Overview of Quantum Cryptanalysis of Lattice Systems
Elena Kirshanova
I. Kant Baltic Federal University
based on joint works with G.Herold, T. Laarhoven
Quantum Cryptanalysis of Post-Quantum CryptographyThe Simons Institute for the Theory of Computing
March 1, 2020
Outline
• The Shortest Vector Problem
• Classical & Quantum Sieve
• Other algorithms
SVP
0
b1
b2
v
Minimum
λ1(L) = minv∈L\0 ‖v‖
Determinant
det(L) = |det(bi)i|
Minkowski bound
λ1(L) ≤√n(det(L)) 1n
The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:
‖vshortest‖ = λ1(L)
SVP
0
b1
b2
v
Minimum
λ1(L) = minv∈L\0 ‖v‖
Determinant
det(L) = |det(bi)i|
Minkowski bound
λ1(L) ≤√n(det(L)) 1n
The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:
‖vshortest‖ = λ1(L)
SVP
0
b1
b2
v
Minimum
λ1(L) = minv∈L\0 ‖v‖
Determinant
det(L) = |det(bi)i|
Minkowski bound
λ1(L) ≤√n(det(L)) 1n
The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:
‖vshortest‖ = λ1(L)
Asymptotics for SVP Algorithms
• Enumeration
Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)
Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)
• Sieving
(Heuristic)
Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n
Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n
Asymptotics for SVP Algorithms
• Enumeration
Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)
Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)
• Sieving
(Heuristic)
Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n
Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n
Asymptotics for SVP Algorithms
• Enumeration
Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)
Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)
• Sieving (Heuristic)
Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n
Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Main Routine in Sieving: 2-List problem on the unit sphere
Given 2-lists L1, L2 ⊂ Sn−1 of iid. elements
L1 L2 ⊂
find all (x1, x2) ∈ L1 × L2 :||x1 ± x2|| ≤ 1
0
Q1: How large is L?Q2: How fast can we find all (x1, x2)?
Main Routine in Sieving: 2-List problem on the unit sphere
Given 2-lists L1, L2 ⊂ Sn−1 of iid. elements
L1 L2 ⊂
find all (x1, x2) ∈ L1 × L2 :||x1 ± x2|| ≤ 1
0
Q1: How large is L?Q2: How fast can we find all (x1, x2)?
Distribution of Gram matrices
Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :
Ci.j = 〈xi , xj〉
• C determines the 2-norm of the sum:
||∑
xi||2 = k + 2∑i<j
〈xi , xj〉
• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function
µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k
A proof is in [HK’17] and relies on the Wishart distribution
Distribution of Gram matrices
Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :
Ci.j = 〈xi , xj〉
• C determines the 2-norm of the sum:
||∑
xi||2 = k + 2∑i<j
〈xi , xj〉
• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function
µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k
A proof is in [HK’17] and relies on the Wishart distribution
Distribution of Gram matrices
Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :
Ci.j = 〈xi , xj〉
• C determines the 2-norm of the sum:
||∑
xi||2 = k + 2∑i<j
〈xi , xj〉
• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function
µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k
A proof is in [HK’17] and relies on the Wishart distribution
Q1: How large is L?
µC ≈ det(C)n2 = det
(1 〈x1 , x2〉
〈x1 , x2〉 1
)n2
det
(1 1/21/2 1
)= 3
4=⇒ |L| =
(43
)n/2+o(n)= 2(0.2075+o(1))n
0
1
x1
1 x2
1
π/3
Q2: How fast can we find all (x1, x2)?
Brute force complexity: |L|2 = 2(0.415+o(1))n
To achieve T = 20.292+o(1) use Near Neighbor search(aka Locality-Sensitive techniques)
Locality-sensitive filtering [MO15, BGJ15, BDGL16]
u1
u2
u3
u4
u5
u6
u7
u8
u9
α
choose ui ∈ Sn−1
Locality-sensitive filtering [MO15, BGJ15, BDGL16]
u1
u2
u3
u4
u5
u6
u7
u8
u9
x1
x2
x3
x4
x5x6
x7
x8
x9
x10
x11
α
choose ui ∈ Sn−1
∀xi ∈ L, find all uj :
〈xi , uj〉 < α
Locality-sensitive filtering [MO15, BGJ15, BDGL16]
u1
u2
u3
u4
u5
u6
u7
u8
u9
x1
x2
x3
x4
x5x6
x7
x8
x9
x10
x11
q
β
choose ui ∈ Sn−1
∀xi ∈ L, find all uj :
〈xi , uj〉 < α
∀qi ∈ L, find all uj :
〈qi , uj〉 < β
Analysis I
1. How to find relevant centers fast?
[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis I
1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis I
1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis I
1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis IIHow large is U?
u1
u2
u3
u4
u5
u6
u7
u8
u9
x3
x4
Analysis II
How large is U?
|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2
1. 〈u , x3〉 = α
2. 〈u , x4〉 = β
P = Pru∈Sn−1
[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]
=
(det
(1 α βα 1 cβ c 1
))n/2(det( 1 cc 1 ))
n/2.
For α = β = c = 1/2, P−1 =(32
)n/2= 20.292n
Analysis II
How large is U?
|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2
1. 〈u , x3〉 = α
2. 〈u , x4〉 = β
P = Pru∈Sn−1
[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]
=
(det
(1 α βα 1 cβ c 1
))n/2(det( 1 cc 1 ))
n/2.
For α = β = c = 1/2, P−1 =(32
)n/2= 20.292n
Analysis II
How large is U?
|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2
1. 〈u , x3〉 = α
2. 〈u , x4〉 = β
P = Pru∈Sn−1
[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]
=
(det
(1 α βα 1 cβ c 1
))n/2(det( 1 cc 1 ))
n/2.
For α = β = c = 1/2, P−1 =(32
)n/2= 20.292n
Quantum LSF [Laa’15]
Main idea: apply Grover search inside each bucket
Classical:
1. TUpdate = |U | · (1− α2)n/2
2. TQuery = |U | · (1− β2)n/2
3. Set α : |L| · (1− α2)n/2 = 1
Quantum:
1. TUpdate = |U | · (1−α2)n/2
2. TQQuery = |U |·(1−β
2)n/2+Grover Search inside eachrelevant center
TQQuery =|U | · (1− β
2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2
TQQuery = TQ
Update for α =√34 and |U | = (139 )
n/2 = 20.265·n
Quantum LSF [Laa’15]
Main idea: apply Grover search inside each bucket
Classical:
1. TUpdate = |U | · (1− α2)n/2
2. TQuery = |U | · (1− β2)n/2
3. Set α : |L| · (1− α2)n/2 = 1
Quantum:
1. TUpdate = |U | · (1−α2)n/2
2. TQQuery = |U |·(1−β
2)n/2+Grover Search inside eachrelevant center
TQQuery =|U | · (1− β
2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2
TQQuery = TQ
Update for α =√34 and |U | = (139 )
n/2 = 20.265·n
Quantum LSF [Laa’15]
Main idea: apply Grover search inside each bucket
Classical:
1. TUpdate = |U | · (1− α2)n/2
2. TQuery = |U | · (1− β2)n/2
3. Set α : |L| · (1− α2)n/2 = 1
Quantum:
1. TUpdate = |U | · (1−α2)n/2
2. TQQuery = |U |·(1−β
2)n/2+Grover Search inside eachrelevant center
TQQuery =|U | · (1− β
2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2
TQQuery = TQ
Update for α =√34 and |U | = (139 )
n/2 = 20.265·n
Other Ways to Attack SVP/LWE/SIS?
1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size
TEnum = 2((1/2e)+o(1))n logn
Quantum: back-tracking technique [ANS18]
TQEnum = 2((1/4e)+o(1))n logn
2. Low-mem. Sparse/binary secret LWE: Grover search:
TGrover = 212|Search space|
3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.
Thank you!
Other Ways to Attack SVP/LWE/SIS?
1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size
TEnum = 2((1/2e)+o(1))n logn
Quantum: back-tracking technique [ANS18]
TQEnum = 2((1/4e)+o(1))n logn
2. Low-mem. Sparse/binary secret LWE: Grover search:
TGrover = 212|Search space|
3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.
Thank you!
Other Ways to Attack SVP/LWE/SIS?
1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size
TEnum = 2((1/2e)+o(1))n logn
Quantum: back-tracking technique [ANS18]
TQEnum = 2((1/4e)+o(1))n logn
2. Low-mem. Sparse/binary secret LWE: Grover search:
TGrover = 212|Search space|
3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.
Thank you!
References I
• [ANS18] Y. Aono, P. Q. Nguyen, Y. Shen. Quantum LatticeEnumeration and Tweaking Discrete Pruning
• [BDGL16] A. Becker, L. Ducas, N. Gama, T. Laarhoven. New directionsin nearest neighbor searching with applications to lattice sieving.
• [Laa15] T. Laarhoven. Search problems in cryptography. PhD thesis
• [MO15] A. May, I.Ozerov. On Computing Nearest Neighbors withApplications to Decoding of Binary Linear Codes