Finding shortest lattice vectors faster using quantum search

Thijs Laarhoven; Michele Mosca; Joop van de Pol

doi:10.1007/s10623-015-0067-5

Download PDF (641 KB) View Article

Article

Designs, Codes and Cryptography

December 2015, Volume 77, Issue 2, pp 375-400

First online: 14 April 2015

Open Access This content is freely available online to anyone, anywhere at any time.

Finding shortest lattice vectors faster using quantum search

Thijs LaarhovenAffiliated withEindhoven University of Technology Email author
, Michele MoscaAffiliated withInstitute for Quantum Computing and Department of Combinatorics & Optimization, University of WaterlooPerimeter Institute for Theoretical PhysicsCanadian Institute for Advanced Research
, Joop van de PolAffiliated withUniversity of Bristol

Download PDF (641 KB)

View Article

Abstract

By applying a quantum search algorithm to various heuristic and provable sieve algorithms from the literature, we obtain improved asymptotic quantum results for solving the shortest vector problem on lattices. With quantum computers we can provably find a shortest vector in time \(2^{1.799n + o(n)}\), improving upon the classical time complexities of \(2^{2.465n + o(n)}\) of Pujol and Stehlé and the \(2^{2n + o(n)}\) of Micciancio and Voulgaris, while heuristically we expect to find a shortest vector in time \(2^{0.268n + o(n)}\), improving upon the classical time complexity of \(2^{0.298n + o(n)}\) of Laarhoven and De Weger. These quantum complexities will be an important guide for the selection of parameters for post-quantum cryptosystems based on the hardness of the shortest vector problem.

Keywords

Lattices Shortest vector problem Sieving Quantum search

Mathematics Subject Classification

52C07 68W01 81P68 94A60

This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Cryptography, Codes, Designs and Finite Fields: In Memory of Scott A. Vanstone”.

A preliminary version of this paper was published at PQCrypto 2013 [50].

Page %P

Close Plain text

Look
Inside

Article Metrics

Citations

Other actions

Export citation
Register for Journal Updates
About This Journal
Reprints and Permissions
Add to Papers

Share this content on Facebook Share this content on Twitter Share this content on LinkedIn

References

1.
Aggarwal D., Dadush D., Regev O., Stephens-Davidowitz N.: Solving the shortest vector problem in \(2^n\) time via discrete Gaussian sampling. In: STOC (2015).
2.
Ajtai M.: The shortest vector problem in \(L_2\) is NP-hard for randomized reductions. In: STOC, pp. 10–19 (1998).
3.
Ajtai M., Kumar R., Sivakumar D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001).
4.
Ambainis A.: Quantum walk algorithm for element distinctness. In: FOCS, pp. 22–31 (2003).
5.
Andoni A., Indyk P., Nguyen H.L., Razenshteyn I.: Beyond locality-sensitive hashing. In: SODA, pp. 1018–1028 (2014).
6.
Andoni A., Razenshteyn I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC (2015).
7.
Antipa A., Brown D., Gallant R., Lambert R., Struik R., Vanstone S.: Accelerated verification of ECDSA signatures. In: SAC, pp. 307–318 (2006).
8.
Aono Y., Naganuma K.: Heuristic improvements of BKZ 2.0. IEICE. Tech. Rep. 112(211), 15–22 (2012).
9.
Becker A., Gama N., Joux A.: A sieve algorithm based on overlattices. In: ANTS, pp. 49–70 (2014).
10.
Bennett C.H., Bernstein E., Brassard G., Vazirani V.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997).
11.
Bernstein D.J.: Cost analysis of hash collisions: will quantum computers make SHARCs obsolete? In: SHARCS (2009).
12.
Bernstein D.J., Buchmann J., Dahmen E. (eds.): Post-quantum Cryptography. Springer, Heidelberg (2008).
13.
Blake I.F., Fuji-Hara R., Mullin R.C., Vanstone S.A.: Computing logarithms in finite fields of characteristic two. SIAM J. Algebraic Discrete Methods 5(2), 276–285 (1984).
14.
Boneh D., Venkatesan R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: CRYPTO, pp. 129–142 (1996).
15.
Boyer M., Brassard G., Høyer P., Tapp A.: Tight bounds on quantum searching. Fortschr. Phys. 46, 493–505 (1998).
16.
Brakerski Z., Gentry C., Vaikuntanathan V.: Fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325 (2012).
17.
Brassard G., Høyer P., Tapp A.: Quantum cryptanalysis of hash and claw-free functions. In: LATIN, pp. 163–169 (1998).
18.
Brassard G., Høyer P., Mosca M., Tapp A.: Quantum amplitude amplification and estimation. In: AMS Contemporary Mathematics Series Millennium Volume Entitled Quantum Computation & Information, vol. 305 (2002).
19.
Buhrman B., Dürr C., Heiligman M., Høyer P., Magniez F., Santha M., de Wolf R.: Quantum algorithms for element distinctness. SIAM J. Comput. 34(6), 1324–1330 (2005).
20.
Charikar M.S.: Similarity estimation techniques from rounding algorithms. In: STOC, pp. 380–388 (2002).
21.
Chen Y., Nguyen P.Q.: BKZ 2.0: better lattice security estimates. In: ASIACRYPT, pp. 1–20 (2011).
22.
Childs A.M., Van Dam W.: Quantum algorithms for algebraic problems. Rev. Mod. Phys. 82, 1–52 (2010).
23.
Childs A.M., Jao D., Soukharev V.: Constructing elliptic curve isogenies in quantum subexponential time. arXiv:1012.4019 (2010).
24.
Coppersmith D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997).
25.
Coster M.J., Joux A., LaMacchia B.A., Odlyzko A.M., Schnorr C.P., Stern J.: Improved low-density subset sum algorithms. Comput. Complex. 2(2), 111–128 (1992).
26.
Ducas L., Durmus A., Lepoint T., Lyubashevsky V.: Lattice signatures and bimodal Gaussians. In: CRYPTO, pp. 40–56 (2013).
27.
Fincke U., Pohst M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44, 463–471 (1985).
28.
Galbraith S.D., Scott M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Pairing-Based Cryptography, pp. 211–224. Springer, Berlin (2008).
29.
Gallant R.P., Lambert R.J., Vanstone S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: CRYPTO, pp. 190–200 (2001).
30.
Gama N., Nguyen P.Q.: Predicting lattice reduction. In: EUROCRYPT, pp. 31–51 (2008).
31.
Gama N., Nguyen P.Q., Regev O.: Lattice enumeration using extreme pruning. In: EUROCRYPT, pp. 257–278 (2010).
32.
Gentry C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009).
33.
Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008).
34.
Giovannetti V., Lloyd S., Maccone L.: Quantum random access memory. Phys. Rev. Lett. 100, 160501 (2008).
35.
Grover L.K.: A fast quantum mechanical algorithm for database search. In: STOC, pp. 212–219 (1996).
36.
Grover L.K., Rudolph T.: How significant are the known collision and element distinctness quantum algorithms? Quantum Inf. Comput. 4(3), 201–206 (2004).
37.
Hallgren S.: Polynomial-time quantum algorithms for Pell’s equation and the principal ideal problem. J. ACM 54(1), 653–658 (2007).
38.
Hanrot G., Pujol X., Stehlé D.: Algorithms for the shortest and closest lattice vector problems. In: IWCC, pp. 159–190 (2011).
39.
Hoffstein J., Pipher J., Silverman J.: NTRU: a ring-based public key cryptosystem. In: ANTS, pp. 267–288 (1998).
40.
Ishiguro T., Kiyomoto S., Miyake Y., Takagi T.: Parallel Gauss Sieve algorithm: solving the SVP challenge over a \(128\)-dimensional ideal lattice. In: PKC, pp. 411–428 (2014).
41.
Jeffery S.: Collision finding with many classical or quantum processors. Master’s thesis, University of Waterloo (2011).
42.
Kabatiansky G., Levenshtein V.I.: On bounds for packings on a sphere and in space. Problemy Peredachi Informacii 14(1), 3–25 (1978).
43.
Kannan R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983).
44.
Khot S.: Hardness of approximating the shortest vector problem in lattices. J. ACM 52(5), 789–808 (2005).
45.
Kuperberg G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005).
46.
Kuperberg G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. arXiv, Report 1112/3333, pp. 1–10 (2011).
47.
Laarhoven T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. Cryptology ePrint Archive, Report 2014/744 (2014).
48.
Laarhoven T., De Weger B.: Sieving for shortest lattice vectors in time \(2^{0.298n}\) using spherical locality-sensitive hashing. Cryptology ePrint Archive, Report 2015/211 (2015).
49.
Laarhoven T., van de Pol J., de Weger B.: Solving hard lattice problems and the security of lattice-based cryptosystems. Cryptology ePrint Archive, Report 2012/533 (2012).
50.
Laarhoven T., Mosca M., van de Pol J.: Solving the shortest vector problem in lattices faster using quantum search. In: PQCrypto, pp. 83–101 (2013).
51.
Lagarias J.C., Odlyzko A.M.: Solving low-density subset sum problems. J. ACM 32(1), 229–246 (1985).
52.
Lenstra A.K., Lenstra H., Lovász L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982).
53.
Lindner R., Rückert M., Baumann P., Nobach L.: Lattice challenge. Online at http://www.latticechallenge.org/ (2014).
54.
Liu M., Wang X., Xu G., Zheng X.: Shortest lattice vectors in the presence of gaps. Cryptology ePrint Archive, Report 2011/039 (2011).
55.
Ludwig C.: A faster lattice reduction method using quantum search. In: ISAAC, pp. 199–208 (2003).
56.
Lyubashevsky V.: Lattice signatures without trapdoors. In: EUROCRYPT, pp. 738–755 (2012).
57.
Menezes A.J., van Oorschot P.C., Vanstone S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996).
58.
Micciancio D., Voulgaris P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010).
59.
Micciancio D., Voulgaris P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010).
60.
Micciancio D., Peikert C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: EUROCRYPT, pp. 700–718 (2012).
61.
Mosca M.: Quantum algorithms. In: Encyclopedia of Complexity and Systems Science, pp. 7088–7118. Springer, New York (2009).
62.
Nguyen P.Q., Vidick T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptogr. 2(2), 181–207 (2008).
63.
Plantard T., Schneider M.: Ideal lattice challenge. Online at http://latticechallenge.org/ideallattice-challenge/ (2014).
64.
Pohst M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. ACM SIGSAM Bull. 15(1), 37–44 (1981).
65.
Pujol X., Stehlé D.: Solving the shortest lattice vector problem in time \(2^{2.465n}\). Cryptology ePrint Archive, Report 2009/605 (2009).
66.
Qu M., Vanstone S.A.: The knapsack problem in cryptography. Finite Fields 168, 291–308 (1994).
67.
Regev O.: Lattices in computer science. Lecture notes for a course at the Tel Aviv University (2004).
68.
Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005).
69.
Santha M.: Quantum walk based search algorithms. In: TAMC, pp. 31–46 (2008).
70.
Schneider M.: Sieving for short vectors in ideal lattices. In: AFRICACRYPT, pp. 375–391 (2013).
71.
Schneider M., Gama N., Baumann P., Nobach L.: SVP challenge. Online at http://latticechallenge.org/svp-challenge (2014).
72.
Schnorr C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2–3), 201–224 (1987).
73.
Schnorr C.P., Euchner M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2–3), 181–199 (1994).
74.
Schnorr C.P.: Lattice reduction by random sampling and birthday methods. In: STACS, pp. 145–156 (2003).
75.
Shor P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).
76.
Smith J., Mosca M.: Algorithms for quantum computers. In: Handbook of Natural Computing, pp. 1451–1492. Springer, Berlin (2012).
77.
van de Pol J.: Lattice-based cryptography. Master’s thesis, Eindhoven University of Technology (2011).
78.
Vanstone S.A., Zuccherato R.J.: Short RSA keys and their generation. J. Cryptol. 8(2), 101–114 (1995).
79.
Wang X., Liu M., Tian C., Bi J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011).
80.
Zhang F., Pan Y., Hu G.: A three-level sieve algorithm for the shortest vector problem. In: SAC, pp. 29–47 (2013).

Title

Finding shortest lattice vectors faster using quantum search

Open Access

Available under Open Access This content is freely available online to anyone, anywhere at any time.

Journal

Designs, Codes and Cryptography
Volume 77, Issue 2-3 , pp 375-400

Cover Date

2015-12

DOI

10.1007/s10623-015-0067-5

Print ISSN

0925-1022

Online ISSN

1573-7586

Publisher

Springer US

Additional Links

Register for Journal Updates
Editorial Board
About This Journal
Manuscript Submission

Topics

Combinatorics
Coding and Information Theory
Data Structures, Cryptology and Information Theory
Data Encryption
Discrete Mathematics in Computer Science
Information and Communication, Circuits

Keywords

Lattices
Shortest vector problem
Sieving
Quantum search
52C07
68W01
81P68
94A60

Industry Sectors

Automotive
Electronics
IT & Software
Telecommunications
Aerospace
Engineering

Authors

Thijs Laarhoven ⁽¹⁾
Michele Mosca ⁽²⁾ ⁽³⁾ ⁽⁴⁾
Joop van de Pol ⁽⁵⁾

Author Affiliations

1. Eindhoven University of Technology, Eindhoven, The Netherlands
2. Institute for Quantum Computing and Department of Combinatorics & Optimization, University of Waterloo, Waterloo, ON, Canada
3. Perimeter Institute for Theoretical Physics, Waterloo, ON, Canada
4. Canadian Institute for Advanced Research, Toronto, Canada
5. University of Bristol, Bristol, UK

Continue reading...

To view the rest of this content please follow the download PDF link above.

Finding shortest lattice vectors faster using quantum search