We revisit the quantum algorithm for computing short discrete logarithms that was recently introduced by Ekera and Hastad. By carefully analyzing the probability distribution induced by the algorithm, we show its success probability to be higher than previously reported. Inspired by our improved understanding of the distribution, we propose an improved post-processing algorithm that is considerably more efficient, enables better tradeoffs to be achieved, and requires fewer runs, than the original post-processing algorithm. To prove these claims, we construct a classical simulator for the quantum algorithm by sampling the probability distribution it induces for given logarithms. This simulator is in itself a key contribution. We use it to demonstrate that Ekera–Hastad achieves an advantage over Shor, not only in each individual run, but also overall, when targeting cryptographically relevant instances of RSA and Diffie–Hellman with short exponents.

中文翻译：

---

计算短离散对数的量子算法中的后处理

我们重新审视了最近由 Ekera 和 Hastad 引入的用于计算短离散对数的量子算法。通过仔细分析算法引起的概率分布，我们表明其成功概率高于先前报告的。受我们对分布的更好理解的启发，我们提出了一种改进的后处理算法，与原始后处理算法相比，该算法效率更高，能够实现更好的权衡，并且需要的运行次数更少。为了证明这些说法，我们通过对量子算法对给定对数得出的概率分布进行采样，为量子算法构建了一个经典模拟器。这个模拟器本身就是一个关键的贡献。我们用它来证明 Ekera-Hastad 比 Shor 取得了优势，不仅在每次运行中，