Quantum circuits for hyperelliptic curve discrete logarithms over the Mersenne prime fields

Owing to smaller key size, hyperelliptic curve cryptosystem (HCC) has attracted much attention in modern cryptography, which is generally based on the discrete logarithm problem on the hyperelliptic curves of genus 2 (HCDLP). Unfortunately, quantum computation may threaten this widely applied cryptosystem, yet the exact quantum cost of HCDLP is still unexploited because of complicated divisor addition formulae. In this work, we present the concrete quantum resource estimate for Shor's algorithm to compute HCDLP over the Mersenne prime fields. For this aim, we first modify basic modular operations for quantum computation. Then, we realize the quantum circuit from the reversible transforms of divisor additions. As the core of our work, the transforms have been decomposed into the straight-line program of basic modular operations with minimal auxiliary registers. Finally, we expound that the HCDLP over an n-bit Mersenne prime field can be computed on a quantum computer with 3344n3 - 72n2 - 1360n Toffoli gates using 20n + 2-log n - + 10 qubits. In particular, under the 128-bit security level, the quantum circuit for HCDLP over the Mersenne prime field F2127- 1 requires more quantum resources than that of ECDLP over the generic prime fields.