On the Quantum Complexity of the Continuous Hidden Subgroup Problem

  • Koen de BoerEmail author
  • Léo Ducas
  • Serge FehrEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12106)


The Hidden Subgroup Problem (HSP) aims at capturing all problems that are susceptible to be solvable in quantum polynomial time following the blueprints of Shor’s celebrated algorithm. Successful solutions to this problems over various commutative groups allow to efficiently perform number-theoretic tasks such as factoring or finding discrete logarithms.

The latest successful generalization (Eisenträger et al. STOC 2014) considers the problem of finding a full-rank lattice as the hidden subgroup of the continuous vector space \(\mathbb {R}^m\), even for large dimensions m. It unlocked new cryptanalytic algorithms (Biasse-Song SODA 2016, Cramer et al. EUROCRYPT 2016 and 2017), in particular to find mildly short vectors in ideal lattices.

The cryptanalytic relevance of such a problem raises the question of a more refined and quantitative complexity analysis. In the light of the increasing physical difficulty of maintaining a large entanglement of qubits, the degree of concern may be different whether the above algorithm requires only linearly many qubits or a much larger polynomial amount of qubits.

This is the question we start addressing with this work. We propose a detailed analysis of (a variation of) the aforementioned HSP algorithm, and conclude on its complexity as a function of all the relevant parameters. Our modular analysis is tailored to support the optimization of future specialization to cases of cryptanalytic interests. We suggest a few ideas in this direction.


Quantum algorithm Hidden subgroup Period finding Fourier transform Cryptanalysis 



We would like to thank Stacey Jeffery, Oded Regev and Ronald de Wolf for helpful discussions on the topic of this article.


  1. 1.
    Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen 296(4), 625–636 (1993).
  2. 2.
    Biasse, J.F., Song, F.: Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: Proceedings of the Twenty-Seventh Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 893–902. Society for Industrial and Applied Mathematics (2016)Google Scholar
  3. 3.
    de Boer, K., Ducas, L., Fehr, S.: On the quantum complexity of the continuous hidden subgroup problem. Cryptology ePrint Archive, Report 2019/716 (2019).
  4. 4.
    Buchmann, J., Kessler, V.: Computing a reduced lattice basis from a generating system, August 1996Google Scholar
  5. 5.
    Buchmann, J., Pohst, M.: Computing a lattice basis from a system of generating vectors. In: Davenport, J.H. (ed.) EUROCAL 1987. LNCS, vol. 378, pp. 54–63. Springer, Heidelberg (1989). Scholar
  6. 6.
    Chang, X., Stehlé, D., Villard, G.: Perturbation analysis of the QR factor R in the context of LLL lattice basis reduction. Math. Comput. 81(279), 1487–1511 (2012). Scholar
  7. 7.
    Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). Scholar
  8. 8.
    Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). Scholar
  9. 9.
    Deitmar, A., Echterhoff, S.: Principles of Harmonic Analysis, 2nd edn. Springer, Heidelberg (2016). Scholar
  10. 10.
    Ducas, L., Plançon, M., Wesolowski, B.: On the shortness of vectors to be found by the ideal-SVP quantum algorithm. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 322–351. Springer, Cham (2019). Scholar
  11. 11.
    Eisenträger, K., Hallgren, S., Kitaev, A., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: Proceedings of the Forty-Sixth Annual ACM Symposium on Theory of Computing, pp. 293–302. ACM (2014)Google Scholar
  12. 12.
    Graham, R.L., Knuth, D.E., Patashnik, O.: Concrete Mathematics: A Foundation for Computer Science, 2nd edn. Addison-Wesley Longman Publishing Co., Inc., Boston (1994)zbMATHGoogle Scholar
  13. 13.
    Grover, L., Rudolph, T.: Creating superpositions that correspond to efficiently integrable probability distributions. arXiv preprint quant-ph/0208112 (2002)Google Scholar
  14. 14.
    Hales, L., Hallgren, S.: An improved quantum Fourier transform algorithm and applications. In: Proceedings 41st Annual Symposium on Foundations of Computer Science, pp. 515–525, November 2000.
  15. 15.
    Hallgren, S.: Fast quantum algorithms for computing the unit group and class group of a number field. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, pp. 468–474. ACM (2005)Google Scholar
  16. 16.
    Hallgren, S.: Polynomial-time quantum algorithms for Pell’s equation and the principal ideal problem. J. ACM (JACM) 54(1), 4 (2007)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Heinonen, J.: Lectures on Lipschitz analysis.
  18. 18.
    Kitaev, A., Webb, W.A.: Wavefunction preparation and resampling using a quantum computer. arXiv preprint arXiv:0801.0342 (2008)
  19. 19.
    Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). Scholar
  21. 21.
    Miller, S.D., Stephens-Davidowitz, N.: Generalizations of Banaszczyk’s transference theorems and tail bound. arXiv preprint arXiv:1802.05708 (2018)
  22. 22.
    Mosca, M., Ekert, A.: The hidden subgroup problem and eigenvalue estimation on a quantum computer. In: Williams, C.P. (ed.) QCQC 1998. LNCS, vol. 1509, pp. 174–188. Springer, Heidelberg (1999). Scholar
  23. 23.
    National Institute of Standards and Technology: Post-quantum cryptography standardization (2017).
  24. 24.
    Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874–903 (2009)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information, 10th edn. Cambridge University Press, New York (2011)zbMATHGoogle Scholar
  26. 26.
    Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity. In: Proceedings of the Forty-Third Annual ACM Symposium on Theory of Computing, pp. 403–412. ACM (2011)Google Scholar
  27. 27.
    Pellet-Mary, A., Hanrot, G., Stehlé, D.: Approx-SVP in ideal lattices with pre-processing. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 685–716. Springer, Cham (2019). Scholar
  28. 28.
    Regev, O.: Lecture notes in ‘lattices in computer science’, November 2004Google Scholar
  29. 29.
    Regev, O.: Quantum computation and lattice problems. SIAM J. Comput. 33(3), 738–760 (2004)MathSciNetCrossRefGoogle Scholar
  30. 30.
    Reiter, M., Arthur, S.: Fourier transform & solobev spaces (lecture notes) (2008).
  31. 31.
    Schmidt, A., Vollmer, U.: Polynomial time quantum algorithm for the computation of the unit group of a number field. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, pp. 475–480. ACM (2005)Google Scholar
  32. 32.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)Google Scholar
  33. 33.
    Song, F.: Email, from September 2018Google Scholar
  34. 34.
    Song, F.: Quantum computing: a cryptographic perspective. Ph.D. thesis, The Pennsylvania State University (2013).
  35. 35.
    Villani, A.: Another note on the inclusion \(l^p(\mu ) \subset l^q(\mu )\). Am. Math. Monthly 92(7), 485–487 (1985).
  36. 36.
    Werner, D.: Funktionalanalysis. Springer, Heidelberg (2007)zbMATHGoogle Scholar
  37. 37.
    Yudin, V.A.: The multidimensional Jackson theorem. Math. Notes Acad. Sci. USSR 20(3), 801–804 (1976). Scholar

Copyright information

© International Association for Cryptologic Research 2020

Authors and Affiliations

  1. 1.Cryptology GroupCentrum Wiskunde & Informatica (CWI)AmsterdamThe Netherlands
  2. 2.Mathematical InstituteLeiden UniversityLeidenThe Netherlands

Personalised recommendations