Solving the Shortest Vector Problem in Lattices Faster Using Quantum Search

By applying Grover's quantum search algorithm to the lattice algorithms of Micciancio and Voulgaris, Nguyen and Vidick, Wang et al., and Pujol and Stehlé, we obtain improved asymptotic quantum results for solving the shortest vector problem. With quantum computers we can provably find a shortest vector in time 2^(1.799n + o(n)), improving upon the classical time complexity of 2^(2.465n + o(n)) of Pujol and Stehlé and the 2^(2n + o(n)) of Micciancio and Voulgaris, while heuristically we expect to find a shortest vector in time 2^(0.312n + o(n)), improving upon the classical time complexity of 2^(0.384n + o(n)) of Wang et al. These quantum complexities will be an important guide for the selection of parameters for post-quantum cryptosystems based on the hardness of the shortest vector problem.

Keywords: lattices; shortest vector problem; sieving; quantum algorithms; quantum search
