Quantum computation of discrete logarithms in semigroups

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We describe an efficient quantum algorithm for computing discrete logarithms in semigroups using Shor’s algorithms for period finding and discrete log as subroutines. Thus proposed cryptosystems based on the presumed hardness of discrete logarithms in semigroups are insecure against quantum attacks. In contrast, we show that some generalizations of the discrete log problem are hard in semigroups despite being easy in groups. We relate a shifted version of the discrete log problem in semigroups to the dihedral hidden subgroup problem, and we show that the constructive membership problem with respect to $k \ge 2$ generators in a black-box abelian semigroup of order $N$ requires $\tilde \Theta(N^{\frac{1}{2}-\frac{1}{2k}})$ quantum queries.


💡 Research Summary

The paper investigates the computational complexity of discrete logarithm problems in finite semigroups—algebraic structures equipped only with an associative binary operation, lacking inverses and possibly an identity element. The authors show that, despite these apparent limitations, a quantum computer can solve the standard discrete logarithm problem in any finite semigroup efficiently, by adapting Shor’s period‑finding and discrete‑log algorithms as subroutines.

First, the authors formalize two structural parameters for a given element g of a semigroup S: the index t (the length of the “tail” before the sequence g, g², … enters a cycle) and the period r (the length of the eventual cycle). Lemma 1 proves that both t and r can be extracted in polynomial time using a quantum routine that prepares the superposition $\frac{1}{\sqrt{M}}\sum_{j=0}^{M-1}|j\rangle|g^{j}\rangle$ for a sufficiently large M, measures the second register, and, conditioned on landing in the cycle, obtains a state with r‑periodicity. A quantum Fourier transform then yields r with the same success probability as Shor’s original algorithm; a simple continued‑fraction post‑processing recovers the exact period. The index t is found by a binary search that checks whether $g^{j+r}=g^{j}$ holds, which requires only O(log N) queries.

With t and r known, Theorem 1 describes how to compute $\log_{g}x$. If x lies in the tail, the logarithm is simply $t-p$ where p is the first position of x in the tail, found by binary search. If x lies in the cycle, the authors construct a cyclic subgroup C generated by $g^{t+s}$ (where s is chosen so that $g^{t+s}$ is the identity of C). Within C, the inverse of $g^{t+s}$ is $g^{t+s+r-1}$, allowing the definition of a hiding function $f(a,b)=x^{a}(g^{t+s+r-1})^{b}=x^{a}(g^{t+s})^{-b}$. Applying Shor’s discrete‑log algorithm to C yields $\log_{g^{t+s}}x$, and the original logarithm follows by adding the offset t. Crucially, the algorithm never requires a global inverse in the semigroup; it only uses the locally defined inverse inside the cyclic component.
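As an added illustration (not the paper's code or its quantum circuit), the tail/cycle reduction behind Lemma 1 and Theorem 1 simulated classically: the semigroup is the integers under multiplication mod n (most elements have no inverse), and brute-force loops stand in for Shor's period finding and for Shor's discrete-log step inside the cyclic component. The class and function names are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ModMul:
    """Integers under multiplication mod n: a finite semigroup in which most elements have no inverse."""
    n: int

    def mul(self, a, b):
        return (a * b) % self.n
    def power(self, g, e):
        """g^e for e >= 1 by square-and-multiply; no identity element is assumed."""
        acc, base = None, g
        while e:
            if e & 1:
                acc = base if acc is None else self.mul(acc, base)
            base, e = self.mul(base, base), e >> 1
        return acc

def index_and_period(S, g):
    """(t, r): g^t is the first power that lies on the cycle and g^(t+r) = g^t.
    Classical stand-in for Lemma 1's quantum period finding."""
    seen, x, j = {}, g, 1
    while x not in seen:
        seen[x] = j
        x, j = S.mul(x, g), j + 1
    return seen[x], j - seen[x]

def cycle_identity(S, g, t, r):
    """Identity of the cyclic group C = {g^t, ..., g^(t+r-1)}: g^m with r | m and m >= t."""
    return S.power(g, -(-t // r) * r)

def cycle_inverse(S, g, t, r, j):
    """Inverse of g^j (j >= t) inside C: g^k with k >= t and j + k = 0 (mod r)."""
    return S.power(g, t + (-(t + j)) % r)

def semigroup_dlog(S, g, x):
    """Smallest a >= 1 with g^a = x, or None: the tail/cycle split of Theorem 1."""
    t, r = index_and_period(S, g)
    y = g
    for j in range(1, t):           # tail g^1 .. g^(t-1): linear scan replaces binary search
        if y == x:
            return j
        y = S.mul(y, g)
    # On the cycle: h = g^(t+s) with t+s = 1 (mod r) moves every cycle element one
    # step along the cycle, so h generates C and log_h x determines log_g x mod r.
    e, h = cycle_identity(S, g, t, r), S.power(g, t + (1 - t) % r)
    hb = e                          # h^0 in C; brute force replaces Shor's discrete log
    for b in range(r):
        if hb == x:
            return t + (b - t) % r
        hb = S.mul(hb, h)
    return None
```

With n = 100 and g = 2 the element 92 = 2^13 has no inverse modulo 100 (gcd 4), yet inside the 20-element cycle it is inverted by 28 = 2^7, which is the local inverse the reduction relies on.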

Section 4 introduces a shifted discrete‑log problem: given x, y, g find a such that $x = y g^{a}$. In a group this reduces to the ordinary discrete log, but in a semigroup the lack of inverses makes it harder. The authors map this problem to the dihedral hidden subgroup problem (DHSP). They define two functions $f(0,j)=y g^{\tilde t + j}$ and $f(1,j)=x g^{j}$ where $\tilde t$ and $\tilde r$ are the index and period of the sequence generated by y. The pair $(1,\ell)$ where $\ell$ satisfies $x = y g^{\tilde t + \ell}$ generates a hidden subgroup of the dihedral group $\mathbb Z_{2}\ltimes \mathbb Z_{\tilde r}$. Consequently, solving the shifted problem is equivalent to solving DHSP. Using Kuperberg’s sub‑exponential algorithm gives a runtime of $2^{O(\sqrt{\log \tilde r})}$; however, only polynomially many quantum queries are needed because DHSP can be solved with a polynomial‑query algorithm. This demonstrates that the shifted problem is plausibly harder than the ordinary semigroup discrete log, mirroring the conjectured hardness of DHSP.

Section 5 tackles the constructive membership problem for an abelian semigroup with generators $g_{1},\dots,g_{k}$: given an element x, find non‑negative integers $a_{1},\dots,a_{k}$ (not all zero) such that $x = g_{1}^{a_{1}}\cdots g_{k}^{a_{k}}$. In groups this reduces to solving a system of linear equations modulo the orders of the generators, which is efficiently solvable via the hidden‑subgroup framework. In semigroups, however, the authors prove a strong quantum lower bound. By constructing a specific semigroup S whose multiplication mimics a bounded‑sum constraint, they reduce the problem of inverting a black‑box permutation $\pi$ on a set $\Sigma$ (which requires $\Omega(\sqrt{|\Sigma|})$ quantum queries) to constructive membership in S. Since $|\Sigma| = \Theta(n^{k-1})$ and $|S| = \Theta(n^{k})$, any algorithm must make at least $\Omega(|S|^{1/2 - 1/(2k)})$ queries (Theorem 2).

The authors also provide an almost matching upper bound (Theorem 3). Lemma 3 shows that for any representation of x as a product of the generators, the product $(a_{1}+1)\cdots(a_{k}+1)$ cannot exceed $|S|$. This yields a bound on at least one coordinate, enabling a Grover search over the remaining $k-1$ coordinates. Each iteration of the Grover search uses the shifted‑log algorithm (Lemma 2) as a subroutine to verify whether a candidate tuple yields x. The total runtime becomes $|S|^{1/2 - 1/(2k)}$ up to polylogarithmic factors, which matches the lower bound up to logarithmic terms. If one replaces Kuperberg’s algorithm with a query‑efficient DHSP solver, the algorithm uses only $|S|^{1/2 - 1/(2k)}$ quantum queries.

Overall, the paper establishes three main contributions: (1) an explicit quantum algorithm that computes discrete logarithms in any finite semigroup in polynomial time, (2) a reduction of a shifted semigroup discrete‑log problem to the dihedral hidden subgroup problem, indicating a potentially harder variant, and (3) tight quantum query complexity bounds for the constructive membership problem in abelian semigroups with multiple generators. These results invalidate cryptographic schemes that rely on the presumed hardness of semigroup discrete logs against quantum adversaries, while also highlighting new semigroup problems that may retain quantum hardness and could serve as bases for post‑quantum cryptography.

