One of the founding results of lattice based cryptography is a quantum
reduction from the Short Integer Solution problem to the Learning with Errors
problem introduced by Regev. It has recently been pointed out by Chen, Liu and
Zhandry that this reduction can be made more powerful by replacing the learning
with errors problem with a quantum equivalent, where the errors are given in
quantum superposition. In the context of codes, this can be adapted to a
reduction from finding short codewords to a quantum decoding problem for random
linear codes.
We therefore consider in this paper the quantum decoding problem, where we
are given a superposition of noisy versions of a codeword and we want to
recover the corresponding codeword. When we measure the superposition, we get
back the usual classical decoding problem for which the best known algorithms
are in the constant rate and error-rate regime exponential in the codelength.
However, we will show here that when the noise rate is small enough, then the
quantum decoding problem can be solved in quantum polynomial time. Moreover, we
also show that the problem can in principle be solved quantumly (albeit not
efficiently) for noise rates for which the associated classical decoding
problem cannot be solved at all for information theoretic reasons.
We then revisit Regev's reduction in the context of codes. We show that using
our algorithms for the quantum decoding problem in Regev's reduction matches
the best known quantum algorithms for the short codeword problem. This shows in
some sense the tightness of Regev's reduction when considering the quantum
decoding problem and also paves the way for new quantum algorithms for the
short codeword problem