arxiv: 2604.02311 · v2 · submitted 2026-04-02 · 🪐 quant-ph

Recognition: 2 theorem links

· Lean Theorem

Space-Efficient Quantum Algorithm for Elliptic Curve Discrete Logarithms with Resource Estimation

Han Luo , Ziyi Yang , Ziruo Wang , Yuexin Su , Tongyang Li

Authors on Pith no claims yet

Pith reviewed 2026-05-13 21:17 UTC · model grok-4.3

classification 🪐 quant-ph

keywords elliptic curve discrete logarithmspace-efficient quantum algorithmreversible modular inversionShor's algorithmresource estimationlogical qubitsToffoli gatescontrolled point addition

0 comments

The pith

Refined reversible modular inversion cuts ECDLP qubit count to 5n plus four log n terms.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a lower-space version of Shor's algorithm for the elliptic curve discrete logarithm problem by redesigning the modular inversion step that dominates space use during point addition. It starts from the extended Euclidean algorithm and applies register sharing plus location-controlled arithmetic to keep intermediate values compact without extra ancillas. This produces a modular inversion circuit of 3n plus four log n qubits and then plugs it into the controlled affine point-addition routine. The result is an ECDLP circuit that runs with 5n plus four log n qubits and cubic Toffoli cost. For a 256-bit prime-field curve the estimate drops to 1333 logical qubits, below the 2124 reported in earlier low-width work.

Core claim

Starting from the extended Euclidean algorithm, length registers and location-controlled arithmetic yield a reversible modular inversion circuit using 3n + 4⌊log₂n⌋ + O(1) qubits and 204n² log₂n + O(n²) Toffoli gates; inserting this component into the controlled affine point-addition circuit produces an ECDLP algorithm with 5n + 4⌊log₂n⌋ + O(1) qubits and O(n³) Toffoli gates.

What carries the argument

Space-efficient reversible modular inversion built from length registers and location-controlled arithmetic that stores EEA intermediates compactly throughout the computation.

If this is right

The full ECDLP solver uses 5n + 4⌊log₂n⌋ + O(1) logical qubits and O(n³) Toffoli gates.
For n = 256 the qubit requirement falls to 1333, below the 2124 of the prior low-width implementation.
Modular inversion alone consumes 3n + 4⌊log₂n⌋ + O(1) qubits and 204n² log n Toffoli gates.
The same register-sharing technique can be reused inside other controlled arithmetic operations that appear in Shor's algorithm variants.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The reduced width makes concrete resource estimates for breaking 256-bit elliptic-curve keys on near-term fault-tolerant machines more realistic.
Similar length-register techniques could be tested on other number-theoretic primitives such as RSA modular exponentiation to see whether comparable savings appear.
The concrete Toffoli counts supplied allow direct comparison against other arithmetic circuit libraries for quantum cryptanalysis.

Load-bearing premise

The optimized stepwise update rules and location-controlled arithmetic components can be realized in the standard quantum circuit model without hidden space overhead or additional ancilla qubits beyond the stated O(log n) terms.

What would settle it

An explicit circuit or resource count for the modular inversion block on a 256-bit field that requires more than 3n + 4 log n qubits would falsify the space bound.

Figures

Figures reproduced from arXiv: 2604.02311 by Han Luo, Tongyang Li, Yuexin Su, Ziruo Wang, Ziyi Yang.

**Figure 2.** Figure 2: The overall quantum circuit of Shor’s algorithm for solving ECDLP using QFT. The qubits, [PITH_FULL_IMAGE:figures/full_fig_p007_2.png] view at source ↗

**Figure 3.** Figure 3: The overall quantum circuit of Shor’s algorithm for solving ECDLP using semiclassical QFT. [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗

**Figure 4.** Figure 4: An illustration of how the two Work registers are allocated for temporary variables within a single iteration of the EEA. The upper and lower stripes represent the Work1 and Work2 registers, respectively. The symbols (h) and (l) indicate that the value t ′ is split into its higher-order bits (h) and lower-order bits (l), which are placed at the corresponding positions on the two sides of the Work2 register… view at source ↗

**Figure 5.** Figure 5: Overall circuit implementation (Part 1) of a single iteration of our space-efficient EEA. The three [PITH_FULL_IMAGE:figures/full_fig_p018_5.png] view at source ↗

**Figure 6.** Figure 6: Overall circuit implementation (Part 2) of a single iteration of our space-efficient EEA. The [PITH_FULL_IMAGE:figures/full_fig_p019_6.png] view at source ↗

**Figure 7.** Figure 7: The explicit implementation of a location-controlled swap circuit. This circuit swaps the qubit [PITH_FULL_IMAGE:figures/full_fig_p019_7.png] view at source ↗

**Figure 8.** Figure 8: A template for the explicit implementation of a location-controlled addition/subtraction circuit. [PITH_FULL_IMAGE:figures/full_fig_p020_8.png] view at source ↗

**Figure 9.** Figure 9: The explicit implementation of the length updating circuit. This circuit updates [PITH_FULL_IMAGE:figures/full_fig_p021_9.png] view at source ↗

**Figure 10.** Figure 10: Schematic low-width controlled affine Weierstrass point-addition circuit, adapted from the [PITH_FULL_IMAGE:figures/full_fig_p026_10.png] view at source ↗

read the original abstract

Solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) is critical for evaluating the quantum security of widely deployed elliptic-curve cryptosystems. Consequently, minimizing the number of logical qubits required to execute this algorithm is a key object. In implementations of Shor's algorithm, the space complexity is largely dictated by the modular inversion operation during point addition. Starting from the extended Euclidean algorithm (EEA), we refine the register-sharing method of Proos and Zalka and propose a space-efficient reversible modular inversion algorithm. We use length registers together with location-controlled arithmetic to store the intermediate variables in a compact form throughout the computation. We then optimize the stepwise update rules and give concrete circuit constructions for the resulting controlled arithmetic components. This leads to a modular inversion circuit that uses $3n + 4\lfloor \log_2 n \rfloor + O(1)$ logical qubits and $204n^2\log_2 n + O(n^2)$ Toffoli gates. By inserting this modular inversion component into the controlled affine point-addition circuit, we obtain a space-efficient algorithm for the ECDLP with $5n + 4\lfloor \log_2 n \rfloor + O(1)$ qubits and $O(n^3)$ Toffoli gates. In particular, for a 256-bit prime-field curve, our estimate reduces the logical-qubit count to 1333, compared with 2124 in the previous low-width implementation of H\"aner et al.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This paper tightens the logical qubit bound for quantum ECDLP to 5n + 4 log n by refining register sharing in the modular inversion step.

read the letter

The main thing to know is that the authors cut the qubit count for a full Shor-style ECDLP solver down to 5n + 4 floor(log n) plus small constants, which for a 256-bit curve gives 1333 logical qubits instead of the 2124 reported by Haner et al. They achieve this by tightening the Proos-Zalka register-sharing approach for the extended Euclidean algorithm inversion, adding length registers and location-controlled arithmetic so that intermediate values stay packed without extra ancilla. The inversion circuit itself is stated at 3n + 4 log n qubits and roughly 204 n squared log n Toffoli gates, then dropped into the controlled affine addition to reach the overall bound with O(n cubed) gates total. The construction uses only standard reversible primitives and the numbers follow directly from the shared n-bit registers plus the log n overhead, with no visible circularity or hidden space costs in the update rules. For people who need concrete resource estimates to assess quantum security of deployed ECC, this supplies a usable tighter upper bound that can be plugged straight into existing analyses. The derivations appear consistent on the page, though the exact controlled-arithmetic gate decompositions would be easier to check if the full circuit diagrams were expanded in an appendix. This is the kind of incremental but practical circuit-level work that belongs in a reading group focused on quantum cryptanalysis. It is grounded enough and improves a published baseline by a measurable amount, so it should go to peer review rather than a desk reject.

Referee Report

1 major / 2 minor

Summary. The paper claims to develop a space-efficient quantum algorithm for the Elliptic Curve Discrete Logarithm Problem (ECDLP) by refining the extended Euclidean algorithm for reversible modular inversion using length registers and location-controlled arithmetic. This results in a modular inversion circuit using 3n + 4⌊log₂ n⌋ + O(1) qubits and 204n² log₂ n + O(n²) Toffoli gates, which when integrated into the controlled affine point addition yields an overall ECDLP solver with 5n + 4⌊log₂ n⌋ + O(1) qubits and O(n³) Toffoli gates. For a 256-bit curve, this reduces the qubit count to 1333 compared to 2124 in prior work.

Significance. If the resource estimates hold, this work provides a substantial reduction in logical qubit requirements for quantum attacks on elliptic curve cryptography (1333 vs. 2124 for 256-bit curves), which is significant for assessing quantum security margins. The constructive use of standard reversible arithmetic primitives, register sharing, and explicit Toffoli counts strengthens the contribution by enabling more precise hardware resource planning.

major comments (1)

[Abstract and modular inversion circuit description] Abstract and modular inversion section: the central qubit formula 5n + 4⌊log₂n⌋ + O(1) for the full ECDLP algorithm rests on the claim that embedding the 3n + 4⌊log₂n⌋ + O(1) inversion circuit into controlled affine point addition incurs no hidden ancilla overhead from the location-controlled arithmetic or stepwise updates; an explicit register accounting table or diagram verifying this for the EEA-based components would be required to confirm the total.

minor comments (2)

[Abstract] Abstract: the inversion gate count 204n²log₂n + O(n²) is stated without a breakdown of the leading coefficient derivation or comparison table to prior EEA implementations; adding this would improve verifiability.
[References] The reference to Häner et al. should include the full citation details (year, title, venue) in the bibliography for completeness.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful reading, positive assessment of significance, and recommendation for minor revision. The suggestion for explicit register accounting improves clarity of the qubit claims.

read point-by-point responses

Referee: Abstract and modular inversion section: the central qubit formula 5n + 4⌊log₂n⌋ + O(1) for the full ECDLP algorithm rests on the claim that embedding the 3n + 4⌊log₂n⌋ + O(1) inversion circuit into controlled affine point addition incurs no hidden ancilla overhead from the location-controlled arithmetic or stepwise updates; an explicit register accounting table or diagram verifying this for the EEA-based components would be required to confirm the total.

Authors: We agree that an explicit accounting table strengthens the presentation. In the revised manuscript we have added a register accounting table (new Table 2) in the modular inversion section together with a compact diagram of register sharing. The table enumerates every register (including length registers and those used for location-controlled arithmetic) across the EEA steps and the controlled affine point addition, confirming that all intermediate values reuse the existing 3n + 4⌊log₂n⌋ + O(1) qubits with no additional ancilla. The integration therefore preserves the overall bound of 5n + 4⌊log₂n⌋ + O(1) qubits. revision: yes

Circularity Check

0 steps flagged

No significant circularity in the derivation chain

full rationale

The paper constructs an explicit reversible modular inversion circuit from the extended Euclidean algorithm by refining register-sharing techniques and introducing length registers with location-controlled arithmetic. Qubit counts (3n + 4⌊log₂n⌋ + O(1) for inversion, then 5n + 4⌊log₂n⌋ + O(1) for the full ECDLP algorithm) are obtained by direct enumeration of shared n-bit registers plus explicit O(log n) overhead terms in the stepwise update rules and controlled components. No parameters are fitted to data, no quantity is defined in terms of itself, and no load-bearing step reduces to a self-citation or imported ansatz; the comparison to Häner et al. is an external benchmark. The derivation is therefore self-contained against standard reversible-arithmetic primitives.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper relies on standard quantum circuit assumptions and prior algorithmic techniques without introducing new free parameters or postulated entities.

axioms (1)

standard math Quantum computation is modeled by reversible circuits composed of Toffoli gates and standard arithmetic primitives.
All circuit constructions and resource counts presuppose the usual fault-tolerant quantum circuit model.

pith-pipeline@v0.9.0 · 5581 in / 1301 out tokens · 57604 ms · 2026-05-13T21:17:21.675029+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

41 extracted references · 41 canonical work pages · 3 internal anchors

[1]

A meet-in-the-middle algorithm for fast synthesis of depth-optimal quantum circuits

Matthew Amy, Dmitri Maslov, Michele Mosca, and Martin Roetteler. A meet-in-the-middle algorithm for fast synthesis of depth-optimal quantum circuits. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems , 32(6):818--830, 2013. https://doi.org/10.1109/TCAD.2013.2244643

work page doi:10.1109/tcad.2013.2244643 2013
[2]

Bernstein, Iggy van Hoof, and Tanja Lange

Gustavo Banegas, Daniel J. Bernstein, Iggy van Hoof, and Tanja Lange. Concrete quantum cryptanalysis of binary elliptic curves. Cryptology ePrint Archive , 2020. https://eprint.iacr.org/2020/1296

work page 2020
[3]

NIST special publication 800-57 part 1, revision 5, recommendation for key management: P art 1--general

Elaine Barker and Quynh Dang. NIST special publication 800-57 part 1, revision 5, recommendation for key management: P art 1--general. NIST, Technical Report , page 171, 2020

work page 2020
[4]

Elliptic curve cryptography (ECC) cipher suites for transport layer security (TLS) , 2006

Simon Blake-Wilson, Nelson Bolyard, Vipul Gupta, Chris Hawk, and Bodo Moeller. Elliptic curve cryptography (ECC) cipher suites for transport layer security (TLS) , 2006. https://www.rfc-editor.org/rfc/rfc4492.html

work page 2006
[5]

Simon Blake-Wilson and M. Qu. Standards for efficient cryptography (sec) 2: Recommended elliptic curve domain parameters . Certicom Research, Oct , page 25, 1999

work page 1999
[6]

Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations

Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar, Hartmut Neven, Thiago Bergamaschi, Justin Drake, and Dan Boneh. Securing elliptic curve cryptocurrencies against quantum vulnerabilities: Resource estimates and mitigations, 2026. arXiv:2603.28846

work page internal anchor Pith review Pith/arXiv arXiv 2026
[7]

A new quantum ripple-carry addition circuit

Steven A. Cuccaro, Thomas G. Draper, Samuel A. Kutin, and David Petrie Moulton. A new quantum ripple-carry addition circuit. arXiv preprint , 2004. arXiv:quant-ph/0410184

work page internal anchor Pith review Pith/arXiv arXiv 2004
[8]

Reducing the number of qubits in quantum factoring

Cl \'e mence Chevignard, Pierre-Alain Fouque, and Andr \'e Schrottenloher. Reducing the number of qubits in quantum factoring. In Annual International Cryptology Conference , pages 384--415. Springer, 2025. https://doi.org/10.1007/978-3-032-01878-6_13

work page doi:10.1007/978-3-032-01878-6_13 2025
[9]

Reducing the number of qubits in quantum discrete logarithms on elliptic curves

Clémence Chevignard, Pierre-Alain Fouque, and André Schrottenloher. Reducing the number of qubits in quantum discrete logarithms on elliptic curves. Cryptology ePrint Archive, Paper 2026/280, 2026. https://eprint.iacr.org/2026/280

work page 2026
[10]

Childs and Wim van Dam

Andrew M. Childs and Wim van Dam. Quantum algorithms for algebraic problems. Reviews of Modern Physics , 82(1):1--52, 2010. https://doi.org/10.1103/RevModPhys.82.1

work page doi:10.1103/revmodphys.82.1 2010
[11]

Whitfield Diffle and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory , 22(6), 1976. https://doi.org/10.1145/3549993.3550007

work page doi:10.1145/3549993.3550007 1976
[12]

Revisiting S hor's quantum algorithm for computing general discrete logarithms, 2019

Martin Eker . Revisiting S hor's quantum algorithm for computing general discrete logarithms, 2019. arXiv:1905.09084

work page arXiv 2019
[13]

A public key cryptosystem and a signature scheme based on discrete logarithms

Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory , 31(4):469--472, 1985. https://doi.org/10.1109/TIT.1985.1057074

work page doi:10.1109/tit.1985.1057074 1985
[14]

Fowler, Matteo Mariantoni, John M

Austin G. Fowler, Matteo Mariantoni, John M. Martinis, and Andrew N. Cleland. Surface codes: Towards practical large-scale quantum computation. Physical Review A , 86(3):032324, 2012. https://doi.org/10.1103/PhysRevA.86.032324

work page doi:10.1103/physreva.86.032324 2012
[15]

How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits

Craig Gidney and Martin Eker . How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum , 5:433, 2021. https://doi.org/10.22331/q-2021-04-15-433

work page doi:10.22331/q-2021-04-15-433 2048
[16]

Galbraith and Pierrick Gaudry

Steven D. Galbraith and Pierrick Gaudry. Recent progress on the elliptic curve discrete logarithm problem. Designs, Codes and Cryptography , 78(1):51--72, 2016. https://doi.org/10.1007/s10623-015-0146-7

work page doi:10.1007/s10623-015-0146-7 2016
[17]

How to factor 2048 bit RSA integers with less than a million noisy qubits

Craig Gidney. How to factor 2048 bit RSA integers with less than a million noisy qubits. arXiv preprint , 2025. arXiv:2505.15917

work page internal anchor Pith review Pith/arXiv arXiv 2048
[18]

Griffiths and Chi-Sheng Niu

Robert B. Griffiths and Chi-Sheng Niu. Semiclassical F ourier transform for quantum computation. Physical Review Letters , 76(17):3228, 1996. https://doi.org/10.1103/PhysRevLett.76.3228

work page doi:10.1103/physrevlett.76.3228 1996
[19]

Resource analysis of S hor's elliptic curve algorithm with an improved quantum adder on a two-dimensional lattice

Quan Gu, Han Ye, Junjie Chen, and Xiongfeng Ma. Resource analysis of S hor's elliptic curve algorithm with an improved quantum adder on a two-dimensional lattice. arXiv preprint arXiv:2510.23212 , 2025

work page arXiv 2025
[20]

Zur theorie der abstrakten elliptischen Funktionenk \"o rper II

Helmut Hasse. Zur theorie der abstrakten elliptischen Funktionenk \"o rper II. Automorphismen und Meromorphismen. Das Additionstheorem. Journal für die reine und angewandte Mathematik , 1936. https://doi.org/10.1515/crll.1936.175.69

work page doi:10.1515/crll.1936.175.69 1936
[21]

Improved quantum circuits for elliptic curve discrete logarithms

Thomas H \"a ner, Samuel Jaques, Michael Naehrig, Martin Roetteler, and Mathias Soeken. Improved quantum circuits for elliptic curve discrete logarithms. In International Conference on Post-quantum Cryptography , pages 425--444. Springer, 2020. https://doi.org/10.1007/978-3-030-44223-1_23

work page doi:10.1007/978-3-030-44223-1_23 2020
[22]

Thomas H\" a ner, Martin Roetteler, and Krysta M. Svore. Factoring using 2n + 2 qubits with T offoli based modular multiplication. Quantum Info. Comput. , 17(7–8):673–684, June 2017. https://dl.acm.org/doi/abs/10.5555/3179553.3179560

work page doi:10.5555/3179553.3179560 2017
[23]

Optimized implementation of quantum binary field multiplication with T offoli depth one

Kyungbae Jang, Wonwoong Kim, Sejin Lim, Yeajun Kang, Yujin Yang, and Hwajeong Seo. Optimized implementation of quantum binary field multiplication with T offoli depth one. In International Conference on Information Security Applications , pages 251--264. Springer, 2022. https://doi.org/10.1007/978-3-031-25659-2_18

work page doi:10.1007/978-3-031-25659-2_18 2022
[24]

The elliptic curve digital signature algorithm (ECDSA)

Don Johnson, Alfred Menezes, and Scott Vanstone. The elliptic curve digital signature algorithm (ECDSA) . International Journal of Information Security , 1(1):36--63, 2001. https://doi.org/10.1007/s102070100002

work page doi:10.1007/s102070100002 2001
[25]

New quantum cryptanalysis of binary elliptic curves (extended version)

Kyungbae Jang, Vikas Srivastava, Anubhab Baksi, Santanu Sarkar, and Hwajeong Seo. New quantum cryptanalysis of binary elliptic curves (extended version). Cryptology ePrint Archive , 2025. https://eprint.iacr.org/2025/017

work page 2025
[26]

New quantum circuits for ECDLP : Breaking prime elliptic curve cryptography in minutes

Hyunji Kim, Kyungbae Jang, Siyi Wang, Anubhab Baksi, Gyeongju Song, Hwajeong Seo, and Anupam Chattopadhyay. New quantum circuits for ECDLP : Breaking prime elliptic curve cryptography in minutes. Cryptology ePrint Archive, Paper 2026/106, 2026. https://eprint.iacr.org/2026/106

work page 2026
[27]

The J acobi factoring circuit: Quantum factoring with near-linear gates and sublinear space and depth

Gregory D Kahanamoku-Meyer, Seyoon Ragavan, Vinod Vaikuntanathan, and Katherine van Kirk. The J acobi factoring circuit: Quantum factoring with near-linear gates and sublinear space and depth. In Proceedings of the 57th Annual ACM Symposium on Theory of Computing , pages 1496--1507, 2025. https://doi.org/10.1145/3717823.3718273

work page doi:10.1145/3717823.3718273 2025
[28]

Elliptic curve cryptosystems

Neal Koblitz. Elliptic curve cryptosystems. Mathematics of Computation , 48(177):203--209, 1987. https://doi.org/10.1090/S0025-5718-1987-0866109-5

work page doi:10.1090/s0025-5718-1987-0866109-5 1987
[29]

Tanuj Khattar, Noah Shutty, Craig Gidney, Adam Zalcman, Noureldin Yosri, Dmitri Maslov, Ryan Babbush, and Stephen P. Jordan. Verifiable quantum advantage via optimized DQI circuits, 2025. arXiv:2510.10967

work page arXiv 2025
[30]

Victor S. Miller. Use of elliptic curves in cryptography. In Conference on the Theory and Application of Cryptographic Techniques , pages 417--426. Springer, 1985. https://doi.org/10.1007/3-540-39799-X_31

work page doi:10.1007/3-540-39799-x_31 1985
[31]

Satoshi Nakamoto and A. Bitcoin. A peer-to-peer electronic cash system. Bitcoin.--URL: https://bitcoin. org/bitcoin. pdf , 4(2):15, 2008

work page 2008
[32]

Nielsen and Isaac L

Michael A. Nielsen and Isaac L. Chuang. Quantum computation and quantum information . Cambridge University Press, 2010

work page 2010
[33]

Another concrete quantum cryptanalysis of binary elliptic curves

Dedy Septono Catur Putranto, Rini Wisnu Wardhani, Harashta Tatimma Larasati, and Howon Kim. Another concrete quantum cryptanalysis of binary elliptic curves. Cryptology ePrint Archive , 2022. https://eprint.iacr.org/2022/501

work page 2022
[34]

Shor's discrete logarithm quantum algorithm for elliptic curves

John Proos and Christof Zalka. Shor's discrete logarithm quantum algorithm for elliptic curves. Quantum Info. Comput. , 3(4):317–344, July 2003. https://dl.acm.org/doi/abs/10.5555/2011528.2011531

work page doi:10.5555/2011528.2011531 2003
[35]

An efficient quantum factoring algorithm

Oded Regev. An efficient quantum factoring algorithm. Journal of the ACM , 72(1):1--13, 2025. https://doi.org/10.1145/3708471

work page doi:10.1145/3708471 2025
[36]

Svore, and Kristin Lauter

Martin Roetteler, Michael Naehrig, Krysta M. Svore, and Kristin Lauter. Quantum resource estimates for computing elliptic curve discrete logarithms. In International Conference on the Theory and Application of Cryptology and Information Security , pages 241--270. Springer, 2017. https://doi.org/10.1007/978-3-319-70697-9_9

work page doi:10.1007/978-3-319-70697-9_9 2017
[37]

Rivest, Adi Shamir, and Leonard Adleman

Ronald L. Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM , 21(2):120--126, 1978. https://doi.org/10.1145/359340.359342

work page doi:10.1145/359340.359342 1978
[38]

Space-efficient and noise-robust quantum factoring

Seyoon Ragavan and Vinod Vaikuntanathan. Space-efficient and noise-robust quantum factoring. In Annual International Cryptology Conference , pages 107--140. Springer, 2024. https://doi.org/10.1007/978-3-031-68391-6_4

work page doi:10.1007/978-3-031-68391-6_4 2024
[39]

Elliptic curve algorithm integration in the secure shell transport layer, 2009

Douglas Stebila and Jon Green. Elliptic curve algorithm integration in the secure shell transport layer, 2009. https://www.rfc-editor.org/rfc/rfc5656

work page 2009
[40]

Peter W. Shor. Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th Annual Symposium on Foundations of Computer Science , pages 124--134. IEEE, 1994. https://doi.org/10.1109/SFCS.1994.365700

work page doi:10.1109/sfcs.1994.365700 1994
[41]

Concrete quantum cryptanalysis of binary elliptic curves via addition chain

Ren Taguchi and Atsushi Takayasu. Concrete quantum cryptanalysis of binary elliptic curves via addition chain. In Cryptographers’ Track at the RSA Conference , pages 57--83. Springer, 2023. https://doi.org/10.1007/978-3-031-30872-7_3

work page doi:10.1007/978-3-031-30872-7_3 2023