TY - GEN
T1 - Quantum Algorithms for the Approximate k-List Problem and their Application to Lattice Sieving
AU - Kirshanova, Elena
AU - Mårtensson, Erik
AU - Postlethwaite, Eamonn
AU - Roy Moulik, Subhayan
N1 - Conference code: 25
PY - 2019
Y1 - 2019
N2 - The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a $d$-dimensional lattice in $2^{\const d + \smallo(d)}$ time steps with $2^{\const' d + \smallo(d)}$ memory for constants $c, c'$. In this work, we give various quantum sieving algorithms that trade computational steps for memory.We first give a quantum analogue of the classical $k$-Sieve algorithm [Herold--Kirshanova--Laarhoven, PKC'18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in $2^{0.2989d + o(d)}$ time steps using $2^{0.1395d + o(d)}$ memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D Thesis, 2015] which, in the same model, solves SVP in $2^{0.2653d + o(d)}$ time steps and memory. In the QRAM model these algorithms can be implemented using $\poly(d)$ width quantum circuits.Secondly, we frame the $k$-Sieve as the problem of $k$-clique listing in a graph and apply quantum $k$-clique finding techniques to the $k$-Sieve. Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A'13] to the $2$-Sieve and giving an analysis in the quantum circuit model. We show how to heuristically solve SVP in $2^{0.1037d + o(d)}$ time steps using $2^{0.2075d + o(d)}$ quantum memory.
AB - The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a $d$-dimensional lattice in $2^{\const d + \smallo(d)}$ time steps with $2^{\const' d + \smallo(d)}$ memory for constants $c, c'$. In this work, we give various quantum sieving algorithms that trade computational steps for memory.We first give a quantum analogue of the classical $k$-Sieve algorithm [Herold--Kirshanova--Laarhoven, PKC'18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in $2^{0.2989d + o(d)}$ time steps using $2^{0.1395d + o(d)}$ memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D Thesis, 2015] which, in the same model, solves SVP in $2^{0.2653d + o(d)}$ time steps and memory. In the QRAM model these algorithms can be implemented using $\poly(d)$ width quantum circuits.Secondly, we frame the $k$-Sieve as the problem of $k$-clique listing in a graph and apply quantum $k$-clique finding techniques to the $k$-Sieve. Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A'13] to the $2$-Sieve and giving an analysis in the quantum circuit model. We show how to heuristically solve SVP in $2^{0.1037d + o(d)}$ time steps using $2^{0.2075d + o(d)}$ quantum memory.
KW - shortest vector problem (SVP)
KW - lattice sieving
KW - Grover's algorithm
KW - approximate $k$-list problem
KW - nearest neighbour algorithms
KW - distributed computation
U2 - 10.1007/978-3-030-34578-5_19
DO - 10.1007/978-3-030-34578-5_19
M3 - Paper in conference proceeding
BT - Advances in Cryptology - ASIACRYPT 2019 - 25th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
PB - Springer
T2 - Advances in Cryptology - ASIACRYPT 2019 - 25th International Conference on the Theory and Application of Cryptology and Information Security
Y2 - 8 December 2019 through 12 December 2019
ER -