Abstract
The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a d-dimensional lattice in \(2^{\mathsf {c}d + o(d)}\) time steps with \(2^{\mathsf {c}' d + o(d)}\) memory for constants \(\mathsf {c}, \mathsf {c}'\). In this work, we give various quantum sieving algorithms that trade computational steps for memory.
We first give a quantum analogue of the classical k-Sieve algorithm [Herold–Kirshanova–Laarhoven, PKC’18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in \(2^{0.2989d + o(d)}\) time steps using \(2^{0.1395d + o(d)}\) memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D. Thesis, 2015] which, in the same model, solves SVP in \(2^{0.2653d + o(d)}\) time steps and memory. In the QRAM model these algorithms can be implemented using \(\mathrm {poly}(d)\)-width quantum circuits.
Secondly, we frame the k-Sieve as the problem of k-clique listing in a graph and apply quantum k-clique finding techniques to the k-Sieve.
Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A’13] to the 2-Sieve, and give an analysis in the quantum circuit model. We show how to solve SVP in \(2^{0.1037d + o(d)}\) time steps using \(2^{0.2075d + o(d)}\) quantum memory.
The full version of this article can be found at https://eprint.iacr.org/2019/1016.
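The graph view of the k-Sieve stated in the abstract, and the query-cost measure described in Note 2, can be made concrete with a small classical illustration. The following is an added example, not the paper's code and not the QuantumSieve repository: it treats the list as points on the unit sphere (the usual sieving heuristic), puts an edge between two vectors whenever their inner product is at most \(-1/3\), and lists the triangles of that graph through an adjacency-matrix oracle that counts its queries. With that threshold every triangle \(\{\mathbf {x}_i, \mathbf {x}_j, \mathbf {x}_k\}\) satisfies \(\|\mathbf {x}_i + \mathbf {x}_j + \mathbf {x}_k\|^2 = 3 + 2\sum \langle \mathbf {x}_a, \mathbf {x}_b\rangle \le 1\), so each listed triangle is a 3-Sieve output no longer than its inputs. The planted triple, the threshold, the dimension and the list size are assumptions chosen for the illustration; the quantum speed-ups the paper analyses are not modelled.

```python
import math
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def unit(v):
    n = math.sqrt(dot(v, v))
    return [c / n for c in v]


def planted_triple(d, ip):
    """Three unit vectors in R^d (d >= 3) with pairwise inner product exactly
    ip, for -1/2 <= ip < 1: an equilateral triangle of radius r in the first
    two coordinates, lifted by height h on the third, with r^2 + h^2 = 1.
    Pairwise inner product is r^2 cos(120 deg) + h^2 = h^2 - r^2/2."""
    r2 = 2.0 * (1.0 - ip) / 3.0          # solve ip = (1 - r^2) - r^2/2 for r^2
    r, h = math.sqrt(r2), math.sqrt(1.0 - r2)
    vecs = []
    for m in range(3):
        theta = 2.0 * math.pi * m / 3.0
        vecs.append([r * math.cos(theta), r * math.sin(theta), h] + [0.0] * (d - 3))
    return vecs


def build_example(d=6, n=30, seed=2019):
    """Constructed input (assumption for the illustration): a planted triple at
    indices 0, 1, 2 with pairwise inner product -0.4, padded with seeded random
    unit vectors, which is the sieve heuristic's model of a list."""
    rng = random.Random(seed)
    vecs = planted_triple(d, -0.4)
    while len(vecs) < n:
        vecs.append(unit([rng.gauss(0.0, 1.0) for _ in range(d)]))
    return vecs


class AdjacencyOracle:
    """Adjacency-matrix oracle of the sieve graph: vertices are list elements,
    (i, j) is an edge iff <x_i, x_j> <= threshold. Every call is one query,
    the cost unit of the query model referred to in Note 2."""

    def __init__(self, vecs, threshold=-1.0 / 3.0):
        self.vecs, self.threshold, self.queries = vecs, threshold, 0

    def __call__(self, i, j):
        self.queries += 1
        return dot(self.vecs[i], self.vecs[j]) <= self.threshold


def list_triangles(oracle, n):
    """Lists all triangles i < j < k: for each edge (i, j), every common
    neighbour k > j closes a triangle. Uses n(n-1) oracle queries to build
    the neighbour sets (each unordered pair is queried from both ends)."""
    nbrs = [{j for j in range(n) if j != i and oracle(i, j)} for i in range(n)]
    return [(i, j, k)
            for i in range(n)
            for j in sorted(nbrs[i]) if j > i
            for k in sorted(nbrs[i] & nbrs[j]) if k > j]


def sieve_step(vecs, threshold=-1.0 / 3.0):
    """One classical 3-Sieve step phrased as triangle listing. Returns
    ([(triple, ||x_i + x_j + x_k||^2), ...], number of oracle queries).
    With threshold -1/3 every listed squared norm is <= 3 + 2 * 3 * (-1/3) = 1."""
    oracle = AdjacencyOracle(vecs, threshold)
    out = []
    for (i, j, k) in list_triangles(oracle, len(vecs)):
        s = [a + b + c for a, b, c in zip(vecs[i], vecs[j], vecs[k])]
        out.append(((i, j, k), dot(s, s)))
    return out, oracle.queries


if __name__ == "__main__":
    vecs = build_example()
    found, queries = sieve_step(vecs)
    print(f"{len(found)} triangles from {queries} adjacency queries")
    for tri, norm2 in found[:5]:
        print(tri, f"||sum||^2 = {norm2:.4f}")
```

The triangle listing here is the naive classical procedure, so its query count is quadratic in the list size; the point of the example is only the correspondence between k-cliques of the inner-product graph and k-tuples whose sum is short, which is the structure the paper's quantum k-clique techniques are applied to.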
Notes
1.
2. This means that the complexity of the algorithm is measured by the number of oracle calls to the adjacency matrix of a graph.
3. The code is available at https://github.com/ElenaKirshanova/QuantumSieve.
4. This is not necessary but it enables us to efficiently create superpositions using Hadamard gates. Since our lists \(L_i\) are of sizes \(2^{\mathsf {c}d + o(d)}\) for a large d and a constant \(\mathsf {c}< 1\), this condition is easy to satisfy by rounding \(\mathsf {c}d\).
5. This follows by multiplying the sizes of the lists \(L_i(\mathbf {x}_1, \ldots, \mathbf {x}_{i-1})\) for all \(2 \le i \le k\).
6. As we are in the balanced configuration case, and our input lists are identical, Theorem 5 has no dependence on j.
7. Note that this differs from [BdWD+01] as in general either of Step 1 or 2 may dominate, and we also make use of the existence of \(\varTheta (n)\) triangles.
8. Note that we are considering \(G_{ijk}\) rather than G here, hence the \(n \leftrightarrow n', m \leftrightarrow m'\) notation change.
9. Given that \(|\ell _{i} |= n^{\gamma }, |\ell _{i j} |= 2n^{\gamma }, |\ell _{i j k} |= 3n^{\gamma }\), the expected numbers of triangles differ only by a constant.
References
Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: STOC 1997, pp. 284–293 (1997)
Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25
Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time using discrete Gaussian sampling: extended abstract. In: STOC 2015, pp. 733–742 (2015)
Arunachalam, S., Gheorghiu, V., Jochym-O’Connor, T., Mosca, M., Srinivasan, P.V.: On the robustness of bucket brigade quantum RAM. New J. Phys. 17(12), 123010 (2015)
Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, STOC 2001, pp. 601–610 (2001)
Aono, Y., Nguyen, P.Q., Shen, Y.: Quantum lattice enumeration and tweaking discrete pruning. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 405–434. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_14
Beals, R., et al.: Efficient distributed quantum computing. Proc. R. Soc. A 469(2153), 20120686 (2013)
Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschritte der Physik 46(4–5), 493–505 (1998)
Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, pp. 10–24 (2016)
Buhrman, H., et al.: Quantum algorithms for element distinctness. In: Proceedings of the 16th Annual Conference on Computational Complexity, CCC 2001, Washington, DC, USA, pp. 131–137. IEEE Computer Society (2001)
Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. LMS J. Comput. Math. 17(A), 49–70 (2014)
Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. In: Quantum Computation and Quantum Information: A Millennium Volume, vol. 305, pp. 53–74 (2002). Earlier version in arxiv:quant-ph/0005055
Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. ACM SIGACT News (Cryptology Column) 28, 14–19 (1997)
Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. LMS J. Comput. Math. 19, 146–162 (2016)
Chen, Y., Chung, K.-M., Lai, C.-Y.: Space-efficient classical and quantum algorithms for the shortest vector problem. arXiv e-prints, August 2017
Cramer, R., Ducas, L., Wesolowski, B.: Short Stickelberger class relations and application to Ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_12
Dadush, D., Regev, O., Stephens-Davidowitz, N.: On the closest vector problem with a distance guarantee. In: 2014 IEEE 29th Conference on Computational Complexity (CCC), pp. 98–109, June 2014
Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5
Le Gall, F.: Improved quantum algorithm for triangle finding via combinatorial arguments. In: 2014 IEEE 55th Annual Symposium on Foundations of Computer Science, FOCS 2014, pp. 216–225, October 2014
Giovannetti, V., Lloyd, S., Maccone, L.: Quantum random access memory. Phys. Rev. Lett. 100, 160501 (2008)
Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, STOC 1996, pp. 212–219 (1996)
Herold, G., Kirshanova, E.: Improved algorithms for the approximate \(k\)-list problem in Euclidean norm. In: PKC 2017, pp. 16–40 (2017)
Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time-memory trade-offs for tuple lattice sieving. In: Public-Key Cryptography - PKC 2018, pp. 407–436 (2018)
Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC 1983, pp. 193–206 (1983)
Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)
Kaye, P., Laflamme, R., Mosca, M.: An Introduction to Quantum Computing. Oxford University Press, Oxford (2007)
Kirshanova, E., Mårtensson, E., Postlethwaite, E.W., Moulik, S.R.: Quantum algorithms for the approximate \(k\)-list problem and their application to lattice sieving. Cryptology ePrint Archive, Report 2019/1016 (2019). https://eprint.iacr.org/2019/1016
Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC-2013, pp. 20–34 (2013)
Laarhoven, T.: Search problems in cryptography. PhD thesis, Eindhoven University of Technology (2015)
Le Gall, F., Nakajima, S.: Quantum algorithm for triangle finding in sparse graphs. Algorithmica 79(3), 941–959 (2017)
Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Designs, Codes and Cryptography 77(2), 375–400 (2015)
Maplesoft, a division of Waterloo Maple Inc., Waterloo, Ontario: Maple 2016.0, standard worksheet interface (2016)
Montanaro, A.: Quantum-walk speedup of backtracking algorithms. Theory Comput. 14(15), 1–24 (2018)
Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, pp. 1468–1480 (2010)
Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptology 2(2), 181–207 (2008)
Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_24
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93 (2005)
Regev, O.: Lecture notes: lattices in computer science (2009). http://www.cims.nyu.edu/~regev/teaching/lattices_fall_2009/index.html. Accessed 30 Apr 2019
Teruya, T., Kashiwabara, K., Hanaoka, G.: Fast lattice basis reduction suitable for massive parallelization and its application to the shortest vector problem. In: PKC 2018, pp. 437–460 (2018)
Acknowledgements
Most of this work was done while EK was at ENS de Lyon, supported by ERC Starting Grant ERC-2013-StG-335086-LATTAC and by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701). EM is supported by the Swedish Research Council (grant 2015-04528) and the Swedish Foundation for Strategic Research (grant RIT17-0005). EWP is supported by the EPSRC and the UK government (grant EP/P009301/1). SRM is supported by the Clarendon Scholarship, Google-DeepMind Scholarship and Keble Sloane–Robinson Award.
We are grateful to the organisers of the Oxford Post-Quantum Cryptography Workshop held at the Mathematical Institute, University of Oxford, March 18–22, 2019, for arranging the session on Quantum Cryptanalysis, where this work began. We would like to acknowledge the fruitful discussions we had with Gottfried Herold during this session.
Finally, we would like to thank the AsiaCrypt’19 reviewers, whose constructive comments helped to improve the quality of this paper.
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Kirshanova, E., Mårtensson, E., Postlethwaite, E.W., Moulik, S.R. (2019). Quantum Algorithms for the Approximate k-List Problem and Their Application to Lattice Sieving. In: Galbraith, S., Moriai, S. (eds.) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science, vol. 11921. Springer, Cham. https://doi.org/10.1007/978-3-030-34578-5_19
DOI: https://doi.org/10.1007/978-3-030-34578-5_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34577-8
Online ISBN: 978-3-030-34578-5