1: \begin{abstract}

2: The semidirect discrete logarithm problem (SDLP) is the

3: following analogue of the standard discrete logarithm problem in the semidirect product semigroup $G\rtimes \End(G)$ 

4: for a finite semigroup $G$. 

5: Given $g\in G, \sigma\in \End(G)$, 

6: and $h=\prod_{i=0}^{t-1}\sigma^i(g)$ for some integer $t$, the SDLP$(G,\sigma)$, for $g$ and $h$, asks to determine

7: $t$. As Shor's algorithm crucially depends on commutativity,

8: it is believed

9: not to be applicable to the SDLP. 

10: Previously, the best known algorithm for the SDLP was

11:  based on Kuperberg's subexponential time quantum algorithm. 

12: Still, the problem plays a central role in  the security of 

13: certain proposed cryptosystems in the family of \textit{semidirect product key exchange}. This includes

14: a recently proposed signature protocol

15: called SPDH-Sign.  

16: In this paper, we show that the SDLP is even easier 

17: in some important special cases. Specifically, for a finite group $G$, we

18: describe quantum algorithms for the SDLP in 

19: $G\rtimes \Aut(G)$ for the following two classes of instances:  

20: the first one is when $G$ is solvable and the second is when

21: $G$ is a matrix group and a power of

22: $\sigma$ with a polynomially small exponent is an inner automorphism of $G$.

23: We further extend the results to groups composed of factors

24: from these classes. 

25: A consequence is that SPDH-Sign and similar cryptosystems 

26: whose security assumption is based on the presumed hardness of the SDLP 

27: in the cases described above are insecure against quantum attacks.

28: The quantum ingredients we rely on

29: %of the algorithms in this paper

30: are not new: these are

31: Shor's factoring and discrete logarithm algorithms

32: and well-known generalizations.

33: \end{abstract}

34: