\documentclass[11pt]{article}
\include{lecture}
\usepackage{subfigure}
\begin{document}
\lecture{14}{10/05/10}{Computing Discrete Logarithms}{John Gamble}
Last class, we discussed how to apply order finding to efficiently factor numbers
using a quantum computer, and outlined how this capability breaks
cryptographic systems such as RSA. In this lecture, we first
discuss a quantum algorithm for period finding, of which order finding is
a special case. We then develop a similar algorithm that
efficiently computes the discrete logarithm. Finally, we conclude by outlining
Diffie-Hellman key exchange, whose security relies on the discrete logarithm
being difficult to compute.
\section{Period finding}
Suppose that we are given some function $f: \mathbb Z \rightarrow\{0,1\}^m$, and are
promised that it is periodic with period $r>0$. That is, for all $x$, we know that $f(x+r)=f(x)$.
Further, we are guaranteed that no value repeats within a single period, so that for all $s$ with
$0 < s < r$ we have $f(x+s) \neq f(x)$.
\section{Discrete logarithms}
Suppose we are given $M>0$ and a generator $g$ of $\mathbb Z_M^{*}$, the group of all integers mod $M$ that are
relatively prime to $M$ under multiplication. Further, suppose that we know the order of
$\mathbb Z_M^{*}$, say $R = \left| \mathbb Z_M^{*} \right|$.\footnote{This is not a further
restriction: $R = \varphi(M)$, where $\varphi$ is the Euler totient function, and $\varphi(M)$
is easy to compute once the factorization of $M$ is known, which the factoring algorithm of the
last lecture provides efficiently.}
Since $g$ is a generator, $\mathbb Z_M^{*}$ is cyclic and every element is a power of $g$;
in particular $g^R \equiv 1 \mod M$, so exponents of $g$ only matter modulo $R$.
Further, suppose we are given some $a \in \mathbb Z_M^{*}$.
Then, our goal is to find the smallest integer $l \geq 0$ such that $g^l \equiv a \mod M$;
this $l$ is the discrete logarithm of $a$ to the base $g$, and it is unique in $\{0,\dots,R-1\}$.
Note that checking a proposed value of $l$ is efficient, as it only requires one modular
exponentiation, $g^l \bmod M$, and a comparison with $a$. However, no efficient
classical algorithm for finding $l$ is known: generic methods such as baby-step giant-step
or Pollard's rho use about $\sqrt{R}$ group operations, which is exponential in the number of
bits of $M$, and even the index-calculus methods specific to $\mathbb Z_p^{*}$ are only
subexponential.
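To make this asymmetry concrete, here is an added worked example in Python (not from the lecture notes) on a constructed instance: $M = 1019$ is prime, so $\mathbb Z_M^{*}$ is cyclic of order $R = 1018 = 2 \cdot 509$, and $g = 2$ is a generator. The code checks that $g$ generates the group, verifies a proposed $l$ with a single modular exponentiation, and recovers $l$ classically with baby-step giant-step, whose time and memory grow like $\sqrt{R}$. The instance values and the function names are choices made for this example.

```python
"""Discrete logarithm in Z_M^*: verifying a candidate is cheap, finding one is
not.  Added example, not from the lecture notes.  Constructed instance:
M = 1019 is prime, so Z_M^* is cyclic of order R = M - 1 = 1018 = 2 * 509,
and g = 2 is a generator.  For non-prime M the same code works provided
R = |Z_M^*| and its prime factors are known."""
from math import gcd, isqrt

M, R, R_FACTORS = 1019, 1018, [2, 509]   # constructed instance
G = 2


def is_generator(g, M, R, R_factors):
    """g generates Z_M^* (known to have order R) iff gcd(g, M) = 1 and
    g^(R/q) != 1 mod M for every prime q dividing R."""
    if gcd(g, M) != 1:
        return False
    return all(pow(g, R // q, M) != 1 for q in R_factors)


def check_dlog(g, a, l, M):
    """Verifying a proposed l costs one modular exponentiation."""
    return pow(g, l, M) == a % M


def bsgs(g, a, M, R):
    """Baby-step giant-step: return l in [0, R) with g^l = a (mod M), or None.
    Time and memory are O(sqrt(R)), i.e. exponential in the bit length of M;
    this is the generic classical cost the notes contrast with the quantum
    algorithm."""
    m = isqrt(R) + 1
    table = {}                            # baby steps: g^j -> j for 0 <= j < m
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % M
    giant = pow(g, (R - m) % R, M)        # g^(-m), valid because g^R = 1
    gamma = a % M
    for i in range(m + 1):                # giant steps: a * g^(-m i)
        if gamma in table:                # a * g^(-m i) = g^j  =>  l = m i + j
            return (i * m + table[gamma]) % R
        gamma = gamma * giant % M
    return None


if __name__ == "__main__":
    assert is_generator(G, M, R, R_FACTORS)
    secret_l = 777
    a = pow(G, secret_l, M)
    print("a = g^l mod M =", a)
    print("check_dlog(g, a, 777) =", check_dlog(G, a, secret_l, M))
    print("bsgs recovers l =", bsgs(G, a, M, R))
```

Doubling the bit length of $M$ roughly squares $R$ and so doubles the exponent in the $\sqrt{R}$ cost of `bsgs`, while `check_dlog` stays a single exponentiation; that gap is what the quantum algorithm below removes.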
In order to construct an efficient quantum algorithm for this problem, consider the function
$f:\mathbb Z_R \times \mathbb Z_R \rightarrow \mathbb Z_M$, $f(x,y) = a^xg^y \mod M$, which is
well defined on $\mathbb Z_R$ because $a^R \equiv g^R \equiv 1 \mod M$. Then,
we begin with the state
\begin{equation}
\ket{\psi_1} = \frac{1}{R} \sum_{x,y=0}^{R-1} \ket{x}\ket{y}\ket{f(x,y)}.
\end{equation}
Note that $f(x,y) = a^x g^y = g^{lx+y}$, so $f(x,y)$ depends only on $lx + y \bmod R$. For each
of the $R$ values $b \in \{0,\dots,R-1\}$ there are exactly $R$ pairs $(x,y)$ with
$lx + y \equiv b \mod R$ (for every $x$ there is exactly one $y$), so observing the third
register yields a value $g^b$ with $b$ uniformly distributed over $\{0,\dots,R-1\}$, and leaves
the first two registers in the state
\begin{equation}
\ket{\psi_2} = \frac{1}{\sqrt{R}} \sum_{(x,y)\in\Lambda} \ket{x}\ket{y},
\end{equation}
where $\Lambda = \{(x,y) : 0 \leq x,y < R \text{ and } lx + y \equiv b \mod R\}$ is the set of the
$R$ preimages of $g^b$ under $f$.
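The structure of $\ket{\psi_2}$ is easy to check by direct simulation on a toy instance. The following Python is an added example, not part of the lecture notes, on the constructed instance $M = 11$, $g = 2$ (a generator, so $R = 10$) and $a = 7 = 2^7 \bmod 11$, so the hidden logarithm is $l = 7$. It groups the $R^2$ points of $\mathbb Z_R \times \mathbb Z_R$ by the value of $f$, checks that every group is a line $lx + y \equiv b$ of exactly $R$ points (so the observed $b$ is uniform and $|\Lambda| = R$), builds $\ket{\psi_2}$, and then goes one step beyond the text above: it applies the quantum Fourier transform over $\mathbb Z_R$ to both registers, which is how the standard algorithm continues, and checks that every outcome $(u,v)$ with non-zero probability satisfies $u \equiv lv \mod R$, from which $l$ is read off whenever $\gcd(v,R) = 1$. The simulation is classical and takes time exponential in $\log R$; it illustrates the state structure only, and the instance values and function names are choices made for this example.

```python
"""Classical simulation of the state preparation for the quantum discrete-log
algorithm.  Added example, not from the lecture notes.  Constructed instance:
M = 11, g = 2 (a generator of Z_11^*, so R = 10) and a = 7 = 2^7 mod 11, so the
hidden logarithm is l = 7.  The simulation is exponential in log R and only
illustrates the structure of the states; it does not provide any speedup."""
import cmath
from math import gcd

M, G, R = 11, 2, 10      # constructed instance; assumes R = |Z_M^*| is known
A, L_SECRET = 7, 7        # a = g^l mod M; L_SECRET is used only to check answers


def fibers(g, a, M, R):
    """Group the R*R points of Z_R x Z_R by the value f(x, y) = a^x g^y mod M.
    This is what observing the third register of |psi_1> does: the surviving
    pairs are exactly the preimages of the observed value."""
    out = {}
    for x in range(R):
        for y in range(R):
            out.setdefault(pow(a, x, M) * pow(g, y, M) % M, []).append((x, y))
    return out


def fiber_is_line(points, l, R):
    """True iff all points share one b with l*x + y = b (mod R), i.e. the
    fiber is the set Lambda of the notes."""
    return len({(l * x + y) % R for (x, y) in points}) == 1


def post_measurement_state(g, a, M, R, observed):
    """|psi_2>: amplitude 1/sqrt(R) on each (x, y) in Lambda, zero elsewhere,
    as a sparse dict."""
    amp = 1 / R ** 0.5
    return {xy: amp for xy in fibers(g, a, M, R)[observed]}


def qft2(state, R):
    """Quantum Fourier transform over Z_R applied to both registers."""
    omega = cmath.exp(2j * cmath.pi / R)
    out = {}
    for u in range(R):
        for v in range(R):
            s = sum(amp * omega ** ((u * x + v * y) % R)
                    for (x, y), amp in state.items())
            out[(u, v)] = s / R          # 1/sqrt(R) normalisation per register
    return out


def likely_outcomes(state, R, eps=1e-9):
    """Outcomes (u, v) of measuring QFT|psi_2> with non-negligible probability.
    The sum over x in Lambda cancels unless u = l*v (mod R)."""
    return {uv: abs(amp) ** 2 for uv, amp in qft2(state, R).items()
            if abs(amp) ** 2 > eps}


def recover_log(g, a, M, R, observed):
    """Pick any surviving outcome with gcd(v, R) = 1 and return l = u * v^-1 mod R."""
    for (u, v) in likely_outcomes(post_measurement_state(g, a, M, R, observed), R):
        if gcd(v, R) == 1:
            v_inv = next(w for w in range(1, R) if v * w % R == 1)
            return u * v_inv % R
    return None


if __name__ == "__main__":
    fb = fibers(G, A, M, R)
    print("fibers:", len(fb), "each of size", {len(p) for p in fb.values()})
    print("all fibers are lines lx + y = b:",
          all(fiber_is_line(p, L_SECRET, R) for p in fb.values()))
    observed = pow(G, 3, M)              # pretend the measurement gave g^3
    outs = likely_outcomes(post_measurement_state(G, A, M, R, observed), R)
    print("surviving (u, v):", sorted(outs))
    print("recovered l =", recover_log(G, A, M, R, observed), "secret l =", L_SECRET)
```

Each of the $R$ surviving outcomes has probability exactly $1/R$, and the outcome does not depend on which $g^b$ was observed: the phase $\omega^{vb}$ contributed by $b$ has modulus one and disappears on measurement, which is why the value observed in the third register can be discarded.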