Advertisement

Quantum Algorithms for the Approximate k-List Problem and Their Application to Lattice Sieving

  • Elena KirshanovaEmail author
  • Erik Mårtensson
  • Eamonn W. Postlethwaite
  • Subhayan Roy Moulik
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11921)

Abstract

The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a d-dimensional lattice in \(2^{\mathsf {c}d + o(d)}\) time steps with \(2^{\mathsf {c}' d + o(d)}\) memory for constants \(c, c'\). In this work, we give various quantum sieving algorithms that trade computational steps for memory.

We first give a quantum analogue of the classical k-Sieve algorithm [Herold–Kirshanova–Laarhoven, PKC’18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in \(2^{0.2989d + o(d)}\) time steps using \(2^{0.1395d + o(d)}\) memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D Thesis, 2015] which, in the same model, solves SVP in \(2^{0.2653d + o(d)}\) time steps and memory. In the QRAM model these algorithms can be implemented using \(\mathrm {poly}(d)\) width quantum circuits.

Secondly, we frame the k-Sieve as the problem of k-clique listing in a graph and apply quantum k-clique finding techniques to the k-Sieve.

Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A’13] to the 2-Sieve, and give an analysis in the quantum circuit model. We show how to solve SVP in \(2^{0.1037d + o(d)}\) time steps using \(2^{0.2075d + o(d)}\) quantum memory.

Notes

Acknowledgements

Most of this work was done while EK was at ENS de Lyon, supported by ERC Starting Grant ERC-2013-StG-335086-LATTAC and by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701). EM is supported by the Swedish Research Counsel (grant 2015-04528) and the Swedish Foundation for Strategic Research (grant RIT17-0005). EWP is supported by the EPSRC and the UK government (grant EP/P009301/1). SRM is supported by the Clarendon Scholarship, Google-DeepMind Scholarship and Keble Sloane–Robinson Award.

We are grateful to the organisers of the Oxford Post-Quantum Cryptography Workshop held at the Mathematical Institute, University of Oxford, March 18–22, 2019, for arranging the session on Quantum Cryptanalysis, where this work began. We would like to acknowledge the fruitful discussions we had with Gottfried Herold during this session.

Finally, we would like to thank the AsiaCrypt’19 reviewers, whose constructive comments helped to improve the quality of this paper.

References

  1. [AD97]
    Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: STOC 1997, pp. 284–293 (1997)Google Scholar
  2. [ADH+19]
    Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-17656-3_25CrossRefGoogle Scholar
  3. [ADRSD15]
    Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time using discrete Gaussian sampling: extended abstract. In: STOC 2015, pp. 733–742 (2015)Google Scholar
  4. [AGJO+15]
    Arunachalam, S., Gheorghiu, V., Jochym-O’Connor, T., Mosca, M., Srinivasan, P.V.: On the robustness of bucket brigade quantum RAM. New J. Phys. 17(12), 123010 (2015)CrossRefGoogle Scholar
  5. [AKS01]
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, STOC 2001, pp. 601–610 (2001)Google Scholar
  6. [ANS18]
    Aono, Y., Nguyen, P.Q., Shen, Y.: Quantum lattice enumeration and tweaking discrete pruning. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 405–434. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03326-2_14CrossRefGoogle Scholar
  7. [BBG+13]
    Beals, R., et al.: Efficient distributed quantum computing. Proc. R. Soc. A 469(2153), 20120686 (2013)MathSciNetCrossRefGoogle Scholar
  8. [BBHT98]
    Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschritte der Physik 46(4–5), 493–505 (1998)CrossRefGoogle Scholar
  9. [BDGL16]
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2016, pp. 10–24 (2016)Google Scholar
  10. [BdWD+01]
    Buhrman, H., et al.: Quantum algorithms for element distinctness. In: Proceedings of the 16th Annual Conference on Computational Complexity, CCC 2001, Washington, DC, USA, pp. 131–137. IEEE Computer Society (2001)Google Scholar
  11. [BGJ14]
    Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. LMS J. Comput. Math. 17(A), 49–70 (2014)MathSciNetCrossRefGoogle Scholar
  12. [BHMT02]
    Brassard, G., Høyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. In: Quantum Computation and Quantum Information: A Millennium Volume, vol. 305, pp. 53–74 (2002). Earlier version in arxiv:quant-ph/0005055
  13. [BHT97]
    Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. ACM SIGACT News (Cryptology Column) 28, 14–19 (1997)CrossRefGoogle Scholar
  14. [BLS16]
    Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. LMS J. Comput. Math. 19, 146–162 (2016)MathSciNetCrossRefGoogle Scholar
  15. [CCL17]
    Chen, Y., Chung, K.-M., Lai, C.-Y.: Space-efficient classical and quantum algorithms for the shortest vector problem. arXiv e-prints, August 2017Google Scholar
  16. [CDW17]
    Cramer, R., Ducas, L., Wesolowski, B.: Short Stickelberger class relations and application to Ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56620-7_12CrossRefGoogle Scholar
  17. [DRS14]
    Dadush, D., Regev, O., Stephens-Davidowitz, N.: On the closest vector problem with a distance guarantee. In: 2014 IEEE 29th Conference on Computational Complexity (CCC), pp. 98–109, June 2014Google Scholar
  18. [Duc18]
    Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78381-9_5CrossRefGoogle Scholar
  19. [Gal14]
    Gall, F.L.: Improved quantum algorithm for triangle finding via combinatorial arguments. In: 2014 IEEE 55th Annual Symposium on Foundations of Computer Science, pp. 216–225, October 2014Google Scholar
  20. [GLM08]
    Giovannetti, V., Lloyd, S., Maccone, L.: Quantum random access memory. Phys. Rev. Lett. 100, 160501 (2008)MathSciNetCrossRefGoogle Scholar
  21. [GNR10]
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_13CrossRefGoogle Scholar
  22. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, STOC 1996, pp. 212–219 (1996)Google Scholar
  23. [HK17]
    Herold, G., Kirshanova, E.: Improved algorithms for the approximate \(k\)-list problem in Euclidean norm. In: PKC 2017, pp. 16–40 (2017)Google Scholar
  24. [HKL18]
    Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time-memory trade-offs for tuple lattice sieving. In: Public-Key Cryptography - PKC 2018, pp. 407–436 (2018)CrossRefGoogle Scholar
  25. [Kan83]
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC 1983, pp. 193–206 (1983)Google Scholar
  26. [Kle00]
    Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)Google Scholar
  27. [KLM07]
    Kaye, P., Laflamme, R., Mosca, M.: An Introduction to Quantum Computing. Oxford University Press, Oxford (2007)zbMATHGoogle Scholar
  28. [KMPR19]
    Kirshanova, E., Mårtensson, E., Postlethwaite, E.W., Moulik, S.R.: Quantum algorithms for the approximate \(k\)-list problem and their application to lattice sieving. Cryptology ePrint Archive, Report 2019/1016 (2019). https://eprint.iacr.org/2019/1016
  29. [Kup13]
    Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: TQC-2013, pp. 20–34 (2013)Google Scholar
  30. [Laa15]
    Laarhoven, T.: Search problems in cryptography. PhD thesis, Eindhoven University of Technology (2015)Google Scholar
  31. [LGN17]
    Le Gall, F., Nakajima, S.: Quantum algorithm for triangle finding in sparse graphs. Algorithmica 79(3), 941–959 (2017)MathSciNetCrossRefGoogle Scholar
  32. [LMvdP15]
    Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Designs, Codes and Cryptography 77(2), 375–400 (2015)MathSciNetCrossRefGoogle Scholar
  33. [Map]
    Maplesoft, a division of Waterloo Maple Inc., Waterloo, Ontario. Standard worksheet interface, Maple 2016.0, feb. frm[o]-7 2016Google Scholar
  34. [Mon18]
    Montanaro, A.: Quantum-walk speedup of backtracking algorithms. Theory Comput. 14(15), 1–24 (2018)MathSciNetCrossRefGoogle Scholar
  35. [MV10]
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, pp. 1468–1480 (2010)Google Scholar
  36. [NV08]
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptology 2(2), 181–207 (2008)MathSciNetCrossRefGoogle Scholar
  37. [PMHS19]
    Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-17656-3_24CrossRefGoogle Scholar
  38. [Reg05]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93 (2005)Google Scholar
  39. [Reg09]
    Regev, O.: Lecture notes: lattices in computer science (2009). http://www.cims.nyu.edu/~regev/teaching/lattices_fall_2009/index.html. Accessed 30 Apr 2019
  40. [TKH18]
    Teruya, T., Kashiwabara, K., Hanaoka, G.: Fast lattice basis reduction suitable for massive parallelization and its application to the shortest vector problem. In: PKC 2018, pp. 437–460 (2018)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Elena Kirshanova
    • 1
    Email author
  • Erik Mårtensson
    • 2
  • Eamonn W. Postlethwaite
    • 3
  • Subhayan Roy Moulik
    • 4
  1. 1.I. Kant Baltic Federal UniversityKaliningradRussia
  2. 2.Department of Electrical and Information TechnologyLund UniversityLundSweden
  3. 3.Information Security GroupRoyal Holloway, University of LondonEghamUK
  4. 4.Department of Computer ScienceUniversity of OxfordOxfordUK

Personalised recommendations