
Lattice Sieving via Quantum Random Walks

  • Conference paper
Advances in Cryptology – ASIACRYPT 2021 (ASIACRYPT 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13093)

Abstract

Lattice-based cryptography is one of the leading proposals for post-quantum cryptography. The Shortest Vector Problem (SVP) is arguably the most important problem for the cryptanalysis of lattice-based cryptography, and many lattice-based schemes have security claims based on its hardness. The best quantum algorithm for the SVP is due to Laarhoven [Laa16] and runs in (heuristic) time \(2^{0.2653d + o(d)}\). In this article, we improve on Laarhoven’s result and present an algorithm with a (heuristic) running time of \(2^{0.2570 d + o(d)}\), where \(d\) is the lattice dimension. We also present time-memory trade-offs in which we quantify the amount of quantum memory and quantum random access memory used by our algorithm. The core idea is to replace Grover’s algorithm, used in [Laa16] in a key part of the sieving algorithm, by a quantum random walk to which we add a layer of locality-sensitive filtering.


Notes

  1. The SVP challenge can be accessed at https://www.latticechallenge.org/svp-challenge.

  2. At this stage, there are 3 encryption schemes/key encapsulation mechanisms: KYBER, NTRU and SABER, as well as two signature schemes: DILITHIUM and FALCON.

  3. We are talking here only about the asymptotic running time; there are other metrics of interest that have been covered in [KMPM19, AGPS20], where there were some improvements.

  4. We remain a bit imprecise and informal here as we haven’t properly described sieving algorithms yet.

  5. We are only interested in asymptotic running time here, so we are not interested in the choice of this universal gate set, as they are all essentially equivalent by the Solovay-Kitaev theorem (see [NC00], Appendix 3).

  6. For a regular graph, if \(\lambda _1> \dots > \lambda _{|V|}\) are the eigenvalues of the normalized adjacency matrix of G, then \(\delta = \lambda _1 - \max _{i = 2 \dots n} |\lambda _i|\).

  7. We consider a global ordering of elements of \(L_y\), for example with respect to their index, and \(J^v(\vec {t}_i)\) consists of the \(2N^{c_2}\) elements of \({J}^v(\vec {t}_i)\) which are the smallest with respect to this ordering.

  8. This problem arises in several quantum random walk algorithms, for example for quantum subset-sum algorithms. One solution is to use a heuristic that essentially claims that we can use the average running time of the update cost instead of the worst case. In our case, we don’t need this heuristic as we manage to bound the update cost in the worst case. We refer to [BBSS20] for an interesting discussion on the topic.

References

  1. Arunachalam, S., Gheorghiu, V., Jochym-O’Connor, T., Mosca, M., Srinivasan, P.V.: On the robustness of bucket brigade quantum RAM. New J. Phys. 17(12), 123010 (2015)


  2. Albrecht, M.R., Gheorghiu, V., Postlethwaite, E.W., Schanck, J.M.: Estimating quantum speedups for lattice sieves. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 583–613. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_20


  3. Andoni, A., Indyk, P., Nguyên, H.L., Razenshteyn, I.: Beyond locality-sensitive hashing. In: SODA, pp. 1018–1028 (2014)


  4. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, STOC’96, pp. 99–108. Association for Computing Machinery, New York, NY, USA (1996)


  5. Ajtai, M.: The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract). In: 30th Annual ACM Symposium on Theory of Computing Proceedings, pp. 10–19 (1998)


  6. Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007)


  7. Andoni, A., Razenshteyn, I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC, pp. 793–801 (2015)


  8. Bonnetain, X., Bricout, R., Schrottenloher, A., Shen, Y.: Improved classical and quantum algorithms for subset-sum. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 633–666. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_22


  9. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the 2016 Annual ACM-SIAM Symposium on Discrete Algorithms (2016)


  10. Bernstein, D.J., Jeffery, S., Lange, T., Meurer, A.: Quantum algorithms for the subset-sum problem. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 16–33. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_2


  11. Becker, A., Laarhoven, T.: Efficient (ideal) lattice sieving using cross-polytope LSH. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 3–23. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_1


  12. Chen, C., et al.: NTRU. Round-3 submission to the NIST PQC project (2019)


  13. Charikar, M.S.: Similarity estimation techniques from rounding algorithms. In: STOC, pp. 380–388 (2002)


  14. Ducas, L., et al.: Crystals-dilithium, algorithm specifications and supporting documentation. Round-3 submission to the NIST PQC project (2019)


  15. de Wolf, R.: Quantum computing: Lecture notes (2019)


  16. Fouque, P.-A., et al.: Falcon: fast-fourier lattice-based compact signatures over NTRU. Round-3 submission to the NIST PQC project (2019)


  17. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)


  18. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC ’09, pp. 169–178. Association for Computing Machinery, New York, NY, USA (2009)


  19. Giovannetti, V., Lloyd, S., Maccone, L.: Quantum random access memory. Phys. Rev. Lett. 100, 160501 (2008)


  20. Grover, L.: A fast quantum mechanical algorithm for database search. In: Proceedings 28th Annual ACM Symposium on the Theory of Computing STOC, pp. 212–219 (1996)


  21. Helm, A., May, A.: Subset sum quantumly in 1.17\(^{\text{n}}\). In: Jeffery, S., (ed.), 13th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2018, 16–18 July 2018, Sydney, Australia, volume 111 of LIPIcs, pp. 5:1–5:15. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2018)


  22. Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: STOC, pp. 604–613 (1998)


  23. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proceedings of the 15th Symposium on the Theory of Computing (STOC), pp. 99–108. ACM Press (1983)


  24. Klein, P.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)


  25. Kirshanova, E., Martensson, E., Postlethwaite, E.W., Moulik, S.R.: Quantum algorithms for the approximate k-list problem and their application to lattice sieving. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 521–551. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_19


  26. Kachigar, G., Tillich, J.-P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 69–89. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_5


  27. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1


  28. Laarhoven, T.: Search problems in cryptography, from fingerprinting to lattice sieving. Ph.D. thesis, Eindhoven University of Technology (2016)


  29. Laarhoven, T., de Weger, B.: Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 101–118. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_6


  30. Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 513–534 (1982)


  31. Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Cryptogr. 77(2–3), 375–400 (2015)


  32. Magniez, F., Nayak, A., Roland, J., Santha, M.: Search via quantum walk. SIAM J. Comput. 40(1), 142–164 (2011)


  33. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)


  34. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, New York, NY, USA (2000)


  35. Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Crypt. 2, 181–207 (2008)


  36. Pohst, M.E.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. ACM SIGSAM Bull. 15(1), 37–44 (1981)


  37. Tulsiani, M., Kundu, S.K., Mitzenmacher, M., Upfal, E., Spencer, J.H.: Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, Cambridge (2013)


  38. Terasawa, K., Tanaka, Y.: Spherical LSH for approximate nearest neighbor search on unit hypersphere. In: Dehne, F., Sack, J.-R., Zeh, N. (eds.) WADS 2007. LNCS, vol. 4619, pp. 27–38. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73951-7_4


  39. Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’11, pp. 1–9. Association for Computing Machinery, New York, NY, USA (2011)


  40. Zhang, F., Pan, Y., Hu, G.: A three-level sieve algorithm for the shortest vector problem. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 29–47. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_2


Acknowledgments and Paths for Improvements

The authors want to thank Simon Apers for helpful discussions about quantum random walks, in particular about the fact that there are no better generic algorithms for finding k different marked elements than to run the whole random walk (including the setup) O(k) times. There could however be a smarter way to do this in our setting which would improve the overall complexity of our algorithm. Another possible improvement would be to embed the local sensitivity property in the graph on which we perform the random walk instead of working on the Johnson graph.

Author information


Correspondence to André Chailloux or Johanna Loyer.


Copyright information

© 2021 International Association for Cryptologic Research

About this paper


Cite this paper

Chailloux, A., Loyer, J. (2021). Lattice Sieving via Quantum Random Walks. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2021. ASIACRYPT 2021. Lecture Notes in Computer Science, vol 13093. Springer, Cham. https://doi.org/10.1007/978-3-030-92068-5_3


  • DOI: https://doi.org/10.1007/978-3-030-92068-5_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92067-8

  • Online ISBN: 978-3-030-92068-5

  • eBook Packages: Computer Science (R0)
