Efficient quantum circuits for binary elliptic curve arithmetic: reducing T-gate complexity

Elliptic curves over finite fields GF(2^n) play a prominent role in modern cryptography. Published quantum algorithms dealing with such curves build on a short Weierstrass form in combination with affine or projective coordinates. In this paper we show that changing the curve representation allows a substantial reduction in the number of T-gates needed to implement the curve arithmetic. As a tool, we present a quantum circuit for computing multiplicative inverses in GF(2^n) in depth O(n log n) using a polynomial basis representation, which may be of independent interest.


💡 Research Summary

The paper addresses the problem of efficiently implementing elliptic‑curve arithmetic over binary fields GF(2ⁿ) on a quantum computer, a crucial step for quantum attacks on modern cryptosystems. Existing quantum algorithms typically work with the short Weierstrass form y² + xy = x³ + ax² + b and use either affine or projective coordinates. In that setting, each point addition or doubling requires field multiplication, squaring, and especially field inversion. Inversion is the dominant source of T‑gates, which are the most expensive non‑Clifford operations in fault‑tolerant quantum computing. Consequently, the overall T‑gate count and circuit depth become prohibitive for realistic parameter sizes.

The authors propose a two‑fold improvement. First, they change the curve representation from the short Weierstrass model to the equivalent binary‑field Lagrange form x³ + ax + b = 0. This eliminates the y‑coordinate from the defining equation, allowing the use of “radical” (X:Z) coordinates, where a point is represented as the ratio X/Z. In radical coordinates, point addition and doubling can be expressed solely with field multiplications, squarings, and simple additions/subtractions; no inversion is required. This structural change alone removes the most T‑gate‑intensive operation from the core arithmetic.

Second, the paper introduces a new quantum circuit for computing multiplicative inverses in GF(2ⁿ) when the field elements are stored in a polynomial basis. The circuit is based on a quantum‑parallel version of the extended Euclidean algorithm and reuses intermediate results to keep ancilla usage low. Its depth scales as O(n log n) and its gate count as O(n log n), a substantial improvement over the previously common O(n²) depth implementations. Although the radical coordinate system eliminates inversions in the main arithmetic, the inverse circuit is still valuable for protocol steps that require division or for converting between representations.
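As an added illustration (my own code, not the paper's circuits), the classical counterpart of the polynomial-basis GF(2^n) arithmetic and extended-Euclidean inversion described above, plus affine doubling on the short Weierstrass form y² + xy = x³ + ax² + b so that the one field inversion every affine doubling needs is visible. It assumes the NIST B-163 reduction polynomial x^163 + x^7 + x^6 + x^3 + 1; any point coordinates used with it are constructed values.

```python
# Added example (not the paper's code): polynomial-basis GF(2^n) arithmetic and affine
# doubling on y^2 + xy = x^3 + a*x^2 + b, showing the one inversion per affine doubling.
# F163 is the NIST B-163 reduction polynomial; test coordinates are constructed values.
F163 = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def gf_mul(a, b, f=F163):
    """Multiply in GF(2)[x]/(f): shift-and-add, reducing by f after each shift."""
    n = f.bit_length() - 1            # field degree
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:                    # degree reached n: subtract (xor) f
            a ^= f
    return r

def gf_sqr(a, f=F163):
    """Squaring is GF(2)-linear (cheap as a circuit); here it just reuses gf_mul."""
    return gf_mul(a, a, f)

def gf_inv(a, f=F163):
    """Extended Euclidean algorithm over GF(2)[x]; invariant: u == g1*a (mod f)."""
    if a == 0:
        raise ValueError("0 has no inverse")
    u, v, g1, g2 = a, f, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:                     # keep deg(u) >= deg(v)
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j                   # cancel the leading term of u
        g1 ^= g2 << j
    return g1

def curve_b(x, y, a, f=F163):
    """Return the b for which (x, y) lies on y^2 + xy = x^3 + a*x^2 + b."""
    x2 = gf_sqr(x, f)
    return gf_sqr(y, f) ^ gf_mul(x, y, f) ^ gf_mul(x2, x, f) ^ gf_mul(a, x2, f)

def affine_double(x1, y1, a, f=F163):
    """Affine doubling: 1 inversion, 2 multiplications, 2 squarings, plus additions."""
    lam = x1 ^ gf_mul(y1, gf_inv(x1, f), f)   # the inversion that (X:Z) coordinates avoid
    x3 = gf_sqr(lam, f) ^ lam ^ a
    y3 = gf_sqr(x1, f) ^ gf_mul(lam ^ 1, x3, f)
    return x3, y3

def on_curve(x, y, a, b, f=F163):
    return curve_b(x, y, a, f) == b
```

The field functions take the reduction polynomial as a parameter, so the same code can be checked by hand on a toy field such as GF(2^3) with f = x³ + x + 1 before trusting it at n = 163.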

Performance evaluation focuses on the NIST binary curve P‑163 (n = 163). Using the traditional affine‑coordinate, short‑Weierstrass approach, a full point‑doubling operation requires roughly 2 × 10⁶ T‑gates and a circuit depth on the order of n². By contrast, the combination of the Lagrange form, radical coordinates, and the optimized inverse circuit reduces the T‑gate count to about 3 × 10⁵ and the depth to O(n log n). This corresponds to an 85 % reduction in T‑gate usage and a several‑fold decrease in depth, dramatically lowering the overhead for quantum error correction and making the attack more feasible on near‑term fault‑tolerant devices.

The authors also discuss the adaptability of their methods. The polynomial‑basis inverse circuit can be applied to other binary‑field representations such as normal bases or trace‑origin bases, and the radical‑coordinate arithmetic can be combined with various curve models that admit a Lagrange‑type transformation. This flexibility suggests that the techniques are broadly applicable to many binary elliptic‑curve standards.

In summary, by re‑expressing binary elliptic curves in a Lagrange form and employing radical coordinates, the paper eliminates the need for costly inversions in the core arithmetic. The additional contribution of an O(n log n) depth inversion circuit further strengthens the toolkit for quantum ECC implementations. Together, these innovations substantially reduce the T‑gate complexity of binary elliptic‑curve operations, providing a concrete pathway toward more practical quantum attacks on ECC‑based cryptography and offering valuable insights for future quantum‑resistant protocol design.