Designs, Codes and Cryptography (IF 1.4), Pub Date: 2024-05-21, DOI: 10.1007/s10623-024-01416-8, Muhammad Imran, Gábor Ivanyos
The semidirect discrete logarithm problem (SDLP) is the following analogue of the standard discrete logarithm problem in the semidirect product semigroup \(G\rtimes {{\,\textrm{End}\,}}(G)\) for a finite semigroup G. Given \(g\in G, \sigma \in {{\,\textrm{End}\,}}(G)\), and \(h=\prod _{i=0}^{t-1}\sigma ^i(g)\) for some integer t, the SDLP\((G,\sigma )\), for g and h, asks to determine t. As Shor’s algorithm crucially depends on commutativity, it is believed not to be applicable to the SDLP. For generic semigroups, the best known algorithm for the SDLP is based on Kuperberg’s subexponential time quantum algorithm. Still, the problem plays a central role in the security of certain proposed cryptosystems in the family of semidirect product key exchange. This includes a recently proposed signature protocol called SPDH-Sign. In this paper, we show that the SDLP is even easier in some important special cases. Specifically, for a finite group G, we describe quantum algorithms for the SDLP in \(G\rtimes {\textrm{Aut}}(G)\) for the following two classes of instances: the first one is when G is solvable and the second is when G is a matrix group and a power of \(\sigma \) with a polynomially small exponent is an inner automorphism of G. We further extend the results to groups composed of factors from these classes. A consequence is that SPDH-Sign and similar cryptosystems whose security assumption is based on the presumed hardness of the SDLP in the cases described above are insecure against quantum attacks. The quantum ingredients we rely on are not new: these are Shor’s factoring and discrete logarithm algorithms and well-known generalizations.
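As an added illustration (not code from the paper), the SDLP instance defined above, computed in the toy group G = GL(2, Z_p) with σ the inner automorphism x ↦ M x M^{-1}, i.e. the abstract's second class of instances; the modulus, g and M below are constructed values. The last function checks the identity h·M^t = (gM)^t, which follows directly from the definition whenever σ is inner and is the reason such instances collapse to an ordinary exponentiation in the matrix group.

```python
# Added example, not the paper's code: h = prod_{i=0}^{t-1} sigma^i(g) in
# G = GL(2, Z_p) with sigma the inner automorphism x -> M x M^{-1}.
P = 101  # constructed toy modulus; purely illustrative

def mat_mul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2)) % P
                       for j in range(2)) for i in range(2))

def mat_inv(a):
    (x, y), (z, w) = a
    d = pow((x * w - y * z) % P, -1, P)      # ValueError if a is singular
    return ((w * d % P, -y * d % P), (-z * d % P, x * d % P))

def mat_pow(a, n):
    r, b = ((1, 0), (0, 1)), a
    while n:                                 # square-and-multiply in GL(2, Z_p)
        if n & 1:
            r = mat_mul(r, b)
        b, n = mat_mul(b, b), n >> 1
    return r

def sigma_pow(x, M, k):
    """sigma^k(x) = M^k x M^{-k} for the inner automorphism sigma = conj by M."""
    Mk = mat_pow(M, k)
    return mat_mul(mat_mul(Mk, x), mat_inv(Mk))

def sd_mul(u, v, M):
    """Product in G x| <sigma>: (g1, s^a)(g2, s^b) = (g1 * s^a(g2), s^(a+b))."""
    (g1, a), (g2, b) = u, v
    return (mat_mul(g1, sigma_pow(g2, M, a)), a + b)

def sd_pow(g, M, t):
    """(g, sigma)^t by square-and-multiply; first component is h = prod sigma^i(g)."""
    r, b = (((1, 0), (0, 1)), 0), (g, 1)
    while t:
        if t & 1:
            r = sd_mul(r, b, M)
        b, t = sd_mul(b, b, M), t >> 1
    return r

def solve_sdlp_bruteforce(g, h, M, bound):
    """Exhaustive search for t <= bound; only meaningful for this toy group size."""
    acc, k = g, 1                            # acc = prod_{i<k} sigma^i(g)
    while k <= bound:
        if acc == h:
            return k
        acc, k = mat_mul(acc, sigma_pow(g, M, k)), k + 1
    return None

def inner_collapse_holds(g, M, t):
    """For inner sigma, h * M^t == (g M)^t: the instance is an ordinary power."""
    h, _ = sd_pow(g, M, t)
    return mat_mul(h, mat_pow(M, t)) == mat_pow(mat_mul(g, M), t)
```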
Title: Efficient quantum algorithms for some instances of the semidirect discrete logarithm problem