Transformation of Elliptic Curve Discrete Logarithm Problem to QUBO Using Direct Method in Quantum Annealing Applications

This paper investigates how to reduce the elliptic curve discrete logarithm problem over prime fields to the quadratic unconstrained binary optimization (QUBO) problem in order to obtain as few logical qubits as possible. In the best case scenario, if $n$ is the bitlength of a characteristic of prime field $\mathbb{F}_p$, approximately $3n^3$ logical qubits are required for such a reduction in the Edwards curve case. We present a practical attack on an elliptic curve discrete logarithm problem over the 3-bit prime field $\mathbb{F}_7$ for an elliptic curve with the subgroup of order 8. We solved this problem using the D-Wave Advantage QPU. To the best of the authors' knowledge, no one has made, so far, a practical attack on the elliptic curve discrete logarithm over a prime field using the direct quantum method.


Introduction
Shor's quantum algorithm for factorization and discrete logarithm computation [1] is one of the essential research areas in modern cryptology. The resources required to run Shor's quantum algorithm have been widely analyzed in [2]-[4]. The estimations of resources required for implementing Shor's algorithm for the elliptic curve discrete logarithm problem (ECDLP) are presented in [5] for binary elliptic curves and in [6] for elliptic curves over prime fields.
As one may notice from Tab. 1, for real-world security parameters, the number of qubits necessary to run Shor's algorithm is not so big, but the number of Toffoli gates is huge. From this point of view, much work is still required to run Shor's algorithm to solve ECDLP for real-world security parameters. It is worth noting that a recent review of ECDLP using classical methods may be found in [7].
On the other hand, quantum annealing is an approach that is becoming increasingly popular. D-Wave Advantage is the most powerful computer using the quantum annealing technology. One of the interesting cryptography-related applications of quantum annealing is transforming the factorization algorithm [8] or the discrete logarithm problem over prime fields [9] into the quadratic unconstrained binary optimization (QUBO) problem, and then solving this problem using the D-Wave computer.
QUBO [10] is a significant problem with many real-world applications. The QUBO model can be described by the following optimization problem: where $Q$ is an $N \times N$ upper-diagonal matrix of real weights and $x$ is a vector of binary variables. The diagonal terms $Q_{i,i}$ are linear coefficients, and the non-zero off-diagonal terms are quadratic coefficients $Q_{i,j}$.
The QUBO problem may also be viewed as a problem of minimizing a function such as: Let us note that the QUBO problem is a special case of the binary quadratic model (BQM) problem, where BQM may be given as: with $a_i$ and $b_{i,j}$ being real numbers and $v_i \in \{-1, +1\}$ or $\{0, 1\}$. Transformation of the QUBO problem to the BQM problem for $v_i \in \{0, 1\}$ is straightforward: we must forget the constant $c$ appearing in BQM.
This paper shows how to transform the ECDLP over prime fields to the QUBO problem. The best method allows converting a discrete logarithm problem over a prime field $\mathbb{F}_p$ to the QUBO problem using approximately $3n^3$ logical qubits, where $n$ is the bitlength of $p$.
With the scope of research defined above, the authors' contribution consists in the following:
• presenting a method for reducing the elliptic curve discrete logarithm problem to the QUBO problem, with the said method requiring approximately $3n^3$ logical qubits for such a reduction,
• presenting a practical example and the results of solving ECDLP on the Edwards curve over $\mathbb{F}_7$ for the problem with the order of generator equal to 8, using the D-Wave Advantage QPU.
It is worth noting that, to the best of the authors' knowledge, no one has ever made a practical attack on the elliptic curve discrete logarithm over a prime field using direct quantum methods. Relying on the index calculus method, the application of quantum annealing to solving ECDLP over prime fields was presented in [11]. In that paper, hybrid classical-quantum annealing methods were used to collect relations. After that, the linear algebra step was computed classically to retrieve the private key.
The results presented in this paper are more connected with [9], where the DLP problem was transformed directly to the QUBO problem and then solved using the direct quantum annealing method. The main results of this paper are showing the direct transformation of the ECDLP on Edwards curves to the QUBO problem, with this problem then being solved using direct quantum annealing methods.
Solving such a QUBO problem is equivalent to retrieving the private key. There is no need to solve linear algebra steps, as was required in [11]. However, it is also worth noting that any QUBO problem may be run on a computer using a classical annealing algorithm (for example simulated annealing). Yet, there are some heuristic arguments that, in many cases, the complexity of quantum annealing may reach even $e^{\sqrt{N}}$ for a QUBO problem consisting of $N$ variables [12], with the simulated annealing algorithm offering some gains, as its complexity is $e^{N}$. Therefore, quantum annealing is much more interesting to consider in this case. However, the presented example is small, and the results obtained constitute another step in applying quantum computations to classical public-key cryptography problems.

Transformation of General
Now, the discrete logarithm problem is defined. Having elements $g, h \in G$ for which holds that: the problem is to find proper $y$.
If for any $g_1, g_2 \in G$ holds that $g_1 \,\square\, g_2$ may be written as a multivariate Boolean polynomial with integer coefficients, then such a discrete logarithm problem may be transformed to the QUBO problem.
Let $m$ be the bitlength of the order of element $g$, denoted as $\mathrm{ord}(g)$.
where $u_1, \ldots, u_m$ are binary variables. Then: Let $o$ be the neutral element of group operation in $G$. Then, for every element $g \in G$ must hold: The most important factor in this context is to ensure that one will be able to write $u_i \diamond (2^{i-1} \diamond g)$ as in Eq. (7), using multivariate polynomials of Boolean variables and real coefficients. By applying $x_i = u_i \diamond (2^{i-1} \diamond g)$, the general DLP problem given by Eq. (5) may be transformed to a problem of finding the solution of: Transformation of the discrete logarithm problem over finite fields in additive and multiplicative groups has been presented in detail in [9]. Application of the quantum annealing approach while solving such discrete logarithms was also presented. Therefore, we omit these descriptions and focus mainly on transforming the elliptic curve discrete logarithm problem to the QUBO problem and solving it using quantum annealing.

Transformation of Elliptic Curve Discrete Logarithm Problem to QUBO
Elliptic curve cryptography (ECC) is an important part of modern security. Many cryptographic problems are based on the computational complexity of the elliptic curve discrete logarithm problem (ECDLP), which will be described below. The most popular cryptographic algorithms based on ECDLP are Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA).
We begin by defining an elliptic curve discrete logarithm problem over a prime field $\mathbb{F}_p$: where $P, Q \in E(\mathbb{F}_p)$ and $y \in \{1, \mathrm{ord}(P) - 1\}$.
Let $m$ be the bitlength of $\mathrm{ord}(P)$.
where $u_1, \ldots, u_m$ are binary variables. Then: It is worth noting that writing allows to obtain $y > \mathrm{ord}(P)$, and to get the result from $\{0, \ldots, \mathrm{ord}(P) - 1\}$ computing $y \bmod \mathrm{ord}(P)$.
For simplicity, let us suppose that the neutral element $O$ of addition operation in $E(\mathbb{F}_p)$ may be represented using affine coordinates and $O = (O_x, O_y)$. This is the case, for instance, in Edwards or twisted Edwards curves. Then, for every point $P = (P_x, P_y) \in E(\mathbb{F}_p)$: If 11) above is equivalent to: Similar transformations can be repeated when the neutral element cannot be represented using affine coordinates but must be presented using projective coordinates, as it is the case in short Weierstrass curves. Now, the ECDLP given by Eq. (9) may be transformed to the problem of finding a solution of:
General decomposition scheme of an elliptic curve discrete logarithm problem.
Let $E$ be an elliptic curve with complete arithmetic and let us assume, for simplicity, that all points from $\langle P \rangle$ may be presented using affine coordinates. Then, for every two points where $\varphi, \xi, \psi$ are polynomials.
To solve the problem given by Eq. (13), a regular binary tree of maximal height is used (Fig. 2), the same as for transforming the DLP problem to the QUBO problem [9].
In Eq. (14), point $Q$ is computed explicitly, but may be presented by the coordinates of every point implicitly.
For the case of ECDLP and the method of decomposition presented in Fig. 2, the following system of equations is obtained: where: Next, we will focus on the transformation of the ECDLP defined on different models of elliptic curves to the QUBO problem.
In the direct method presented above, it is important to use only one kind of formula that should work for all proper possible inputs. In the case of the elliptic curve in the Weierstrass form, the main issue is that the efficient formulas for addition and for doubling are different. Furthermore, in the case of the Weierstrass curve, a neutral element cannot be added using classical, reasonably efficient addition formulas.
On the other hand, complete arithmetic formulas exist for the Weierstrass curves, but they are inefficient [13]. Therefore, using an elliptic curve model that would allow using the following:
• efficient arithmetic with a small number of multiplications,
• neutral element which can be represented by affine coordinates,
• complete arithmetic,
seems much more convenient.
Therefore, we focus on applying the proposed method to the case of Edwards curves, which fulfill all the conditions presented above.
The sum of points $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ on $E_{Ed}$ is given by: The neutral element is $O = (0, 1)$ and the negation is given by $-(x, y) = (-x, y)$. If $d$ is not a square in $K$, the above addition formula is complete in the $K$-rational points set on $E$.
, the Eq. (12) for Edwards curves is equivalent to: In such a case, using the idea presented earlier as well as Eq. (15), the system of equations in the case of the Edwards curve will be given by Eq. (19). Assume that the Edwards curve is defined over a prime field $\mathbb{F}_p$ and $n$ denotes the bitlength of $p$ and $m$ denotes the bitlength of the size of the order of the group generated by $P$.
Let us compute the number of logical variables required to transform the ECDLP problem on the Edwards curve into the QUBO problem. We begin by counting the necessary variables for a single system of equations $f_{i,1}, \ldots, f_{i,9}$, where $1 < i < m - 2$. Due to the fact that cases for $i = 1$ and $i = m - 2$ are similar, the analysis for these two scenarios may be omitted.
Consider the $f_{i,1}$ case in the context of the number of variables. For variables $A_i$, $n$ bits are necessary to represent them because every $A_i$ is in the set $\{1, \ldots, p - 1\}$. During the multiplication of $P_{i+1,y}$ and $R_{i-1,y}$, there will be $n$ monomials of degree 2 ($P_{i-1,y}$ consists of two terms, but only one Boolean variable) and $n$ monomials of degree 1. This means that $(-P_{i+1,y} R_{i-1,y}) \bmod p$ will consist, in such a case, of $2n$ monomials with coefficients from set $\{0, \ldots, p - 1\}$. Finally, it means that the maximum value of polynomial $f_{i,1}$ is equal to $(2n + 1)(p - 1)$, because the value of $A_i$ is also limited by $p - 1$. Therefore, $k_{i,1}\, p \le (2n + 1)(p - 1)$, which means that $k_{i,1} \le 2n$ and the bitlength of $k_{i,1}$ is equal to $\lfloor \log_2(2n) \rfloor + 1$ at most. Hence, for equation $f_{i,1}$, we have:
• $n$ additional variables obtained during linearization of square monomials,
• $n$ Boolean variables for variable $A_i$,
• $\lfloor \log_2(2n) \rfloor + 1$ Boolean variables necessary for writing variable $k_{i,1}$.
Therefore, for equation $f_{i,1}$, $2n + \lfloor \log_2(2n) \rfloor + 1$ additional variables are necessary. The same applies to equation $f_{i,4}$.
Let us focus on equation $f_{i,2}$. For variables $B_i$, $n$ bits are required to represent them, because every $B_i$ is in set $\{1, \ldots, p - 1\}$. On the other hand, during the multiplication of terms $P_{i+1,x} R_{i-1,x}$ there will be $n$ monomials of degree 2, because $P_{i-1,x}$ consists of one term and only one Boolean variable. This means that $(-P_{i+1,x} R_{i-1,x}) \bmod p$ will consist, in such a case, of $n$ monomials with coefficients from set $\{0, \ldots, p - 1\}$. It means that the maximum value of polynomial $f_{i,2}$ is equal to $(n + 1)(p - 1)$, because the value of $B_i$ is also limited by $p - 1$. Therefore, $k_{i,2}\, p \le (n + 1)(p - 1)$, which means that $k_{i,2} \le n$ and the bitlength of $k_{i,2}$ is equal to $\lfloor \log_2(n) \rfloor + 1$ at most. So, for equation $f_{i,2}$, we have:
• $n$ additional variables obtained during linearization of square monomials,
• $n$ Boolean variables for variable $B_i$,
• $\lfloor \log_2(2n) \rfloor + 1$ Boolean variables necessary for writing variable $k_{i,1}$.
Therefore, for equation $f_{i,2}$, $2n + \lfloor \log_2(n) \rfloor + 1$ additional variables are necessary. The same results apply to equation $f_{i,3}$.
As far as equation $f_{i,5}$ is concerned, $n$ bits are necessary to represent variables $E_i$, because every $E_i$ is in set $\{1, \ldots, p - 1\}$. On the other hand, during the multiplication of terms $C_i$ and $D_i$, there will be $n^2$ monomials of degree 2 (both $C_i$, $D_i$ consist of $n$ Boolean variables). This means that $(-C_i D_i) \bmod p$ will consist, in such a case, of $n^2$ monomials with coefficients from set $\{0, \ldots, p - 1\}$. Finally, it means that the maximum value of polynomial $f_{i,5}$ is $(n^2 + 1)(p - 1)$, because the value of $E_i$ is also limited by $p - 1$. Therefore, $k_{i,5}\, p \le (n^2 + 1)(p - 1)$, which means that $\frac{(n^2 + 1)(p - 1)}{p} < n^2 + 1$, so $k_{i,5} \le n^2$ and the bitlength of $k_{i,5}$ is equal to $\lfloor \log_2(n^2) \rfloor + 1$ at most. So, for equation $f_{i,5}$, we have:
• $n^2$ additional variables obtained during linearization of square monomials,
• $n$ Boolean variables for variable $E_i$,
• $\lfloor \log_2(n^2) \rfloor + 1$ Boolean variables necessary for writing variable $k_{i,5}$.
This proves that, for equation $k_{i,5}$, $n^2 + n + \lfloor \log_2(n^2) \rfloor + 1$ additional variables are necessary. The same applies to equations $f_{i,6}$ and $f_{i,7}$, but in each of these cases $n$ bits are necessary for representation of $R_{i,x}$ and $R_{i,y}$, so for $f_{i,6}$ and $f_{i,7}$, $n^2 + 2n + \lfloor \log_2(n^2) \rfloor + 1$ additional variables are necessary for each equation.
The case concerned with equation $f_{i,8}$ is the simplest. There are no necessary additional Boolean variables for linearizing square monomials and new variables from a finite field. The only additional variables are necessary for $k_{i,8}$. Let us note that $(-R_{i,x} - F_i) \bmod p$ will consist, in such a case, of $2n$ monomials with coefficients from set $\{0, \ldots, p - 1\}$. Finally, it means that the maximum value of polynomial $f_{i,8}$ is $(2n + 2)(p - 1)$, because the values of $C_i$ and $D_i$ are also limited by $p - 1$.
Therefore, $k_{i,8}\, p \le (2n + 2)(p - 1)$, which means that $k_{i,8} \le \frac{(2n + 2)(p - 1)}{p} < 2n + 2$, so $k_{i,8} \le 2n + 1$ and the bitlength of $k_{i,8}$ is equal to $\lfloor \log_2(2n + 1) \rfloor + 1$ at most. Similar considerations apply to equation $f_{i,9}$. There are no necessary additional Boolean variables for linearizing square monomials and new variables from a finite field. The only additional variables are necessary for $f_{i,9}$. Let us note that $(-G_i) \bmod p$ will consist, in such a case, of $n$ monomials with coefficients from set $\{0, \ldots, p - 1\}$. Finally, it means that the maximum value of polynomial $f_{i,9}$ is equal to $(n + 3)(p - 1)$, because the values of $A_i$, $B_i$ and $R_{i,y}$ are also limited by $p - 1$.
$n + 2$ and the bitlength of $k_{i,9}$ is $\lfloor \log_2(n + 2) \rfloor + 1$ at most. Summing up, for the system of equations $f_{i,1}, \ldots, f_{i,9}$ there are: In the case of the $f_{1,1}, \ldots, f_{1,9}$ system of equations and the $f_{m-2,1}, \ldots, f_{m-2,9}$ system, the number of necessary binary variables is lower. However, it does not influence the overall number of necessary variables much, so we use the same estimations as for $1 < i < m - 2$.

Practical Example and Results
Consider the following Edwards curve $E_{Ed}/\mathbb{F}_7 : x^2 + y^2 = 1 + 6x^2y^2$. The order of the group of points of this curve is equal to 8, and the group is cyclic. The generator of this group is point $P = (3, 3)$ and ECDLP with $Q = (4, 3) = [y]P$. We aim to break this ECDLP by finding proper $y$. First, we show how to transform this problem into the QUBO problem.
In the case of small problems, the transformation of entire equations may be more efficient than a separate transformation of each multiplication. Since we know that the order of $P$ is 8 and $Q$ is not the neutral point, $y \in \{1, \ldots, 7\}$. Using binary variables $u_1, u_2, u_3$, we can write $y$ as $y = u_1 + 2u_2 + 4u_3$. After this step, we have to make quadratization and then add penalties. The other method is first to make linearization of each of the equations and then square each of them, compute their sum, and add penalties [15]. The latter method allows computing the number of necessary variables more easily, while the former method may result in a smaller number of variables after problem reduction.
Based on these considerations, the first method has been selected, and the final problem in the BQM has been obtained. To make all transformations, the Magma Computational Algebra System (http://magma.maths.usyd.edu.au/magma/) has been used. The task was solved using quantum annealing, with the minimal energy criterion.
The proper solution was found, which is $y = 7$, because $u_1, u_2, u_3 = 1$. The values of parameters used in solving this QUBO problem are shown in Tab. 2 and the embedding of the problem to the D-Wave Advantage is illustrated in Fig. 3.
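The instance above can be checked classically. The following Python sketch is an added example, not the authors' Magma or D-Wave code: it uses the standard complete Edwards addition law, encodes each bit-controlled point as $(u P_x,\ 1 + u(P_y - 1))$ so that $u = 0$ yields $O = (0, 1)$, and replaces the annealer with an exhaustive minimum-energy search over $u_1, u_2, u_3$. The function names and the squared-residual energy are assumptions made for illustration; the real reduction additionally clears denominators and introduces auxiliary variables to reach quadratic form.

```python
from itertools import product

P_MOD = 7         # prime p of the field F_7 (from the page)
D = 6             # Edwards parameter d in x^2 + y^2 = 1 + d*x^2*y^2 (from the page)
NEUTRAL = (0, 1)  # neutral element O of an Edwards curve


def on_curve(pt):
    x, y = pt
    return (x * x + y * y - 1 - D * x * x * y * y) % P_MOD == 0


def edwards_add(a, b):
    """Standard complete Edwards addition law (d = 6 is a non-square mod 7)."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P_MOD
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P_MOD, -1, P_MOD) % P_MOD
    y3 = (y1 * y2 - x1 * x2) * pow((1 - t) % P_MOD, -1, P_MOD) % P_MOD
    return (x3, y3)


def select(u, pt):
    """Bit-controlled point (assumed encoding): u = 0 gives O, u = 1 gives pt."""
    return (u * pt[0] % P_MOD, (1 + u * (pt[1] - 1)) % P_MOD)


def doublings(base, m):
    """Precomputed constants P, 2P, 4P, ... (m points)."""
    pts = [base]
    for _ in range(m - 1):
        pts.append(edwards_add(pts[-1], pts[-1]))
    return pts


def energy(bits, base, target):
    """Penalty that is 0 exactly when sum_i u_i * 2^(i-1) * P equals Q."""
    acc = NEUTRAL
    for u, pt in zip(bits, doublings(base, len(bits))):
        acc = edwards_add(acc, select(u, pt))
    dx = (acc[0] - target[0]) % P_MOD
    dy = (acc[1] - target[1]) % P_MOD
    return dx * dx + dy * dy


def solve(base, target, m=3):
    """Exhaustive minimum-energy search; a classical stand-in for the annealer."""
    best = min(product((0, 1), repeat=m), key=lambda b: energy(b, base, target))
    y = sum(u << i for i, u in enumerate(best))
    return y, best, energy(best, base, target)


if __name__ == "__main__":
    print(solve((3, 3), (4, 3)))  # P and Q taken from the page
```

The search space here has only $2^3$ assignments; the logical-variable count of the actual QUBO grows as roughly $3n^3$, which is what makes the annealing formulation costly at real key sizes.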

Conclusion
This paper presents methods for transforming the elliptic curve discrete logarithm problem over prime fields to the QUBO problem. We showed how to efficiently perform such a transformation using approximately $3n^3$ logical variables (logical qubits) in the case of the Edwards curve. The discrete logarithm problem in the multiplicative subgroup over a finite field requires approximately $2n^2$ variables.
Table 3 presents the estimated number of logical variables of equivalent QUBO problems for real-world parameters. From Tab. 3 we can conclude that the number of logical variables (qubits) necessary to run appropriate QUBO problems for real-world parameters is very high. We show that the proposed approach, unlike Shor's algorithm, may be run in practice.
Even though only small instances were solved, they were run on the D-Wave computer remotely, via the D-Wave Leap cloud (https://cloud.dwavesys.com/leap/).
The elliptic curve discrete logarithm problem on the Edwards curve over $\mathbb{F}_7$ has been solved using the D-Wave Advantage QPU, with 112 physical qubits being used. Because the presented approach requires approximately $3n^3$ logical qubits for the reduction of ECDLP over $\mathbb{F}_p$, where the bitlength of $p$ is equal to $n$, the number of variables for real-size problems will be very large. For example, for a 256-bit prime field, approximately 50 300 000 logical variables will be necessary.
Even though the problem we have solved is small, according to our knowledge, this is the first time anyone has reported a solution to a discrete logarithm problem over prime fields using direct quantum methods.

Fig. 3. Embedding of a problem equivalent to the problem of finding elliptic curve discrete logarithm over $\mathbb{F}_7$ on Edwards curve to the D-Wave Advantage. The number of physical qubits is larger than the number of necessary logical qubits. Because the Pegasus topology graph is incompatible with the graph problem (QUBO problems define graph representation of the problem), chains are necessary to embed the problem graph to the Pegasus topology.
Tab. 2. D-Wave Advantage solver parameters used in solving QUBO problem equivalent to the problem of finding elliptic curve discrete logarithm over $\mathbb{F}_7$ on Edwards curve in a subgroup of size 8.
Tab. 3. Estimated number of logical variables of equivalent QUBO problem for real-world problems.