47 research outputs found
Quantum Lattice Enumeration and Tweaking Discrete Pruning
International audienceEnumeration is a fundamental lattice algorithm. We show how to speed up enumeration on a quantum computer, which affects the security estimates of several lattice-based submissions to NIST: if T is the number of operations of enumeration, our quantum enumeration runs in roughly operations. This applies to the two most efficient forms of enumeration known in the extreme pruning setting: cylinder pruning but also discrete pruning introduced at Eurocrypt '17. Our results are based on recent quantum tree algorithms by Montanaro and Ambainis-Kokainis. The discrete pruning case requires a crucial tweak: we modify the preprocessing so that the running time can be rigorously proved to be essentially optimal, which was the main open problem in discrete pruning. We also introduce another tweak to solve the more general problem of finding close lattice vectors
Approximate Voronoi cells for lattices, revisited
We revisit the approximate Voronoi cells approach for solving the closest
vector problem with preprocessing (CVPP) on high-dimensional lattices, and
settle the open problem of Doulgerakis-Laarhoven-De Weger [PQCrypto, 2019] of
determining exact asymptotics on the volume of these Voronoi cells under the
Gaussian heuristic. As a result, we obtain improved upper bounds on the time
complexity of the randomized iterative slicer when using less than memory, and we show how to obtain time-memory trade-offs even when using
less than memory. We also settle the open problem of
obtaining a continuous trade-off between the size of the advice and the query
time complexity, as the time complexity with subexponential advice in our
approach scales as , matching worst-case enumeration bounds,
and achieving the same asymptotic scaling as average-case enumeration
algorithms for the closest vector problem.Comment: 18 pages, 1 figur
Lattice Reduction with Approximate Enumeration Oracles:Practical Algorithms and Concrete Performance
Faster Enumeration-based Lattice Reduction:Root Hermite Factor k1/(2k) Time kk/8+o(k)
International audienc
Not-so-adiabatic quantum computation for the shortest vector problem
Since quantum computers are known to break the vast majority of
currently-used cryptographic protocols, a variety of new protocols are being
developed that are conjectured, but not proven to be safe against quantum
attacks. Among the most promising is lattice-based cryptography, where security
relies upon problems like the shortest vector problem. We analyse the potential
of adiabatic quantum computation for attacks on lattice-based cryptography, and
give numerical evidence that even outside the adiabatic regime such methods can
facilitate the solution of the shortest vector and similar problems.Comment: 15 pages total, 9 figures, journal submission to Phys Rev Research
v2, corrected two typos (save --> safe, relies --> relies on
Improved Classical and Quantum Algorithms for the Shortest Vector Problem via Bounded Distance Decoding
The most important computational problem on lattices is the Shortest Vector
Problem (SVP). In this paper, we present new algorithms that improve the
state-of-the-art for provable classical/quantum algorithms for SVP. We present
the following results. A new algorithm for SVP that provides a smooth
tradeoff between time complexity and memory requirement. For any positive
integer , our algorithm takes time and
requires memory. This tradeoff which ranges from
enumeration () to sieving ( constant), is a consequence of a new
time-memory tradeoff for Discrete Gaussian sampling above the smoothing
parameter.
A quantum algorithm for SVP that runs in time and
requires classical memory and poly(n) qubits. In Quantum Random
Access Memory (QRAM) model this algorithm takes only time and
requires a QRAM of size , poly(n) qubits and
classical space. This improves over the previously fastest classical (which is
also the fastest quantum) algorithm due to [ADRS15] that has a time and space
complexity .
A classical algorithm for SVP that runs in time
time and space. This improves over an algorithm of [CCL18] that
has the same space complexity.
The time complexity of our classical and quantum algorithms are obtained
using a known upper bound on a quantity related to the lattice kissing number
which is . We conjecture that for most lattices this quantity is a
. Assuming that this is the case, our classical algorithm runs in
time , our quantum algorithm runs in time
and our quantum algorithm in QRAM model runs in time .Comment: Faster Quantum Algorithm for SVP in QRAM, 43 pages, 4 figure
Faster Enumeration-based Lattice Reduction: Root Hermite Factor k^(1/(2k)) in Time k^(k/8 + o(k))
We give a lattice reduction algorithm that achieves root Hermite factor in time and polynomial memory. This improves on the previously best known enumeration-based algorithms which achieve the same quality, but in time . A cost of was previously mentioned as potentially achievable (Hanrot-Stehlé\u2710) or as a heuristic lower bound (Nguyen\u2710) for enumeration algorithms. We prove the complexity and quality of our algorithm under a heuristic assumption and provide empirical evidence from simulation and implementation experiments attesting to its performance for practical and cryptographic parameter sizes. Our work also suggests potential avenues for achieving costs below for the same root Hermite factor, based on the geometry of SDBKZ-reduced bases
Lattice Reduction with Approximate Enumeration Oracles: Practical Algorithms and Concrete Performance
This work provides a systematic investigation of the use of approximate enumeration oracles in BKZ, building on recent technical progress on speeding-up lattice enumeration: relaxing (the search radius of) enumeration and extended preprocessing which preprocesses in a larger rank than the enumeration rank.
First, we heuristically justify that relaxing enumeration with certain extreme pruning asymptotically achieves an exponential speed-up for reaching the same root Hermite factor (RHF). Second, we perform simulations/experiments to validate this and the performance for relaxed enumeration with numerically optimised pruning for both regular and extended preprocessing.
Upgrading BKZ with such approximate enumeration oracles gives rise to our main result, namely a practical and faster (wrt. previous work) polynomial-space lattice reduction algorithm for reaching the same RHF in practical and cryptographic parameter ranges. We assess its concrete time/quality performance with extensive simulations and experiments
Concrete Analysis of Quantum Lattice Enumeration
Lattice reduction algorithms such as BKZ (Block-Korkine-Zolotarev) play a central role in estimating the security of lattice-based cryptography. The subroutine in BKZ which finds the shortest vector in a projected sublattice can be instantiated with enumeration algorithms. The enumeration procedure can be seen as a depth-first search on some ``enumeration tree\u27\u27 whose nodes denote a partial assignment of the coefficients, corresponding to lattice points as a linear combination of the lattice basis with the coefficients. This work provides a concrete analysis for the cost of quantum lattice enumeration based on Montanaro\u27s quantum tree backtracking algorithm. More precisely, we give a concrete implementation in the quantum circuit model. We also show how to optimize the circuit depth by parallelizing the components. Based on the circuit designed, we discuss the concrete quantum resource estimates required for lattice enumeration