J. Math. Cryptol.

8 (2014), 405 – 416

DOI 10.1515 / jmc-2013-0038 © de Gruyter 2014

Quantum computation of
discrete logarithms in semigroups
Andrew M. Childs and Gábor Ivanyos
Communicated by Rainer Steinwandt

Abstract. We describe an efficient quantum algorithm for computing discrete logarithms

in semigroups using Shor’s algorithms for period finding and the discrete logarithm prob-
lem as subroutines. Thus proposed cryptosystems based on the presumed hardness of
discrete logarithms in semigroups are insecure against quantum attacks. In contrast, we
show that some generalizations of the discrete logarithm problem are hard in semigroups
despite being easy in groups. We relate a shifted version of the discrete logarithm problem
in semigroups to the dihedral hidden subgroup problem, and we show that the constructive
membership problem with respect to k  2 generators in a black-box abelian semigroup
1 1
Q
of order N requires ‚.N 2 2k / quantum queries.

Keywords. Quantum algorithms, discrete logarithm, semigroups, hidden shift problem,

constructive membership, semigroup actions.

2010 Mathematics Subject Classification. 68Q12, 68Q17, 68W30, 81P68, 94A60.

1 Introduction

The presumed difficulty of computing discrete logarithms in groups is a common

cryptographic assumption. For example, such an assumption underlies Diffie–
Hellman key exchange, ElGamal encryption, and most elliptic curve cryptogra-
phy. While such cryptosystems may be secure against classical computers, Shor
showed that quantum computers can efficiently compute discrete logarithms [19].
Shor originally described an algorithm for computing discrete logarithms in the
multiplicative group of a prime field, but it is well known that his approach effi-
ciently computes discrete logarithms in any finite group, provided only that group
elements have a unique encoding and that group operations can be performed
efficiently.

AMC received support from NSERC, the Ontario Ministry of Research and Innovation, and the US
ARO. GI received support from the Hungarian Research Fund (OTKA, grant NK105645) and from
the Centre for Quantum Technologies at the National University of Singapore.
406 A. M. Childs and G. Ivanyos

Here we consider the closely-related problem of computing discrete logarithms

in finite semigroups. A semigroup is simply a set equipped with an associative
binary operation. In particular, a semigroup need not have inverses (and also need
not have an identity element).
We work in a model of black-box semigroups (analogous to the model of black-
box groups [2]). In this model, the elements of a semigroup S are uniquely rep-
resented by bit strings and we are given a black box that performs multiplication
using this representation. In the quantum setting, this black box performs the mul-
tiplication reversibly (i.e., it performs the map jx; y; zi 7! jx; y; z ˚ xyi, where
x; y; z are encodings of semigroup elements, xy is the encoding of the corre-
sponding product, and ˚ denotes bitwise addition modulo 2) and can be queried
in superposition. It is conventional to charge unit cost for each query to the black
box.
In the discrete logarithm problem for a semigroup S , we are given two elements
x; g 2 S and are asked to find the smallest a 2 N ´ ¹1; 2; : : :º such that g a D x
(or to determine that no such a exists). We write a D logg x.
At first glance, it may be unclear how a quantum computer could compute dis-
crete logarithms in semigroups. Shor’s discrete logarithm algorithm relies cru-
cially on the function .a; b/ 7! g a x b , but x b is not defined in a semigroup. In
fact, hardness of the semigroup discrete logarithm problem has been proposed as
a cryptographic assumption that might be secure against quantum computers [11].
The particular scheme described in [11], based on matrix semigroups, has been
broken by a quantum attack [16]. However, the algorithm of [16] uses a reduction
from discrete logarithms in matrix groups to discrete logarithms in finite fields
[14], so it does not apply to general semigroups.
Here we point out that in fact quantum computers can efficiently compute dis-
crete logarithms in any finite semigroup. Our approach is a straightforward ap-
plication of known quantum tools. The structure of the semigroup generated by
g can be efficiently determined using the ability of a quantum computer to detect
periodicity, as shown in Section 2. Once this structure is known, an algorithm to
compute discrete logarithms follows easily, as explained in Section 3.
On the other hand, some problems for semigroups are considerably harder than
for groups. In Section 4, we consider a shifted version of the discrete logarithm
problem in semigroups, namely solving the equation x D yg a for a. This prob-
lem appears comparably difficult to the dihedral hidden subgroup problem, even
though the corresponding problem in a group can be solved efficiently by com-
puting a discrete logarithm. In Section 5, we consider the problem of writing a
given semigroup element as a product of k  2 given generators of a black-box
abelian semigroup. This problem can also be solved efficiently in groups, whereas
1 1
the semigroup version is provably hard, requiring .N 2 2k / quantum queries for
 Quantum computation of discrete logarithms in semigroups 407

an N -element semigroup. In fact, this bound is optimal up to logarithmic factors,

as we show using the algorithm for the shifted discrete logarithm problem.
After posting a preprint of this work, we learned of independent related work by
Banin and Tsaban, who showed that the semigroup discrete logarithm problem can
be solved efficiently using an oracle for the discrete logarithm problem in a cyclic
group [3]. In particular, this implies a fast quantum algorithm for the semigroup
discrete logarithm problem.

2 Finding the period and index of a semigroup element

Given a finite semigroup S, fix some element g 2 S . The element g generates a
subsemigroup hgi ´ ¹g j W j 2 Nº of S. The value
t ´ min j 2 N W g j D g k for some k 2 j C N
® ¯

is called the index of g. The index exists since S is finite. The value
r ´ min j 2 N W g t D g tCj
® ¯

is called the period of g. These definitions are illustrated in Figure 1. If j  t, we

say that g j is in the cycle of g; if j < t, we say that g j is in the tail of g.
We suppose that the elements of S are represented using log N bits, and we
consider an algorithm to be efficient if it runs in time poly.log N /. Since jhgij D
t C r, clearly t C r  N . Typically, log N D poly.log.t C r//, in which case an
efficient algorithm runs in time poly.log.t C r//.
We claim that there is an efficient quantum algorithm to compute t and r.
(Throughout this article, we consider bounded-error quantum algorithms.)

Lemma 2.1. There is an efficient quantum algorithm to determine the index and
the period of an element g of a black-box semigroup.
p
Proof. First we find the period, as follows. Create the state jMD1 jj ijg j i= M
P

for some sufficiently large M (it suffices to take M > N 2 C N ). Note that we can
compute g j efficiently even for exponentially large j using repeated squaring, so
this state can be made in polynomial time. Next, we discard the second register.
To understand what happens when we do this, suppose we measure the second
register. If we obtain an element in the tail of g, then the first register is left in
a computational basis state, which is useless. However, with probability at least
.M t C 1/=M  1 N=M , we obtain an element in the cycle of g, and we are
left with an r-periodic state
L 1
1 X
p jx0 C jri
L j D0
408 A. M. Childs and G. Ivanyos

g g2 g3 g t−1 g t = g t+r

g t+r−1 g t+1

g t+r−2 g t+2

Figure 1. The semigroup hgi.

for some unknown x0 2 ¹t; t C 1; : : : ; t C r 1º, where L is either b.M t/=rc

or d.M t/=re (depending on the value of x0 ). This is precisely the type of state
that appears in Shor’s period-finding algorithm (see for example [5, Algorithm 5]).
After Fourier transforming this state over ZM and measuring, we obtain the out-
come k 2 ZM with probability

ˇL 1
1 ˇˇ X 2 ik.x0 Cjr/=M ˇˇ2 sin2 . krL
ˇ
M /
Pr.k/ D e D :
LM LM sin . kr
2
M /
ˇ ˇ
j D0

A simple calculation (see for example [5, equations (57)–(60)]) shows that the
probability of obtaining a closest integer to one of the r integer multiples of M=r
is at least 4= 2 . By efficient classical postprocessing using continued fractions,
we can recover r with constant probability by sampling from such a distribution
[19]. Since we are in the cycle of g with overwhelming probability, the overall
procedure succeeds with constant probability (which could be boosted by standard
techniques).
Given the period of g, we can find its index by an efficient classical procedure.
Observe that we can efficiently decide whether a given element g j is in the tail
or the cycle of g: simply compute g r by repeated squaring and multiply by g j to
compute g j Cr . If g j Cr D g j , then g j is in the cycle of g; otherwise it is in the
tail of g. Let
´
1 if g j Cr D g j (i.e., g j is in the cycle of g),
.g j / ´
0 otherwise (i.e., g j is in the tail of g):

The list . .g/; .g 2 /; : : : ; .g N // consists of t 1 zeros followed by N t C1

ones, so we can find t in O.log N / iterations by binary search.
 Quantum computation of discrete logarithms in semigroups 409

3 Computing discrete logarithms

We now show how to efficiently compute discrete logarithms in semigroups on a
quantum computer.

Theorem 3.1. There is an efficient quantum algorithm to compute logg x on input

x; g 2 S (or to determine if no such value exists).

Proof. First, we use Lemma 2.1 to compute the index t and the period r of g. Then
we determine whether x is in the tail or the cycle of g. As described in the proof
of Lemma 2.1, this can be done efficiently by determining whether xg r D x.
If x is in the tail of g, then we compute p, the smallest positive integer such that
.xg p / D 1. This can be done efficiently by using binary search to find the first 1
in the list . .xg/; .xg 2 /; : : : ; .xg t //. Then we can compute logg x D t p.
On the other hand, suppose x is in the cycle of g. Then we use the well-known
fact (see for example [9]) that C ´ ¹g t Cj W j 2 Zr º is a group with iden-
tity element g t Cs where s D t mod r. In fact C is a cyclic group generated
by g t CsC1 ; in particular, for j  t we have g t CsC1 g j D g j C1 . Now we use
Shor’s discrete logarithm algorithm to compute logg t CsC1 x. While we cannot
immediately compute the inverse of x in C , we know that the inverse of g tCsC1
is g t CsCr 1 , so we can compute the hiding function f W Zr  Zr ! C with
f .a; b/ D x a g .tCsCr 1/b D x a .g t CsC1 / b , which suffices to efficiently com-
pute discrete logarithms in C . Thus we can compute

logg x D t C Œ.s C logg t CsC1 x/ mod r:

Finally, given a candidate value a for logg x, we check whether g a D x. If this

check fails then we conclude that logg x does not exist. This conclusion is cor-
rect (with bounded error) because the algorithm succeeds in finding logg x (with
bounded error) when it does exist.

4 A shifted version of the discrete logarithm problem

While the discrete logarithm problem is no harder in semigroups than in groups,
some problems that have efficient quantum algorithms in groups are more difficult
in semigroups. In this section, we discuss a shifted version of the discrete loga-
rithm problem that appears to be closely related to the dihedral hidden subgroup
problem.
The shifted discrete logarithm problem is as follows: given x; y; g 2 S , find
some a 2 N such that x D yg a (or determine that no such value exists). If S is a
group, then this problem reduces to the ordinary discrete logarithm problem, since
410 A. M. Childs and G. Ivanyos

it suffices to find a 2 N such that g a D y 1 x. However, if S is a semigroup, then

the best quantum algorithm we are aware of is the following.

Lemma 4.1. There is a quantum algorithm that, on inputs x; y; g 2 S , finds

pa 2 N
a O. logjSj/
such that x D yg (or determines if no such value exists) in time 2 .
Furthermore, there is an algorithm using only poly.logjS j/ quantum queries.

Proof. Similarly to j 7! g j , the function j 7! yg j has index

tQ ´ min j 2 N W yg j D yg k for some k 2 j C N

® ¯

and period
rQ ´ min j 2 N W yg tQ D yg tQCj I
® ¯

we say that yg j is in the cycle if j  tQ and in the tail if j < tQ. The period rQ
and the index tQ can be computed efficiently along the same lines as described in
Section 2.
The case where x is in the tail can be treated as in Section 3. If x is in the
cycle, so that x D yg tQC` for some nonnegative integer `, then we must solve a
constructive orbit membership problem for a permutation action of the group ZrQ
on the set of elements of the form yg tQCj . Specifically, the action of j 0 2 ZrQ is
0
multiplication by g j and we must find the element ` 2 ZrQ transporting yg tQ to x.
To this end, we consider the efficiently computable function f W Z2 Ë ZrQ ! S
with f .0; j / D yg tQCj and f .1; j / D xg j . The function f .0; j / is injective
since it has period r. Q Furthermore, f .1; j / D xg j D yg tQC`Cj D f .0; j C `/,
i.e., f .1; j / is a shift of f .0; j / by `. Therefore, f hides the subgroup h.1; `/i
of the dihedral group Z2 Ë ZrQ (i.e., it is constant on the cosets of this subgroup
and distinct on different cosets). It follows p that the Kuperberg sieve [12] finds
O. log rQ /
` (and hence a D t C `) in time 2
Q . Finally, since the dihedral hidden
subgroup problem can be solved with only polynomially many quantum queries
to the hiding function [6], we can solve the shifted discrete logarithm problem in
a black-box semigroup S with only poly.logjS j/ queries.
As in the proof of Theorem 3.1, given a candidate value a, we can check
whether x D yg a . If this check fails, we can conclude (with bounded error)
that no solution exists.

The dihedral hidden subgroup problem (DHSP) is apparently hard. Despite con-
siderable effort (motivated by a close connection to lattice problems [17]), Kuper-
berg’s algorithm remains the best known approach, and it is plausible that there
might be no efficient quantum algorithm. Note that the DHSP can be reduced to
a quantum generalization of the constructive orbit membership problem, namely,
 Quantum computation of discrete logarithms in semigroups 411

orbit membership for a permutation action on pairwise orthogonal quantum states

[7, Proposition 2.2]. Thus, intuitively, a solution of the shift problem for a (classi-
cal) permutation action (such as in the shifted discrete logarithm problem) should
exploit that the action is on classical states, unless it also solves the DHSP.
In Section 5, we describe another variant of the discrete logarithm problem that
is even harder than the shifted discrete logarithm problem, requiring exponentially
many queries. We also show that our lower bound for that problem is nearly opti-
mal using the algorithm of Lemma 4.1 as a subroutine.

5 Constructive semigroup membership

Given an abelian semigroup generated by g1 ; : : : ; gk and a semigroup element x 2
hg1 ; : : : ; gk i, the constructive membership problem asks us to find a1 ; : : : ; ak 2
N0 ´ ¹0; 1; 2; : : :º with a1 C


Cak  1 such that x D g1a1


gkak . The notation
gi0 simply indicates that no factor of gi is present, so solutions with ai D 0 for
some values of i are well defined even though the semigroup need not have an
identity element.
This natural generalization of the discrete logarithm problem is easy for abelian
groups (see for example [10, Theorem 5]). In that case, let ri ´ jhgi ij for all i 2
¹1; : : : ; kº, r ´ jhxij, and L ´ Zr1 


 Zrk  Zr . The values .r1 ; : : : ; rk ; r/
can be computed efficiently by Shor’s order-finding algorithm [19]. Now consider
the function f W L ! G defined by f .a1 ; : : : ; ak ; b/ D g1a1


gkak x b . This func-
tion hides the subgroup
H ´ .a1 ; : : : ; ak ; b/ 2 L W g1a1


gkak D x b  L;
® ¯

so generators of H can be found in polynomial time [15]. To solve the construc-

tive membership problem, it suffices to find the solutions with b D 1 mod r. This
corresponds to a system of linear Diophantine equations, so it can be solved clas-
sically in polynomial time (see for example [18, Corollary 5.3b]).
Here we show that the constructive membership problem in semigroups is con-
siderably harder. Specifically, given a black-box semigroup S, we need expo-
nentially many quantum queries (in logjSj) to solve the constructive membership
problem with respect to k  2 generators.

Theorem 5.1. For any fixed k 2 N, there is a black-box semigroup S with k

1 1
generators for which at least .jS j 2 2k / quantum queries are required to solve
the constructive membership problem.

Proof. For any n 2 N, consider the abelian semigroup

S D g1a1


gkak W a1 ; : : : ; ak 2 N0 ; 1  a1 C


C ak  n [ ¹0º
® ¯
412 A. M. Childs and G. Ivanyos

generated by g1 ; : : : ; gk , with the following multiplication rules:

0.g1a1


gkak / D 0;
´
g1a1 Cb1


gkak Cbk if kiD1 .ai C bi /  n,
P
a1 ak b1 bk
.g1


gk /.g1


gk / D
if kiD1 .ai C bi / > n:
P
0

Let † ´ ¹.a1 ; : : : ; ak 1 / 2 N0k 1 W a1 C


C ak 1  nº. We show that

the problem of inverting a black-box permutation W † ! † (i.e., computing
 1 ./ for any fixed  2 † given a black box for ) reduces to constructive
semigroup membership in a black-box version of S with respect to the generators
p
g1 ; : : : ; gk . Since inverting
a permutation of m points requires . m/ quantum
queries [1], j†j D nCk 1
D ‚.nk 1 /, and jSj D nCk D ‚.nk /, this shows


k 1 k
that constructive semigroup membership requires
p
1 1

 nk 1 D  jS j 2 2k
queries.
To construct the black-box semigroup, we specify an encoding
encW S ! .a1 ; : : : ; ak / 2 N0k W 1  a1 C


C ak < n [ † [ ¹0º
® ¯

defined by
enc.g1a1


gkak / ´ .a1 ; : : : ; ak / if a1 C


C ak < n;
enc.g1a1


gkak 11 gkn a1


ak 1
/ ´ .a1 ; : : : ; ak 1 /;

enc.0/ ´ 0:
We can compute enc.gh/ using at most one call to  given the encodings enc.g/;
enc.h/ of any g; h 2 S. Now suppose we can solve the constructive membership
problem for some semigroup element with encoding  2 †, with respect to the
generators g1 ; : : : ; gk with encodings .1; 0; : : : ; 0/; : : : ; .0; : : : ; 0; 1/. Then we can
find the values a1 ; : : : ; ak 1 such that enc.g1a1


gkak 11 gkn a1


ak 1 / D , so
that .a1 ; : : : ; ak 1 / D  1 ./, thereby inverting .

Note that Theorem 5.1 gives a lower bound on the worst-case query complexity.
In fact, the same lower bound holds if we are given a random element of †. How-
ever, we leave the problem of the average-case quantum query complexity where,
say, x is chosen uniformly from the semigroup, as an open problem.
While Theorem 5.1 shows that the constructive membership problem is prov-
ably hard in black-box semigroups, the problem is also known to be NP-hard in
explicit semigroups. In particular, Beaudry proved NP-completeness of member-
ship testing in abelian semigroups of transformations of (small) finite sets [4].
 Quantum computation of discrete logarithms in semigroups 413

We show that for any fixed k, the lower bound of Theorem 5.1 is nearly tight.

Theorem 5.2. For any fixed k 2 N, there is a quantum algorithm to solve the
constructive membership problem for x 2 S D hg1 ; : : : ; gk i with respect to
1 1
g1 ; : : : ; gk in time jS j 2 2k Co.1/ . Furthermore, the quantum query complexity
1 1
of this problem is at most jS j 2 2k poly.logjSj/.
To prove this, we use the following simple observations.

Lemma 5.3. Let S be a finite abelian semigroup and let x; g1 ; : : : ; gk 2 S .

Let .a1 ; : : : ; ak / be the lexicographically first k-tuple from N0k such that x D
g1a1


gkak . Then .a1 C 1/


.ak C 1/  jS j.
Proof. Assume for a contradiction that .a1 C1/


.ak C1/ > jS j. Then, by the pi-
geonhole principle, there must exist c1 ; : : : ; ck ; d1 ; : : : ; dk 2 N0 with ci ; di  ai
(for all i D 1; : : : ; k) such that g1c1


gkck D g1d1


gkdk and .c1 ; : : : ; ck / ¤
.d1 ; : : : ; dk /. Suppose without loss of generality that .c1 ; : : : ; ck / is lexicograph-
ically smaller than .d1 ; : : : ; dk /. Let bi ´ ai C ci di for all i , and note that
ai di  0. Thus
g1a1


gkak D g1d1


gkdk g1a1 d1



gkak dk
;
g1b1


gkbk D g1c1


gkck g1a1 d1



gkak dk
:

This implies g1b1


gkbk D x. Also, for the first index i with ci ¤ di , we have
ci < di . Therefore .b1 ; : : : ; bk / is lexicographically smaller than .a1 ; : : : ; ak /, a
contradiction.

Lemma 5.4. For any r; L 2 N, let

D.r; L/ ´ .a1 ; : : : ; ar / 2 N0r W .a1 C 1/


.ar C 1/  L :
® ¯

Then for fixed r, jD.r; L/j D O.L logr 1

L/.
Proof. By induction on r, we show that jD.r; L/j  L. 32 log2 L/r 1 for every
integer L > 1. Clearly jD.1; L/j D L. We have .a1 ; : : : ; arC1 / 2 D.r C 1; L/ if
and only if .a1 ; : : : ; ar / 2 D.r; bL=.arC1 C 1/c/. Therefore
L
X L
X
jD.r C 1; L/j D jD.r; bL=ac/j  bL=ac. 23 log2 bL=ac/r 1

aD1 aD1
L
X
 .L=a/. 23 log2 L/r 1
 L. 23 log2 L/r ;
aD1
PL 1 3
where we used the fact that for every integer L > 1, aD1 a < 2 log2 L.
414 A. M. Childs and G. Ivanyos

We are now ready to prove the upper bound for constructive semigroup mem-
bership.

Proof of Theorem 5.2. By Lemma 5.3, there are some a1 ; : : : ; ak 2 N0 with x D

g1a1


gkak and some j 2 ¹1; : : : ; kº such that
Y
.ai C 1/  jS j.k 1/=k
:
i¤j

k 1
To see this, note that jkD1 i ¤j .ai C 1/ D
Qk 1.
 jS jk
Q Q
j D1 .aj C 1/
Thus, for each j 2 ¹1; : : : ; kº, we perform a Grover search [8] over the set
° Y ±
.a1 ; : : : ; aj 1 ; aj C1 ; : : : ; ak / 2 N0k 1 W .ai C 1/  jS j.k 1/=k ;
i ¤j

where for each .k 1/-tuple we use Lemma 4.1 (with y D i ¤j giai and g D gj )
Q

to find aj such that x D g1a1


gkak (or to exclude its existence). By Lemma 5.4,
k 1 1 1
the running time of this procedure is kjS j 2k Co.1/ D jS j 2 2k Co.1/ . Using the
query-efficient (but not time-efficient) algorithm for the dihedral hidden subgroup
1 1
problem in place of Kuperberg’s algorithm, we require only jS j 2 2k poly.logjSj/
queries.

6 Discussion
We have considered quantum algorithms for the semigroup discrete logarithm
problem and some natural generalizations thereof. While discrete logarithms can
be computed efficiently by a quantum computer even in semigroups, the shifted
semigroup discrete logarithm problem appears comparable in difficulty to the di-
hedral hidden subgroup problem, and the constructive membership problem in a
black-box semigroup with respect to multiple generators is provably hard. Thus,
while hardness of the discrete logarithm problem in semigroups is not a good as-
sumption for quantum-resistant cryptography, one might build quantum-resistant
cryptosystems based on the presumed hardness of other problems in semigroups.
Testing membership in abelian semigroups is related to a cryptographic problem
known as the semigroup action problem (SAP) [13]. Given an (abelian) semigroup
S acting on a set M and two elements x; y 2 M , the SAP asks one to find an
element s 2 S such that x D sy. Constructive membership testing in a monoid
(i.e., a semigroup with an identity element, which can be adjoined artificially if
necessary) is an instance of SAP: consider S acting on itself by multiplication and
let y be the identity. (More precisely, to obtain a decomposition with respect to
 Quantum computation of discrete logarithms in semigroups 415

generators g1 ; : : : ; gk , consider the natural action of hg1 i 


 hgk i on S .) On

the other hand, the SAP over an abelian semigroup can be reduced to membership
of x in a subsemigroup generated by y and S of the abelian semigroup S 0 D
S [ M [ ¹0º with a semigroup operation that naturally extends the multiplication
of S and the action of S on M . In particular, the SAP for a cyclic semigroup
action reduces to an instance of the shifted discrete logarithm problem discussed
in Section 4.
A natural open question raised by our work is the quantum complexity of the
shifted semigroup discrete logarithm problem: is this task indeed as hard as the
DHSP, or is there a faster algorithm using additional structure? In general, it
might also be interesting to develop new quantum-resistant cryptographic prim-
itives based on hard semigroup problems.

Acknowledgments. We thank Rainer Steinwandt for suggesting the problem of

computing discrete logarithms in semigroups and for helpful references. We thank
Robin Kothari for pointing out that the lower bound of Theorem 5.1 generalizes
from k D 2 to k > 2. We also thank the Dagstuhl research center and the organiz-
ers of its 2013 seminar on Quantum Cryptanalysis, where this work was started.

Bibliography
[1] A. Ambainis, Quantum lower bounds by quantum arguments, J. Comput. System Sci.
64 (2002), no. 4, 750–767.
[2] L. Babai and E. Szemerédi, On the complexity of matrix group problems I, in: 25th
Symposium on Foundations of Computer Science, 229–240, 1984.
[3] M. Banin and B. Tsaban, A reduction of semigroup DLP to classic DLP, preprint
(2013), http://arxiv.org/abs/1310.7903.
[4] M. Beaudry, Membership testing in commutative transformation semigroups, In-
form. and Comput. 79 (1988), no. 1, 84–93.
[5] A. M. Childs and W. van Dam, Quantum algorithms for algebraic problems, Rev.
Modern Phys. 82 (2010), no. 1, 1–52.
[6] M. Ettinger and P. Høyer, On quantum algorithms for noncommutative hidden sub-
groups, Adv. in Appl. Math. 25 (2000), 239–251.
[7] K. Friedl, G. Ivanyos, F. Magniez, M. Santha and P. Sen, Hidden translation and
translating coset in quantum computing, SIAM J. Comput. 43 (2014), no. 1, 1–24.
[8] L. K. Grover, Quantum mechanics helps in searching for a needle in a haystack,
Phys. Rev. Lett. 79 (1997), no. 2, 325–328.
[9] J. M. Howie, Fundamentals of Semigroup Theory, London Math. Soc. Monogr. Ser.
12, Oxford University Press, 1995.
416 A. M. Childs and G. Ivanyos

[10] G. Ivanyos, F. Magniez and M. Santha, Efficient quantum algorithms for some in-
stances of the non-abelian hidden subgroup problem, Internat. J. Found. Comput.
Sci. 14 (2003), no. 5, 723–739.
[11] D. Kahrobaei, C. Koupparis and V. Shpilrain, Public key exchange using matrices
over group rings, Groups Complex. Cryptol. 5 (2013), no. 1, 97–115.
[12] G. Kuperberg, A subexponential-time quantum algorithm for the dihedral hidden
subgroup problem, SIAM J. Comput. 35 (2005), no. 1, 170–188.
[13] G. Maze, C. Monico and J. Rosenthal, Public key cryptography based on semigroup
actions, Adv. Math. Commun. 1 (2007), 489–507.
[14] A. J. Menezes and Y.-H. Wu, The discrete logarithm problem in GL.n; q/, Ars Com-
bin. 47 (1997), 23–32.
[15] M. Mosca and A. Ekert, The hidden subgroup problem and eigenvalue estimation on
a quantum computer, in: Proceedings of the 1st NASA International Conference on
Quantum Computing and Quantum Communication, Lecture Notes in Comput. Sci.
1509, Springer, Berlin (1999), 174–188.
[16] A. D. Myasnikov and A. Ushakov, Quantum algorithm for the discrete logarithm
problem for matrices over finite group rings, preprint (2012), http://eprint.
iacr.org/2012/574.
[17] O. Regev, Quantum computation and lattice problems, SIAM J. Comput. 33 (2004),
no. 3, 738–760.
[18] A. Schrijver, Theory of Linear and Integer Programming, John Wiley & Sons, Chich-
ester, 1986.
[19] P. W. Shor, Polynomial-time algorithms for prime factorization and discrete loga-
rithms on a quantum computer, SIAM J. Comput. 26 (1997), no. 5, 1484–1509.

Received November 2, 2013; accepted June 6, 2014.

Author information
Andrew M. Childs, Department of Combinatorics & Optimization and Institute
for Quantum Computing, University of Waterloo, 200 University Avenue West,
Waterloo, Ontario N2L 3G1, Canada.
E-mail: [email protected]
Gábor Ivanyos, Institute for Computer Science and Control, Hungarian Academy
of Sciences, Kende u. 13–17, 1111 Budapest, Hungary.
E-mail: [email protected]