This paper studies the quantum computational complexity of the discrete logarithm (DL) and related group-theoretic problems in the context of generic algorithms -- that is, algorithms that do not exploit any properties of the group encoding. We establish a generic model of quantum computation for group-theoretic problems, which we call the quantum generic group model. Shor's algorithm for the DL problem and related algorithms can be described in this model. We show the quantum complexity lower bounds and almost matching algorithms of the DL and related problems in this model. More precisely, we prove the following results for a cyclic group $G$ of prime order.

- Any generic quantum DL algorithm must make $\Omega(\log |G|)$ depth of group operations. This shows that Shor's algorithm is asymptotically optimal among the generic quantum algorithms, even considering parallel algorithms.
- We observe that variations of Shor's algorithm can take advantage of classical computations to reduce the number of quantum group operations. We introduce a model for generic hybrid quantum-classical algorithms and show that these algorithms are almost optimal in this model. Any generic hybrid algorithm for the DL problem with a total number of group operations $Q$ must make $\Omega(\log |G|/\log Q)$ quantum group operations of depth $\Omega(\log\log |G| - \log\log Q)$.
- When the quantum memory can only store $t$ group elements and use quantum random access memory of $r$ group elements, any generic hybrid algorithm must make either $\Omega(\sqrt{|G|})$ group operations in total or $\Omega(\log |G|/\log (tr))$ quantum group operations.

As a side contribution, we show a multiple DL problem admits a better algorithm than solving each instance one by one, refuting a strong form of the quantum annoying property suggested in the context of password-authenticated key exchange protocol.