overview of quantum cryptanalysis of lattice systems · overview of quantum cryptanalysis of...

Overview of Quantum Cryptanalysis of Lattice Systems

Elena Kirshanova

I. Kant Baltic Federal University

based on joint works with G.Herold, T. Laarhoven

Quantum Cryptanalysis of Post-Quantum CryptographyThe Simons Institute for the Theory of Computing

March 1, 2020

Outline

• The Shortest Vector Problem

• Classical & Quantum Sieve

• Other algorithms

SVP

0

b1

b2

v

Minimum

λ1(L) = minv∈L\0 ‖v‖

Determinant

det(L) = |det(bi)i|

Minkowski bound

λ1(L) ≤√n(det(L)) 1n

The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:

‖vshortest‖ = λ1(L)

SVP

0

b1

b2

v

Minimum

λ1(L) = minv∈L\0 ‖v‖

Determinant

det(L) = |det(bi)i|

Minkowski bound

λ1(L) ≤√n(det(L)) 1n

The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:

‖vshortest‖ = λ1(L)

SVP

0

b1

b2

v

Minimum

λ1(L) = minv∈L\0 ‖v‖

Determinant

det(L) = |det(bi)i|

Minkowski bound

λ1(L) ≤√n(det(L)) 1n

The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:

‖vshortest‖ = λ1(L)

Asymptotics for SVP Algorithms

• Enumeration

Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)

Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)

• Sieving

(Heuristic)

Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n

Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n

Asymptotics for SVP Algorithms

• Enumeration

Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)

Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)

• Sieving

(Heuristic)

Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n

Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n

Asymptotics for SVP Algorithms

• Enumeration

Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)

Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)

• Sieving (Heuristic)

Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n

Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n

Basic 2-Sieve (Nguyen-Vidick sieve)

Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors

L L=

L′x1 ± x2

||x1 ± x2||is small

L′=

...poly(n)

0

Basic 2-Sieve (Nguyen-Vidick sieve)

Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors

L L=

L′x1 ± x2

||x1 ± x2||is small

L′=

...poly(n)

0

Basic 2-Sieve (Nguyen-Vidick sieve)

Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors

L L=

L′x1 ± x2

||x1 ± x2||is small

L′=

...poly(n)

0

Basic 2-Sieve (Nguyen-Vidick sieve)

Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors

L L=

L′x1 ± x2

||x1 ± x2||is small

L′=

...poly(n)

0

Basic 2-Sieve (Nguyen-Vidick sieve)

Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors

L L=

L′x1 ± x2

||x1 ± x2||is small

L′=

...poly(n)

0

Main Routine in Sieving: 2-List problem on the unit sphere

Given 2-lists L1, L2 ⊂ Sn−1 of iid. elements

L1 L2 ⊂

find all (x1, x2) ∈ L1 × L2 :||x1 ± x2|| ≤ 1

0

Q1: How large is L?Q2: How fast can we find all (x1, x2)?

Main Routine in Sieving: 2-List problem on the unit sphere

Given 2-lists L1, L2 ⊂ Sn−1 of iid. elements

L1 L2 ⊂

find all (x1, x2) ∈ L1 × L2 :||x1 ± x2|| ≤ 1

0

Q1: How large is L?Q2: How fast can we find all (x1, x2)?

Distribution of Gram matrices

Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :

Ci.j = 〈xi , xj〉

• C determines the 2-norm of the sum:

||∑

xi||2 = k + 2∑i<j

〈xi , xj〉

• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function

µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k

A proof is in [HK’17] and relies on the Wishart distribution

Distribution of Gram matrices

Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :

Ci.j = 〈xi , xj〉

• C determines the 2-norm of the sum:

||∑

xi||2 = k + 2∑i<j

〈xi , xj〉

• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function

µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k

A proof is in [HK’17] and relies on the Wishart distribution

Distribution of Gram matrices

Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :

Ci.j = 〈xi , xj〉

• C determines the 2-norm of the sum:

||∑

xi||2 = k + 2∑i<j

〈xi , xj〉

• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function

µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k

A proof is in [HK’17] and relies on the Wishart distribution

Q1: How large is L?

µC ≈ det(C)n2 = det

(1 〈x1 , x2〉

〈x1 , x2〉 1

)n2

det

(1 1/21/2 1

)= 3

4=⇒ |L| =

(43

)n/2+o(n)= 2(0.2075+o(1))n

0

1

x1

1 x2

1

π/3

Q2: How fast can we find all (x1, x2)?

Brute force complexity: |L|2 = 2(0.415+o(1))n

To achieve T = 20.292+o(1) use Near Neighbor search(aka Locality-Sensitive techniques)

Locality-sensitive filtering [MO15, BGJ15, BDGL16]

u1

u2

u3

u4

u5

u6

u7

u8

u9

α

choose ui ∈ Sn−1

Locality-sensitive filtering [MO15, BGJ15, BDGL16]

u1

u2

u3

u4

u5

u6

u7

u8

u9

x1

x2

x3

x4

x5x6

x7

x8

x9

x10

x11

α

choose ui ∈ Sn−1

∀xi ∈ L, find all uj :

〈xi , uj〉 < α

Locality-sensitive filtering [MO15, BGJ15, BDGL16]

u1

u2

u3

u4

u5

u6

u7

u8

u9

x1

x2

x3

x4

x5x6

x7

x8

x9

x10

x11

q

β

choose ui ∈ Sn−1

∀xi ∈ L, find all uj :

〈xi , uj〉 < α

∀qi ∈ L, find all uj :

〈qi , uj〉 < β

Analysis I

1. How to find relevant centers fast?

[MO15, BDGL16]: choose u from a product code.

u ∈ C1 × C2 × . . .× Ct =: U,

Ci - spherical codes of length o(n).

To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.

2. For each x ∈ L : finding all relevant ui ∈ U :

TUpdate = |U | · Prui∈Sn−1

[〈ui , x〉 < α] = |U | · (1− α2)n/2.

3. For each x ∈ L : query all relevant ui ∈ U :

TQuery = |U | · Prui∈Sn−1

[〈ui , x〉 < β] = |U | · (1− β2)n/2.

Analysis I

1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.

u ∈ C1 × C2 × . . .× Ct =: U,

Ci - spherical codes of length o(n).

To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.

2. For each x ∈ L : finding all relevant ui ∈ U :

TUpdate = |U | · Prui∈Sn−1

[〈ui , x〉 < α] = |U | · (1− α2)n/2.

3. For each x ∈ L : query all relevant ui ∈ U :

TQuery = |U | · Prui∈Sn−1

[〈ui , x〉 < β] = |U | · (1− β2)n/2.

Analysis I

1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.

u ∈ C1 × C2 × . . .× Ct =: U,

Ci - spherical codes of length o(n).

To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.

2. For each x ∈ L : finding all relevant ui ∈ U :

TUpdate = |U | · Prui∈Sn−1

[〈ui , x〉 < α] = |U | · (1− α2)n/2.

3. For each x ∈ L : query all relevant ui ∈ U :

TQuery = |U | · Prui∈Sn−1

[〈ui , x〉 < β] = |U | · (1− β2)n/2.

Analysis I

1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.

u ∈ C1 × C2 × . . .× Ct =: U,

Ci - spherical codes of length o(n).

To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.

2. For each x ∈ L : finding all relevant ui ∈ U :

TUpdate = |U | · Prui∈Sn−1

[〈ui , x〉 < α] = |U | · (1− α2)n/2.

3. For each x ∈ L : query all relevant ui ∈ U :

TQuery = |U | · Prui∈Sn−1

[〈ui , x〉 < β] = |U | · (1− β2)n/2.

Analysis IIHow large is U?

u1

u2

u3

u4

u5

u6

u7

u8

u9

x3

x4

Analysis II

How large is U?

|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2

1. 〈u , x3〉 = α

2. 〈u , x4〉 = β

P = Pru∈Sn−1

[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]

=

(det

(1 α βα 1 cβ c 1

))n/2(det( 1 cc 1 ))

n/2.

For α = β = c = 1/2, P−1 =(32

)n/2= 20.292n

Analysis II

How large is U?

|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2

1. 〈u , x3〉 = α

2. 〈u , x4〉 = β

P = Pru∈Sn−1

[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]

=

(det

(1 α βα 1 cβ c 1

))n/2(det( 1 cc 1 ))

n/2.

For α = β = c = 1/2, P−1 =(32

)n/2= 20.292n

Analysis II

How large is U?

|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2

1. 〈u , x3〉 = α

2. 〈u , x4〉 = β

P = Pru∈Sn−1

[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]

=

(det

(1 α βα 1 cβ c 1

))n/2(det( 1 cc 1 ))

n/2.

For α = β = c = 1/2, P−1 =(32

)n/2= 20.292n

Quantum LSF [Laa’15]

Main idea: apply Grover search inside each bucket

Classical:

1. TUpdate = |U | · (1− α2)n/2

2. TQuery = |U | · (1− β2)n/2

3. Set α : |L| · (1− α2)n/2 = 1

Quantum:

1. TUpdate = |U | · (1−α2)n/2

2. TQQuery = |U |·(1−β

2)n/2+Grover Search inside eachrelevant center

TQQuery =|U | · (1− β

2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2

TQQuery = TQ

Update for α =√34 and |U | = (139 )

n/2 = 20.265·n

Quantum LSF [Laa’15]

Main idea: apply Grover search inside each bucket

Classical:

1. TUpdate = |U | · (1− α2)n/2

2. TQuery = |U | · (1− β2)n/2

3. Set α : |L| · (1− α2)n/2 = 1

Quantum:

1. TUpdate = |U | · (1−α2)n/2

2. TQQuery = |U |·(1−β

2)n/2+Grover Search inside eachrelevant center

TQQuery =|U | · (1− β

2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2

TQQuery = TQ

Update for α =√34 and |U | = (139 )

n/2 = 20.265·n

Quantum LSF [Laa’15]

Main idea: apply Grover search inside each bucket

Classical:

1. TUpdate = |U | · (1− α2)n/2

2. TQuery = |U | · (1− β2)n/2

3. Set α : |L| · (1− α2)n/2 = 1

Quantum:

1. TUpdate = |U | · (1−α2)n/2

2. TQQuery = |U |·(1−β

2)n/2+Grover Search inside eachrelevant center

TQQuery =|U | · (1− β

2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2

TQQuery = TQ

Update for α =√34 and |U | = (139 )

n/2 = 20.265·n

Other Ways to Attack SVP/LWE/SIS?

1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size

TEnum = 2((1/2e)+o(1))n logn

Quantum: back-tracking technique [ANS18]

TQEnum = 2((1/4e)+o(1))n logn

2. Low-mem. Sparse/binary secret LWE: Grover search:

TGrover = 212|Search space|

3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.

Thank you!

Other Ways to Attack SVP/LWE/SIS?

1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size

TEnum = 2((1/2e)+o(1))n logn

Quantum: back-tracking technique [ANS18]

TQEnum = 2((1/4e)+o(1))n logn

2. Low-mem. Sparse/binary secret LWE: Grover search:

TGrover = 212|Search space|

3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.

Thank you!

Other Ways to Attack SVP/LWE/SIS?

1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size

TEnum = 2((1/2e)+o(1))n logn

Quantum: back-tracking technique [ANS18]

TQEnum = 2((1/4e)+o(1))n logn

2. Low-mem. Sparse/binary secret LWE: Grover search:

TGrover = 212|Search space|

3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.

Thank you!

References I

• [ANS18] Y. Aono, P. Q. Nguyen, Y. Shen. Quantum LatticeEnumeration and Tweaking Discrete Pruning

• [BDGL16] A. Becker, L. Ducas, N. Gama, T. Laarhoven. New directionsin nearest neighbor searching with applications to lattice sieving.

• [Laa15] T. Laarhoven. Search problems in cryptography. PhD thesis

• [MO15] A. May, I.Ozerov. On Computing Nearest Neighbors withApplications to Decoding of Binary Linear Codes