| α({j2 q}2` − {j1 q}2` ) mod 1 | ≤ 2−3

which by (3) reduces to

| α{(j2 − j1 )q}2` mod 1 | ≤ 2−3 .

Hence, if pj1 and pj2 are in the same rectangle, with j2 ≥ j1 , and we let

j 0 = j2 − j1 and k 0 = (fj 0 − dj 0 ) mod 2` where fj 0 = bα{j 0 q}2` e

then (j 0 , k 0 ) is a good pair since 0 ≤ j 0 < 2` and

| {j 0 q}2` | ≤ 2`−4 and | α{j 0 q}2` − bα{j 0 q}2` e | ≤ 2−3 .

Our goal is now to count the number of points that fulfill these conditions.

11
Let Ri denote the number of points that fall into rectangle i. There are then

Ri (Ri + 1) R2
> i (6)
2 2
pairwise combinations (pj1 , pj2 ) of the Ri points in rectangle i such that j2 ≥ j1 .
To lower-bound the number of good pairs (j, k), we therefore lower-bound
7
2 −1
1 X 2
R
2 i=0 i

which is easy using the Cauchy-Schwarz inequality since

 7
2  7
 7
 7
2X −1 2X −1 2X −1 2 −1
1 X 2
22` =  Ri  ≤  12   Ri2  ⇒ R ≥ 22`−8
i=0 i=0 i=0
2 i=0 i

as there are (2` /2`−4 ) · (1/2−3 ) = 27 rectangles.

We have demonstrated that for two points pj1 and pj2 that fall within the same
rectangle and that are such that j2 ≥ j1 the pair (j 0 , k 0 ) is a good. Furthermore,
we have shown that there are more than 22`−8 such pairs as the equality in (6)
is strict. However, these pairs appear with multiplicity.
More specifically, if j1 and j2 ≥ j1 give rise to the good pair (j 0 , k 0 ) then so
do j1 + u and j2 + u for any integer u such that 0 ≤ j1 + u ≤ j2 + u < 2` so
each good pair is counted with multiplicity at most 2` .
From this observation it follows that there are more than 22`−8 /2` = 2`−8
distinct good pairs, and so the lemma follows. 

4.1.4 Lower-bounding the probability of a good pair (j, k)

To lower-bound the probability of a good pair we first need to lower-bound the
number of pairs (a, b) that yield a certain e.
Definition 2. Let Te denote the number of pairs (a, b) such that

e ≡ a − bd (mod q)

where a, b are integers on the interval 0 ≤ a, b < 2` .

Claim 2.
q−1
X
Te = 22` .
e=0

Proof. Since a, b may independently assume 2` values, there are 22` distinct
pairs (a, b), from which the above claim follows. 

Claim 3.
q−1
X 24`
Te2 ≥ .
e=0
q

12
Proof. The claim follows from the Cauchy–Schwarz inequality and claim 2 since

q−1
!2 q−1
! q−1
! q−1
4`
X X
2
X X 24`
2 = Te ≤ 1 Te2 ⇒ Te2 ≥ .
e=0 e=0 e=0 e=0
q

We are now ready to demonstrate a lower-bound the probability of obtaining a

good pair using the above definition and claims.
Lemma 2. The probability of obtaining a specific good pair (j, k) from a single
execution of the algorithm in section 4.1 is at least
1
.
2q
Proof. The probability of observing the pair (j, k) and [e] g is
      2
1 X 2πi `−1

e + bd
· exp b−2 (dj + k) − {jq}2`  .
 
24`  2` q 
b

For a good pair k = fj − dj mod 2` so the probability then reduces to

      2
1 X 2πi `−1

e + bd
· exp b−2 fj − {jq}2`  .
 
24`  2` q 
b

If an additional constant term is inserted to shift the global phase

      2
1  πi {jq}2` dq 2  X 2πi e + bd
· e  · exp (b − 2`−1 )fj − {jq}2`  =

24` |  2 ` q 
{z } b
=1
      2
1  X 2πi e + bd d
· exp (b − 2`−1 )fj − {jq}2` + 2`−1 {jq}2`

2 4`  2 ` q q


b

then by the triangle inequality

   
 {jq}2` e + bd − (b − 2`−1 )fj − 2`−1 {jq}2` d  ≤
 
 q q
      

 {jq}2` e + bd bd   `−1 d 
− + (b − 2 ) {jq}2 ` − fj
.
 q q   q 

Since e = a − bd mod q we have that 0 ≤ e < q which implies

    
bd e + bd bd  e + bd bd 
−1≤ ≤ +1 ⇒   − ≤ 1.
q q q q q 

Furthermore, for a good pair | {jq}2` | ≤ 2`−4 and

    
 {jq}2` d − fj  ≤ 2−3 ⇒  (b − 2`−1 ) {jq}2` d − fj  ≤ 2`−4
   
 q   q 

13
where we have used that 0 ≤ b < 2` . Combining the above results yields
   
 {jq}2` e + bd − (b − 2`−1 )fj − 2`−1 {jq}2` d  ≤ | {jq}2` | + 2`−4 ≤ 2`−3
 
 q q
It therefore follows from claim 1 in section 3.5.2 that the sum
  2  2
Te2
   
1  X 2πi e + bd 1  X iθb 
· exp bf − {jq} = · e ≥

j 2`
24`  2` q 24`  2 · 24·`
   
 
b b

since | θb | ≤ 2π/8 = π/4 for all Te values of b. Summing over all e, we obtain
q−1
X Te2 24` 1 1
4`
≥ · 4`
=
e=0
2 · 2 q 2 · 2 2q

by claim 3 and so the lemma follows. 

We note that the proof of lemma 2, although developed independently, bears

some resemblance to a proof in the generalization by Boneh and Lipton [1].

4.2 Computing d from a good pair (j, k)

In this section, we specify a classical algorithm that upon input of a good pair
(j, k), that results from the execution of the quantum algorithm in section 4.1
with g and x = [d] g as input, computes and outputs d assuming j 6= 0.

1. Compute and return

 
kq −1 {jq}2` − jq
d≡ t (mod q) where t= ∈ Z.
2` 2`

Note that this is exactly the same algorithm as was originally proposed by Shor.

4.2.1 Proof of correctness

In this section we provide a proof of correctness for the above algorithm.
Lemma 3. For any good pair (j, k) such that j 6= 0 it holds that
 
kq −1 {jq}2` − jq
d≡ t (mod q) where t = ∈ Z.
2` 2`
Proof. For a good pair we have by definition 1 that
 
 {jq}2` d − fj  ≤ 2−3 ⇒ {jq}2` d − fj = δ
 
 q  q

where | δ | ≤ 2−3 is an error term, and furthermore

k ≡ fj − dj (mod 2l )

which yields
d
{jq}2` − k − dj + n2l = δ.
q

14
Multiplying by q yields

{jq}2` d − kq − djq + nq2l = δq.

Re-arranging terms and dividing by 2` yields

{jq}2` − jq kq δq
d `
− ` + nq = ` .
| 2
{z } 2 2
t∈Z

Rounding both sides to the nearest integer yields

     
kq kq δq
dt + − ` + nq = dt − ` + nq = =0
2 2 2`
and hence
 
kq
dt + − ` ≡ 0 (mod q)
2
from which the result in the lemma follows
 
kq −1
d≡ t (mod q)
2`

provided that t 6≡ 0 (mod q). Since j > 0 we have jq > 2` and | {jq}2` | ≤ 2` /2
which implies 0 < | t |. Furthermore

1 (2` − 1)q
 
 {jq}2` − jq  1 jq 1 q
|t| = 
 ≤ + ≤ + ≤ + q − ` < q.
2`  2 2` 2 2` 2 2
|{z}
>1

Hence 0 < | t | < q which implies t 6≡ 0 (mod q) and so the lemma follows. 

4.3 Main result

Theorem 1 summarizes the main result in this section.
Theorem 1. Assume that the algorithm in section 4.1 is executed once on a
quantum computer with g and x = [d] g as input, and that it yields some pair
(j, k) as output. If this pair (j, k) is then fed as input to the classical algorithm
in section 4.2, it will output d with probability at least 2−10 .
Proof. By lemma 2 the probability of obtaining a specific good pair (j, k) as a
result of a single execution of the quantum algorithm in section 4.1 is at least
1/(2q). By lemma 1 there are at least 2`−8 + 1 good pairs (j, k). By definition
1 the value of j is distinct for each good pair.
It therefore follows from lemmas 1 and 2 and from definition 1 that the
probability of obtaining some good pair (j, k) such that j 6= 0 must be at least
1
2`−8 · ≥ 2−10
2q
where we have used that 2` /q ≥ 1/2.
By lemma 3 the classical algorithm in section 4.2 returns d for all good pairs
(j, k) such that j 6= 0 and so the theorem follows. 

15
 It should be stressed that we have have not sought the best lower bound
on the success probability in this paper. Rather we have sought a lower bound
that is easy to prove and that is sufficiently good to show that the algorithm
is practical. We expect the actual success probability to be much greater than
what is indicated by the bound.

5 Computing d in the special case where d ≪ q

In this section, we describe how the algorithm in section 4 may modified to be
more efficient in the special case where d ≪ q.
More specifically, we consider the special case where q ≥ 22` + (2` − 1)d and
where d is on the interval 0 < d < 2` for some integer `. Note that ` is now
different from ` in section 4. As in section 4, the algorithm may be said to
consist of a quantum part and a classical part.

• The quantum algorithm is described in section 5.1.

It accepts as input a generator g and an element x = [d] g and produces
as output a pair (j, k) and an element [e] g that is ignored.
The algorithm in section 5.1 is similar to the algorithm in section 4.1.

– The two index registers are however now of length ` and 2` qubits,
compared to both being of length blog2 qc qubits in section 4.1.
– Consequently, when [a] g  [−b] x is now computed 0 ≤ a < 22` and
0 ≤ b < 2` compared to 0 ≤ a, b < 2blog2 qc in section 4.1.
– Furthermore, the two QFTs are now of size 2` and 22` , compared to
both being of size 2blog2 qc in section 4.1.

• The classical algorithm is described in section 5.2.

It accepts as input the pair (j, k) output by the quantum algorithm and
yields the discrete logarithm d if the pair (j, k) is good and if it fulfills
certain additional criteria that are elaborated on in section 5.2.
The algorithm in section 5.2 is quite different from the algorithm in section
4.2 in that is uses lattice-based techniques to recover d from (j, k).

5.1 The quantum algorithm for computing (j, k)

In this section we provide a detailed description of the quantum algorithm that
upon input of g and x = [d] g outputs a pair (j, k).

1. Let
2` `
2 −1 2 −1
1 X X
|Ψi = √ |ai|bi|0i
23` a = 0 b = 0

where the first and second registers are of length ` and 2` qubits.

16
 2. Compute [a] g  [−b] x and store the result in the third register
2` `
2 −1 2 −1
1 X X
|Ψi = √ | a, b, [a] g  [−b] x i
23` a = 0 b = 0
2` `
2 −1 2 −1
1 X X
=√ | a, b, [a − bd] g i .
23` a = 0 b = 0

3. Compute a QFT of size 22` of the first register and a QFT of size 2` of
the second register to obtain
2` `
2 −1 2 −1
1 X X QFT
|Ψi = √ | a, b, [a − bd] g i −−−→
23` a = 0 b = 0
2` ` 2` `
2 −1 2 −1 2 −1 2 −1
1 X X X X 2πi (aj+2` bk)/22`
√ e | j, k, [a − bd] g i .
26` a = 0 b = 0 j = 0 k = 0

4. Observe the system in a measurement to obtain (j, k) and [e] g.

Note that the size of the two first registers and the size of the QFT is now
determined by d and not by q as was the case in section 4.1.

5.1.1 Analysis of the probability distribution

When the system above is observed, the state | j, k, [e] g i, where e = a − bd, is
obtained with probability
   2
1  XX 2πi `
· exp 2` (aj + 2 bk) 
 
26`  a
2 
b

where the sum is over all pairs (a, b) that produce this specific e. Note that the
assumption that q ≥ 22` + (2` − 1)d implies that no reduction modulo q occurs
when e is computed. In what follows, we re-write the above expression for the
probability on a form that is easier to use in practice.

1. Since e = a − bd we have a = e + bd so the probability may be written

   2
1 X 2πi
· exp 2` ((e + bd)j + 2` bk) 
 
26`  2 
b

where the sum is over all b in the set { 0 ≤ b < 2` | 0 ≤ a = e + bd < 22` }.

2. Extracting the term containing e yields

   2  X   2
1 2πi 2πi
exp 2` b dj + 2` k  .
  

·  exp 2` ej  · 

26` 2  2 
| {z } b
=1

17
 3. Centering b around zero yields
   2
1 X 2πi `−1 `−1

`
· exp 2` b + 2 −2 (dj + 2 k)  =
 
26`  2 
b
  
 2  X   2
1 πi 2πi
·  exp ` (dj + 2` k)  ·  exp 2` b − 2`−1 (dj + 2` k)  .
  

26`  2  2 
| {z } b
=1

4. This probability may be written

   2
1 X 2πi `−1

`
· exp 2` b − 2 {dj + 2 k}22` 
 
26`  2 
b

since adding or subtracting multiples of 22` has no effect; it is equivalent

to shifting the phase angle by a multiple of 2π.

5.1.2 The notion of a good pair (j, k)

By claim 1 this sum should be large when | {dj + 2` k}22` | ≤ 2`−2 since this
condition implies that the angle is less than or equal to π/4.
This observation serves as our motivation for introducing the below notion
of a good pair, and for proceeding in the following sections to lower-bound the
number of good pairs and the probability of obtaining a specific good pair.
Definition 3. A pair (j, k), where j is an integer such that 0 ≤ j < 22` and
k = −b (dj mod 22` )/2` e mod 2` is said to be good if
 {dj + 2` k}22`  ≤ 2`−2 .
 

Note that k is a function of j. Hence j is distinct for each good pair.

5.1.3 Lower-bounding the number of good pairs (j, k)

Lemma 4. There are at least 22`−1 good pairs.
Proof. First note that for a good pair
 {dj + 2` k}22`  = | {dj}2` | ≤ 2`−2
 

since k = −b(dj mod 22` )/2` e mod 2` .

Let 2κ be the greatest power of two that divides d. Since d < 2` it must be that
κ ≤ ` − 1. As j runs through all integers 0 ≤ j < 22` , the function dj mod 2`
assumes the value of each multiple of 2κ exactly 2`+κ times.
Assume that κ = ` − 1. Then the only possible values are 0 and 2`−1 . Only zero
gives rise to a good pair, so with multiplicity there are 2`+κ = 22`−1 integers j
such that (j, k) is a good pair.
Assume that κ < ` − 1. Then only the 2 · 2`−κ−2 + 1 values congruent to values
on [−2`−2 , 2`−2 ] are such that | {dj}2` | ≤ 2`−2 , so with multiplicity 2`+κ there
are 2`+κ · (2 · 2`−κ−2 + 1) ≥ 22`−1 integers j such that (j, k) is a good pair. 

18
5.1.4 Lower-bounding the probability of a good pair (j, k)
To lower-bound the probability of a good pair we first need to lower-bound the
number of pairs (a, b) that yield a certain e.
Definition 4. Let Te denote the number of pairs (a, b) such that

e = a − bd

where a, b are integers on the intervals 0 ≤ a < 22` and 0 ≤ b < 2` .

Claim 4.

| e = a − bd | < 22`

Proof. The claim follows from 0 ≤ a < 22` , 0 ≤ b < 2` and 0 < d < 2` . 

Claim 5.
2`
2X −1
Te = 23` .
e = −22`

Proof. Since a, b may independently assume 22` and 2` values respectively, there
are 23` distinct pairs (a, b). From this fact and claim 4 the claim follows. 

Claim 6.
2`
2X −1
Te2 ≥ 24`−1 .
e = −22`

Proof. The claim follows from the Cauchy–Schwarz inequality and claim 5 since
 2` 2  2`   2`  2`
2X −1 2X−1 2X −1 2X −1
6` 2 2
2 =  Te  ≤  1   Te  ⇒ Te2 ≥ 24`−1 .
e = −22` e = −22` e = −22` e = −22`

We are now ready to demonstrate a lower-bound on the probability of obtaining

a good pair using the above definition and claims.
Lemma 5. The probability of obtaining a specific good pair (j, k) from a single
execution of the algorithm in section 5.1 is at least 2−2`−2 .
Proof. For a good pair
 
 2π `−1 `
 2π   π
`−1 

 22` (b − 2 ) {dj + 2 k} 2  ≤ `+2 b − 2
2`
 ≤
2 4

for any integer b on the interval 0 ≤ b < 2` . It therefore follows from claim 1 in
section 3.5.2 that the probability
  2
Te2

1  X 2πi `−1 `
· exp (b − 2 ) {dj + 2 k} ≥

22`
26`  22` 2 · 26`
 

b

19
for a specific e. Summing this over all e and using claim 6 yields
2`
2X −1
Te2
≥ 2−2`−2
2 · 26`
e = −22`

from which the lemma follows. 

5.2 Computing d from a good pair (j, k)

In this section, we specify a classical algorithm that upon input of a good pair
(j, k), that results from a single execution of the algorithm in section 5.1 with
g and x = [d] g as input, computes and outputs d.
The algorithm uses lattice-based techniques. To introduce the algorithm, we
first need to define the lattice L(j).
Definition 5. Let L(j) be the integer lattice generated by the row span of
 
4j 1
.
4 · 22` 0

The algorithm proceeds as follows to recover d from (j, k) using L(j).

1. Let ~v = (4 {−2` k}22` , 0) ∈ Z2 . For all vectors ~u ∈ L(j) such that
√
| ~u − ~v | < 2 · 2`

test if the second component of ~u is d. If so return d.

This test may be performed by checking if x = [d] g.
2. If d is not found in step 1, or when more than 23 vectors have been
explored, the algorithm fails.

5.2.1 Rationale and analysis

For any m ∈ Z the vector ~u = (4 ({dj}22` + m22` ), d) ∈ L(j). The above
algorithm
√ performs an exhaustive search of all vectors in L(j) at distance at
most 2 · 2` from ~v to find ~u for some m. It then recovers d as the second
component of ~u. The search will succeed in finding ~u if
q
2
| ~u − ~v | = 4 ({dj}22` + m 22` − {−2` k}22` ) + d2
q
2 √
= 4 ({dj + 2` k}22` ) + d2 < 2 · 2`

since d < 2` and |{dj + 2` k}22` | ≤ 2`−2 by the definition of a good pair, and
since m may be freely selected to obtain equality.
Whether the search is computationally
√ feasible depends on the number of
vectors in L(j) that lie within distance 2 · 2` of ~v . Lemma 6 below relates this
number to the norm of the shortest non-zero vector in the lattice. To introduce
the lemma, we first need some additional details.
Definition 6. Let ~s1 be the shortest non-zero vector in L(j), and let ~s2 be the
shortest non-zero vector in L(j) that is linearly independent to ~s1 .

20
 The vectors ~s1 and ~s2 form a reduced basis for L(j). Such a basis may be
computed using standard lattice basis reduction algorithms such as Lenstra-
Lenstra-Lováz (LLL) [5].
//
Definition 7. Let ~s2 be the component of ~s2 parallel to ~s1 and let ~s2⊥ be the
component of ~s2 orthogonal to ~s1 .
π 2π
Claim 7. The angle α between ~s1 and ~s2 is such that 3 ≤α≤ 3 .

//
Proof. From definition 6, it follows that | ~s2 | ≤ | ~s1 | / 2 and | ~s1 | ≤ | ~s2 |, so

// 1
| ~s2 | = | ~s2 | · | cos α | ≤ | ~s1 | /2 ≤ | ~s2 | /2 ⇒ | cos α | ≤
2
from which the claim follows, by solving for α on the interval 0 ≤ α ≤ π. 

Lemma
√ 6. For ~v ∈ R2 the number of lattice vectors ~u ∈ L(j) within distance
`
2 · 2 of ~v is lower-bounded by
$ √ % !
2 2 · 2`
max 12, +1 .
| ~s1 |

Proof. Any vector in L(j) may be written on the form i1~s1 +i2~s2 where i1 , i2 ∈ Z.
For fixed i2 ∈ Z and variable i1 ∈ Z the vectors i1~s1 + i2~s2 ∈ L(j)
√ are on a line
l in R2 . The number of vectors on l in any circle with radius 2 · 2` is at most
$ √ %
2 2 · 2`
+ 1.
| ~s1 |

The orthogonal distance between two consecutive lines on the above form is
| s⊥
2 |. The vector ~v ∈ R2 may be written on the form ~v√= a1~s1 + a2~s2 for some
a1 , a2 ∈ R. For l to at all intersect the √ circle of radius 2 · 2` around v it must
⊥ `
therefore be that | i2 − a2 | · |~s2 | ≤ 2 · 2 and this is the case for at most
$ √ %
2 2 · 2`
+ 1.
| ~s⊥
2 |

different i2 . Hence, there are at most

$ √ % ! $ √ % !
2 2 · 2` 2 2 · 2`
S= +1 +1 (7)
| ~s1 | | ~s⊥
2 |
√
vectors in L(j) within distance 2 · 2` of ~v .
From claim 7 it follows that the angle α between ~s1 and ~s2 is such that
√
π 2π 3
≤α≤ ⇒ | ~s⊥2 | = | ~
s 1 | sin α ≥ | ~s1 |
3 3 2
which inserted into equation (7) yields
$ √ % ! $r % !
2 2 · 2` 2 4 · 2`
S≤ +1 +1 . (8)
| ~s1 | 3 | ~s1 |

21
Furthermore, the area of the fundamental parallelogram in L(j) is

| ~s1 | · | ~s⊥
2 | = | det L(j) | = 4 · 2
2`
⇒ | ~s⊥ 2`
2 | = 4 · 2 /|~
s1 |

which inserted into equation (7) yields

$ √ % ! 
2 2 · 2`
 
| ~s |
S= +1 √ 1 +1 . (9)
| ~s1 | 2 · 2`

Assume that | ~s1 | > 2` . Then, equation (8) implies S ≤ 12. Conversely, assume
that | ~s1 | ≤ 2` . Then, equation (9) implies
$ √ %
2 2 · 2`
S= +1
| ~s1 |

and so the lemma follows by taking the maximum. 

To perform the search in practice, √ all vectors on the form i1~s1 + i2~s2 where
i1 , i2 ∈ Z that lie within distance of 2 · 2` of ~v are exhaustively searched. The
starting point is easily found by writing ~v = a1~s1 + a2~s2 where a1 , a2 ∈ R and
rounding a1 , a2 to the nearest integers.
Basis reduction algorithms such as LLL are practical for lattices of dimension
two so it is practical to compute ~s1 and √ ~s2 . Therefore the above algorithm is
practical if | ~s1 | is large in relation to 2 · 2` so that the search space is small.
To demonstrate that the algorithm is practical we lower-bound | ~s1 | by first
introducing the notion of good integers j.
Definition 8. An integer j on the interval 0 ≤ j < 22` is said to be bad if there
exists an integer ξ on the interval 0 < ξ < 2`−3 such that | {ξj}22` | < 2`−5 .
Otherwise, j is said to be good.

Lemma 7. If j is good then the shortest non-zero vector ~s1 ∈ L(j) has norm

| ~s1 | ≥ 2`−3 .

Proof. The shortest non-zero vector ~s1 ∈ L(j) may be written on the form
 
4j 1
= 4 (ξj + λ22` ) ξ = 4 {ξj}22` ξ
     
~s1 = ξ λ 2`
4·2 0

where λ must be used to reduce ξj modulo 22` constrained to the interval

−22` /2 ≤ {ξj}22` < 22` /2 so that | 4 {ξj}22` | is minimized. Hence
p
| ~s1 | = (4 {ξj}22` )2 + ξ 2

which implies that | ~s1 | ≥ | 4 {ξj}22` | and that | ~s1 | ≥ | ξ |. Since | {u}22` | =
| {−u}22` | for all u ∈ Z we only consider positive ξ. If j is good then | {ξj}22` | ≥
2`−5 for all 0 < ξ < 2`−3 by definition 8 and so the lemma follows. 

This implies that if j is good then the exhaustive search needs explore only
a small number of vectors to recover ~u and hence d.

22
5.2.2 Proof of correctness
Lemma 8 summarizes the above analysis and provides a proof of correctness.

Lemma 8. Assume that the algorithm in section 5.1 is executed once on a

quantum computer with g and x = [d] g as input, and that it yields some good
pair (j, k) as output that is such that the integer j is good. If this pair (j, k) is
fed as input to the classical algorithm in section 5.2 it will output d.

Proof. It follows from the analysis

√ in section 5.2.1 that if the algorithm exhausts
all vectors within distance 2 · 2` of ~v it will recover ~u and hence √ d. The search
is practical if there are not too many vectors within distance 2 · 2` of ~v .
By lemma 6 there are at most
$ √ % !
2 2 · 2`  j √ k 
max 12, + 1 ≤ max 12, 2 2 · 23 + 1 = 23
| ~s1 |
√
vectors within distance 2 · 2` of ~v where we have used that by lemma 7 the
norm | s1 | ≥ 2`−3 for good j. As per the specification, the algorithm will not
fail before having exhausted all 23 vectors, and so the lemma follows. 

5.2.3 Upper-bounding the number of bad integers j

As a final step, we need to demonstrate an upper bound on the number of bad
j, as this bound is needed to demonstrate a lower bound on the overall success
probability of the algorithm in section 5.3.

Claim 8. For a fixed ξ on the interval 0 < ξ < 2`−3 there are less than 2`−4
integers j on the interval 0 ≤ j < 22` such that | {ξj}22` | < 2`−5 .
Proof. Let 2κ be the largest power of two that divides ξ. Since ξ < 2`−3 it must
be that κ < ` − 3. As j runs through all integers 0 ≤ j < 22` , the function
ξj mod 22` assumes the value of each multiple of 2κ exactly 22`−κ times.
Only the 2 · 2`−κ−5 − 1 values congruent to values on (−2`−5 , 2`−5 ) are such
that | {ξj}22` | < 2`−5 so with multiplicity 2κ there are 2κ ·(2·2`−κ−5 −1) < 2`−4
integers j such that | {ξj}22` | < 2`−5 for a fixed ξ. 

Lemma 9. There are less than 22`−7 bad integers j.

Proof. By definition 8 there are 2`−3 − 1 values of ξ since 0 < ξ < 2`−3 and by
claim 8 there are less than 2`−4 bad integers j for a fixed ξ. In total, there are
therefore less than (2`−3 − 1) · 2`−4 < 22`−7 bad integers j. 

5.3 Main result

Theorem 2 summarizes the main result in this section.
Theorem 2. Assume that the algorithm in section 5.1 is executed once on a
quantum computer with g and x = [d] g as input, and that it yields some pair
(j, k) as output. If this pair (j, k) is fed as input to the classical algorithm in
section 5.2, it will output d with probability at least 2−3 · (1 − 2−6 ).

23
Proof. By lemma 4 there are at least 22`−1 good pairs (j, k). It follows from
definition 3 of a good pair that j is distinct. By lemma 9 there are less than
22`−7 bad j. It follows that there must be at least 22`−1 − 22`−7 good pairs (j, k)
for which j is good.
By lemma 5 the probability of obtaining a specific good pair from a single
execution of the algorithm in section 5.1 is at least 2−2`−2 . The probability of
obtaining a good pair (j, k) for which j is good must therefore be at least

2−2`−2 · (22`−1 − 22`−7 ) = 2−3 · (1 − 2−6 ).

By lemma 8 the classical algorithm in section 5.2 will upon input of a pair
(j, k) for which j is good output d and so the theorem follows. 

Again, it should be stressed that we have have not sought the best lower bound
on the success probability in this paper.

5.4 Generalizations and observations

We remark that we have not used that q is a prime in the algorithm. Hence,
the algorithm generalizes to finite abelian groups.
Furthermore, we remark that we have in fact not assumed q to be explicitly
known in the algorithm. We have only assumed that q ≥ 22` + (2` − 1)d.

5.4.1 On whether q has to be explicitly known

The above observation not withstanding, q may need to be explicitly known for
reasons that are not immediately apparent from the algorithm description.
For instance, to efficiently implement the exponentiations, the inverses [−1] x
and [−1] g may have to be pre-computed classically and [−1] x = [q −1] x for any
finite abelian group of order q. However, there may be other ways to compute
inverses, depending on the group. In the special case of subgroups of order q to
F∗p , for example, knowing p is sufficient since [−1] x = [q − 1] x = [(p − 1) − 1] x.

6 Summary and conclusion

We have revisited Shor’s algorithm for computing discrete logarithms in F∗p on a
quantum computer and modified it to compute logarithms d in groups of prime
order q in the special case where d ≪ q. More specifically, we have considered
the special case where 0 < d < 2` and q ≥ 22` + (2` − 1)d. As a stepping stone
to performing this modification, we first introduced a modified algorithm for
computing logarithms on the general interval 0 < d < q for comparison.
We have demonstrated conservative lower bounds on the success probability
in both the general and special cases using simple proof techniques.
In the special case where d ≪ q, our algorithm uses 3 dlog2 de qubits for the
two index registers and requires the computation of two QFTs of size 2dlog2 de
and 22 dlog2 de respectively, compared to 2 blog2 qc qubits for the index registers
and two QFTs both of size 2blog2 qc in the general case.
A quantum circuit capable of computing [e] g = [a] g  [−b] x is furthermore
required, where x = [d] g, and where 0 ≤ a < 22 dlog2 de and 0 ≤ b < 2dlog2 de
in the special case, compared to 0 ≤ a, b < 2blog2 qc in the general case. In

24
both cases, the choice of group operation and element representation affects the
complexity of computing and storing [e] g.
These results imply that the complexity of computing discrete logarithms in
prime order groups on a quantum computer can be made to depend not only
on the choice of group, and on its order q, but also on the logarithm d.
In the special case where d ≪ q, our algorithm does not require q to be
prime, so this result generalizes to finite abelian group. Furthermore, as per the
description of the algorithm, q does not need to be explicitly known.
The reduction in size of the first two registers is in itself not very significant
since many additional qubits will typically be required to implement the two
exponentiation operations. However, the fact that the exponents that enter into
these operations are now short, and that the QFTs are of smaller sizes, reduces
the complexity in the special case where d ≪ q.

Remarks
The quantum algorithms in this paper are described in purely mathematical
terms. It is assumed that some quantum registers are first initialized, that a
quantum circuit is then executed and that the system is then finally observed
in a measurement. The extent to which the specialized algorithm for the case
where d ≪ q provides an advantage over the general algorithm depends on how
this mathematical description is translated into a physical implementation.
Note furthermore that in the case of subgroups of prime order q to F∗p , for
fixed p and d ≪ p the general algorithm has lower complexity when d ∼ q ≪ p
than does the specialized algorithm when d ≪ q ∼ p. It is possible that the
specialized algorithm may be further optimized in this respect.

Acknowledgments
Many thanks to Johan Håstad for providing key comments, suggestions and
guidance. A note of thanks also goes to Lennart Brynielsson for correcting
several minor errors in early draft versions of this paper.
Funding and support for this work was provided by the Swedish NCSA that
is a part of the Swedish Armed Forces.

References
[1] D. Boneh, R. J. Lipton, “Quantum Cryptanalysis of Hidden Linear Func-
tions”, in proceedings from the International Cryptology Conference, Ad-
vances in Cryptology – CRYPTO ’95, volume 963, 1995, pp. 424-437.
[2] D. Gordon, “Discrete logarithms in GF(p) using the Number Field Sieve”,
in SIAM Journal on Discrete Mathematics, volume 6, 1993, pp. 124-138.
[3] M. Hirvensalo, “Quantum Computing”, 2nd edition, Natural Computing
Series, Springer Verlag, 2004.
[4] R. Josza, “Quantum Factoring, Discrete Logarithms, and the Hidden Sub-
group Problem”, in Computing in Science and Engineering, volume 3, no
2, 2001, pp. 34-43.

25
 [5] A. K. Lenstra, H. W. Lenstra, L. Lovász, “Factoring polynomials with ra-
tional coefficients”, in Mathematische Annalen, volume 261, no 4, 1982,
p.p. 515-534.

[6] P. C. van Oorschot, M. J. Wiener, “On Diffie-Hellman Key Agreement

with Short Exponents”, in proceedings from the International Conference
on the Theory and Application of Cryptographic Techniques, Advances in
Cryptology – EUROCRYPT ’96, volume 1070, 1996, pp. 332-343.

[7] S. C. Pohlig, M. E. Hellman, “An Improved Algorithm for Computing Log-

arithms over GF(p) and Its Cryptographic Significance”, in IEEE Transac-
tions on Information Theory, volume IT-24, no 1, 1978, pp. 106-110.
[8] J. M. Pollard, “Monte Carlo Methods for Index Computation (mod p)”, in
Mathematics of Computation, volume 32, no 143, 1978, pp. 918-924.

[9] O. Schirokauer, “Discrete Logarithms and Local Units”, in Philosophical

Transactions of the Royal Society of London, volume A 345, 1993, pp.
409-423.
[10] P. W. Shor, “Algorithms for Quantum Computation: Discrete Logarithms
and Factoring”, in proceeding from the 35th Annual Symposium on Foun-
dations of Computer Science, Santa Fe, NM, November 20–22, 1994, IEEE
Computer Society Press, pp. 124–134.
[11] P. W. Shor, “Polynomial-time algorithms for prime factorization and dis-
crete logarithms on a quantum computer”, in SIAM Journal of Computing,
volume 26, no 5, 1997, pp. 1484-1509.

26