A Faster Lattice Reduction Method Using Quantum Search

We propose a new lattice reduction method. Our algorithm approximates shortest lattice vectors up to a factor $\le (k/6)^{n/2k}$ and makes use of Grover's quantum search algorithm. The proposed method has the expected running time $O(n^3 (k/6)^{k/8} A + n^4 A)$. That is about the square root of the running time $O(n^3 (k/6)^{k/4} A + n^4 A)$ of Schnorr's recent random sampling reduction, which in turn improved the running time to the fourth root of previously known algorithms. Our result demonstrates that the availability of quantum computers will affect not only the security of cryptosystems based on integer factorization or discrete logarithms, but also that of lattice-based cryptosystems. Rough estimates based on our asymptotic improvements and experiments reported in [1] suggest that the NTRU security parameter would need to be increased from 503 to 1277 if a sufficiently large quantum computer were available nowadays.

[1] László Lovász, et al. Factoring polynomials with rational coefficients, 1982.

[2] C. P. Schnorr, et al. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms, 1987, Theor. Comput. Sci.

[3] Ravi Kannan, et al. Minkowski's Convex Body Theorem and Integer Programming, 1987, Math. Oper. Res.

[4] Claus-Peter Schnorr, et al. Lattice basis reduction: Improved practical algorithms and solving subset sum problems, 1991, FCT.

[5] Lov K. Grover. A fast quantum mechanical algorithm for database search, 1996, STOC '96.

[6] Oded Goldreich, et al. Public-Key Cryptosystems from Lattice Reduction Problems, 1996, CRYPTO.

[7] Gilles Brassard, et al. Tight bounds on quantum searching, 1996, quant-ph/9605034.

[8] Cynthia Dwork, et al. A public-key cryptosystem with worst-case/average-case equivalence, 1997, STOC '97.

[9] Burton S. Kaliski. Advances in Cryptology - CRYPTO '97, 1997.

[10] Gilles Brassard, et al. Quantum cryptanalysis of hash and claw-free functions, 1997, SIGA.

[11] Joseph H. Silverman, et al. NTRU: A Ring-Based Public Key Cryptosystem, 1998, ANTS.

[12] Jeffrey Shallit, et al. Algorithmic Number Theory, 1996, Lecture Notes in Computer Science.

[13] Miklós Ajtai, et al. The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract), 1998, STOC '98.

[14] Arnaldo V. Moura, et al. LATIN'98: Theoretical Informatics, 1998, Lecture Notes in Computer Science.

[15] Daniele Micciancio, et al. The shortest vector in a lattice is hard to approximate to within some constant, 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[16] Peter W. Shor, et al. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, 1995, SIAM Rev.

[17] Joseph H. Silverman, et al. Cryptography and Lattices, 2001, Lecture Notes in Computer Science.

[18] Arjen K. Lenstra, et al. Selecting Cryptographic Key Sizes, 2000, Journal of Cryptology.

[19] Claus-Peter Schnorr, et al. Segment LLL-Reduction with Floating Point Orthogonalization, 2001, CaLC.

[20] Claus Peter Schnorr, et al. New Practical Algorithms for the Approximate Shortest Lattice Vector, 2001.

[21] Daniele Micciancio, et al. Improving Lattice Based Cryptosystems Using the Hermite Normal Form, 2001, CaLC.

[22] Sean Hallgren, et al. Polynomial-time quantum algorithms for Pell's equation and the principal ideal problem, 2002, STOC '02.

[23] Oded Regev, et al. Quantum computation and lattice problems, 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings.

[24] Daniele Micciancio. Improved cryptographic hash functions with worst-case/average-case connection, 2002, STOC '02.

[25] Claus-Peter Schnorr, et al. Lattice Reduction by Random Sampling and Birthday Methods, 2003, STACS.

[26] Oded Regev. Quantum Computation and Lattice Problems, 2004, SIAM J. Comput.