Take an elliptic curve group of 256-bit prime order $n$ over a 256-bit prime field in which the Discrete Logarithm Problem is believed hard, e.g. secp256r1. Build an isomorphic Schnorr group by taking $p$ as the smallest prime of the form $p=n\,r+1$ at least $\pi\,2^{4094}$, computing $g=2^r\bmod p$, and considering the group of powers of $g$ under multiplication modulo $p$.
Using classical computers, the best known attacks against the DLP in these groups have expected cost in the order of $2\sqrt q\approx2^{129}$ group operations. Some use feasibly little memory and can be efficiently distributed. The group operation is less expensive in the elliptic curve group than in the Schnorr group, by a factor within $2^2$ to $2^8$. The elliptic curve group is thus believed almost as safe as the Schnorr group, within 2 to 8 bits of security out of ≈ 128.
Some hypothetical Cryptographically Relevant Quantum Computer might one day be capable of breaking the DLP in these groups using variants of Shor's algorithm. Assuming this, can we compare the necessary quantum computing resources, perhaps in term of number of quantum operations, number of qubits, and required quality of qubits for some definition of that?
