Zvika Brakerski,Elena Kirshanova,Damien Stehlé,Weiqiang Wen

DOI: https://doi.org/10.1007/978-3-319-76581-5_24

2018-01-01

Abstract:The hardness of the learning with errors (LWE) problem is one of the most fruitful resources of modern cryptography. In particular, it is one of the most prominent candidates for secure post-quantum cryptography. Understanding its quantum complexity is therefore an important goal.We show that under quantum polynomial time reductions, LWE is equivalent to a relaxed version of the dihedral coset problem (DCP), which we call extrapolated DCP (eDCP). The extent of extrapolation varies with the LWE noise rate. By considering different extents of extrapolation, our result generalizes Regev’s famous proof that if DCP is in BQP (quantum poly-time) then so is LWE (FOCS 02). We also discuss a connection between eDCP and Childs and Van Dam’s algorithm for generalized hidden shift problems (SODA 07).Our result implies that a BQP solution for LWE might not require the full power of solving DCP, but rather only a solution for its relaxed version, eDCP, which could be easier.

Maxime Remaud,André Schrottenloher,Jean-Pierre Tillich

2023-09-19

Abstract:The Dihedral Coset Problem (DCP) in $Z_N$ has been extensively studied in quantum computing and post-quantum cryptography, as for instance, the Learning with Errors problem reduces to it. While the Ettinger-Hoyer algorithm is known to solve the DCP in $O(log(N))$ queries, it runs inefficiently in time $O(N)$. The first time-efficient algorithm was introduced (and later improved) by Kuperberg (SIAM J. Comput. 2005). These algorithms run in a subexponential amount of time and queries $O{2^{\sqrt{c_{DCP}log(N)}}}$, for some constant $c_{DCP}$. The sieving algorithms à la Kuperberg admit many trade-offs between quantum and classical time, memory and queries. Some of these trade-offs allow the attacker to reduce the number of queries if they are particularly costly, which is notably the case in the post-quantum key-exchange CSIDH. Such optimizations have already been studied, but they typically fall into two categories: the resulting algorithm is either based on Regev's approach of reducing the DCP with quadratic queries to a subset-sum instance, or on a re-optimization of Kuperberg's sieve where the time and queries are both subexponential. In this paper, we introduce the first algorithm to improve in the linear queries regime over the Ettinger-Hoyer algorithm. We then show that we can in fact interpolate between this algorithm and Kuperberg's sieve, by using the latter in a pre-processing step to create several quantum states, and solving a quantum subset-sum instance to recover the full secret in one pass from the obtained states. This allows to interpolate smoothly between the linear queries-exponential time complexity case and the subexponential query and time complexity case, thus allowing a fine tuning of the complexity taking into account the query cost. We also give on our way a precise study of quantum subset-sum algorithms in the non-asymptotic regime.

Quantum Physics

Javad Doliskani

DOI: https://doi.org/10.48550/arXiv.2105.12790

2021-05-27

Abstract:Our main result is a quantum public-key encryption scheme based on the Extrapolated Dihedral Coset problem (EDCP) which is equivalent, under quantum polynomial-time reductions, to the Learning With Errors (LWE) problem. For limited number of public keys (roughly linear in the security parameter), the proposed scheme is information-theoretically secure. For polynomial number of public keys, breaking the scheme is as hard as solving the LWE problem. The public keys in our scheme are quantum states of size $\tilde{O}(n)$ qubits. The key generation and decryption algorithms require $\tilde{O}(n)$ qubit operations while the encryption algorithm takes $O(1)$ qubit operations.

Quantum Physics,Cryptography and Security

Jintai Ding,Momonari Kudo,Shinya Okumura,Tsuyoshi Takagi,Chengdong Tao

DOI: https://doi.org/10.1007/s13160-018-0316-x

2018-01-01

Japan Journal of Industrial and Applied Mathematics

Abstract:Researching post-quantum cryptography is now an important task in cryptography. Although various candidates of post-quantum cryptosystems (PQC) have been constructed, sizes of their public keys are large. Okumura constructed a candidate of PQC whose security is expected to be based on certain Diophantine equations (DEC). Okumura analysis suggests that DEC achieves the high security with small public key sizes. This paper proposes a polynomial time-attack on the one-way property of DEC. We reduce the security of DEC to finding special short lattice points of some low-rank lattices derived from public data. The usual LLL algorithm could not find the most important lattice point in our experiments because of certain properties of the lattice point. Our heuristic analysis leads us to using a variant of the LLL algorithm, called a weighted LLL algorithm by us. Our experiments suggest that DEC with 128 bit security becomes insecure by our attack.

Muxi Zheng,Jinfeng Zeng,Wentao Yang,Pei-Jie Chang,Bao Yan,Haoran Zhang,Min Wang,Shijie Wei,Gui-Lu Long

2024-08-15

Abstract:The Learning-With-Errors (LWE) problem is a crucial computational challenge with significant implications for post-quantum cryptography and computational learning theory. Here we propose a quantum-classical hybrid algorithm with Ising model (HAWI) to address the LWE problem. Our approach involves transforming the LWE problem into the Shortest Vector Problem (SVP), using variable qubits to encode lattice vectors into an Ising Hamiltonian. We then identify the low-energy levels of the Hamiltonian to extract the solution, making it suitable for implementation on current noisy intermediate-scale quantum (NISQ) devices. We prove that the number of qubits required is less than $m(3m-1)/2$, where $m$ is the number of samples in the algorithm. Our algorithm is heuristic, and its time complexity depends on the specific quantum algorithm employed to find the Hamiltonian's low-energy levels. If the Quantum Approximate Optimization Algorithm (QAOA) is used to solve the Ising Hamiltonian problem, and the number of iterations satisfies $y < O\left(m\log m\cdot 2^{0.2972k}/pk^2\right)$, our algorithm will outperform the classical Block Korkine-Zolotarev (BKZ) algorithm, where $k$ is the block size related to problem parameters, and $p$ is the number of layers in QAOA. We demonstrate the algorithm by solving a $2$-dimensional LWE problem on a real quantum device with $5$ qubits, showing its potential for solving meaningful instances of the LWE problem in the NISQ era.

Quantum Physics,Mathematical Physics

Lior Eldar,Sean Hallgren

DOI: https://doi.org/10.48550/arXiv.2201.13450

2022-02-01

Abstract:We give a quantum algorithm for solving the Bounded Distance Decoding (BDD) problem with a subexponential approximation factor on a class of integer lattices. The quantum algorithm uses a well-known but challenging-to-use quantum state on lattices as a type of approximate quantum eigenvector to randomly self-reduce the BDD instance to a random BDD instance which is solvable classically. The running time of the quantum algorithm is polynomial for one range of approximation factors and subexponential time for a second range of approximation factors. The subclass of lattices we study has a natural description in terms of the lattice's periodicity and finite abelian group rank. This view makes for a clean quantum algorithm in terms of finite abelian groups, uses very relatively little from lattice theory, and suggests exploring approximation algorithms for lattice problems in parameters other than dimension alone. A talk on this paper sparked many lively discussions and resulted in a new classical algorithm matching part of our result. We leave it as a challenge to give a classcial algorithm matching the general case.

Quantum Physics,Computational Complexity,Data Structures and Algorithms

Ziqing Wang,Dianhua Tang,Haomiao Yang,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2021.102165

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:The lattice cryptosystem is considered to be able to resist the attacks of quantum computers. Lattice-based Public Key Encryption (PKE) schemes have attracted the interest of many researchers. In lattice-based cryptography, Learning With Errors (LWE) problem is a hard problem usually used to construct PKE scheme. To ensure the correctness of decryption, LWE-based schemes have a large ciphertext size. This makes these encryption schemes not practical enough when the communication bandwidth is limited. We propose a new variant of LWE, named Learning With Modulus (LWM) and prove that the new problem can be reduced from LWE problem. The proof idea of our reduction is similar to the reduction of LWR problem. We also construct a new PKE scheme based on the proposed LWM and LWE, which has small ciphertext size. For a 128 bits plaintext, the ciphertext size of our scheme is 53.57% of Lindner–Peikert’s (LP) scheme under the same security level. We use python to test the performance of our scheme. The results show that our scheme is only about 0.015 ms slower than LP in the decryption. The performance of our scheme for generating keys and encrypting messages is similar to LP.

Jiaqi Liu,Fang-Wei Fu

2023-12-01

Abstract:The Learning with Errors (LWE) problem has been widely utilized as a foundation for numerous cryptographic tools over the years. In this study, we focus on an algebraic variant of the LWE problem called Group ring LWE (GR-LWE). We select group rings (or their direct summands) that underlie specific families of finite groups constructed by taking the semi-direct product of two cyclic groups. Unlike the Ring-LWE problem described in \cite{lyubashevsky2010ideal}, the multiplication operation in the group rings considered here is non-commutative. As an extension of Ring-LWE, it maintains computational hardness and can be potentially applied in many cryptographic scenarios. In this paper, we present two polynomial-time quantum reductions. Firstly, we provide a quantum reduction from the worst-case shortest independent vectors problem (SIVP) in ideal lattices with polynomial approximate factor to the search version of GR-LWE. This reduction requires that the underlying group ring possesses certain mild properties; Secondly, we present another quantum reduction for two types of group rings, where the worst-case SIVP problem is directly reduced to the (average-case) decision GR-LWE problem. The pseudorandomness of GR-LWE samples guaranteed by this reduction can be consequently leveraged to construct semantically secure public-key cryptosystems.

Cryptography and Security,Information Theory

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

André Chailloux,Jean-Pierre Tillich

2023-11-01

Abstract:One of the founding results of lattice based cryptography is a quantum reduction from the Short Integer Solution problem to the Learning with Errors problem introduced by Regev. It has recently been pointed out by Chen, Liu and Zhandry that this reduction can be made more powerful by replacing the learning with errors problem with a quantum equivalent, where the errors are given in quantum superposition. In the context of codes, this can be adapted to a reduction from finding short codewords to a quantum decoding problem for random linear codes. We therefore consider in this paper the quantum decoding problem, where we are given a superposition of noisy versions of a codeword and we want to recover the corresponding codeword. When we measure the superposition, we get back the usual classical decoding problem for which the best known algorithms are in the constant rate and error-rate regime exponential in the codelength. However, we will show here that when the noise rate is small enough, then the quantum decoding problem can be solved in quantum polynomial time. Moreover, we also show that the problem can in principle be solved quantumly (albeit not efficiently) for noise rates for which the associated classical decoding problem cannot be solved at all for information theoretic reasons. We then revisit Regev's reduction in the context of codes. We show that using our algorithms for the quantum decoding problem in Regev's reduction matches the best known quantum algorithms for the short codeword problem. This shows in some sense the tightness of Regev's reduction when considering the quantum decoding problem and also paves the way for new quantum algorithms for the short codeword problem.

Quantum Physics

DOI: https://doi.org/10.1007/s11128-024-04387-w

IF: 1.965

2024-05-14

Quantum Information Processing

Abstract:Noisy trapdoor claw-free function (NTCF) is a powerful post-quantum cryptographic tool that can efficiently constrain actions of untrusted quantum devices within a classical–quantum interactive cryptographic model. Although NTCF is powerful, its essence remains a 2-to-1 one-way function (NTCF ), which is inefficient in some cryptographic tasks. This raises an intriguing question: Can NTCF be extended to higher dimensions based on standard cryptographic hardness assumptions? Inspired by the extrapolated dihedral cosets, this work focuses on developing many-to-one trapdoor claw-free functions with polynomially bounded preimage sizes. The main results can be summarized as follows: Firstly, we introduce the definition of -to-1 NTCF where is a polynomial integer, and present an efficient construction of NTCF assuming quantum hardness of the learning with errors (LWE) problem. Secondly, we illustrate a key application of NTCFs in establishing a reduction from the LWE problem to the dihedral coset problems (DCPs). Specifically, our approach, leveraging NTCF (resp. NTCF ), reveals a new quantum reduction pathway from the LWE problem to the DCP (resp. an extrapolated version of DCP). This reduction is the core cryptographic analysis tool for studying the resistance of lattice problems against quantum attacks. Finally, we demonstrate that NTCF can be further reduced to NTCF , thus preserving its usefulness in proofs of quantumness.

physics, multidisciplinary,quantum science & technology, mathematical

Leixiao Cheng,Quanshui Wu,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-319-72359-4_16

2017-01-01

Abstract:Lossy trapdoor functions (LTDF) and all-but-one trapdoor functions (ABO-TDF) are fundamental cryptographic primitives. And given the recent advances in quantum computing, it would be much desirable to develop new and improved lattice-based LTDF and ABO-TDF. In this work, we provide more compact constructions of LTDF and ABO-TDF based on the learning with errors (LWE) problem. In addition, our LWE-based ABO-TDF can allow smaller system parameters to support super-polynomially many injective branches in the construction of CCA secure public key encryption. As a core building tool, we provide a more compact homomorphic symmetric encryption schemes based on LWE, which might be of independent interest. To further optimize the ABO-TDF construction, we employ the full rank difference encoding technique. As a consequence, the results presented in this work can substantially improve the performance of all the previous LWE-based cryptographic constructions based upon LTDF and ABO-TDF.

Niklas Nolte,Mohamed Malhou,Emily Wenger,Samuel Stevens,Cathy Li,François Charton,Kristin Lauter

2024-10-10

Abstract:Sparse binary LWE secrets are under consideration for standardization for Homomorphic Encryption and its applications to private computation. Known attacks on sparse binary LWE secrets include the sparse dual attack and the hybrid sparse dual-meet in the middle attack which requires significant memory. In this paper, we provide a new statistical attack with low memory requirement. The attack relies on some initial lattice reduction. The key observation is that, after lattice reduction is applied to the rows of a q-ary-like embedded random matrix $\mathbf A$, the entries with high variance are concentrated in the early columns of the extracted matrix. This allows us to separate out the "hard part" of the LWE secret. We can first solve the sub-problem of finding the "cruel" bits of the secret in the early columns, and then find the remaining "cool" bits in linear time. We use statistical techniques to distinguish distributions to identify both the cruel and the cool bits of the secret. We provide concrete attack timings for recovering secrets in dimensions $n=256$, $512$, and $768$. For the lattice reduction stage, we leverage recent improvements in lattice reduction (e.g. flatter) applied in parallel. We also apply our new attack in the RLWE setting for $2$-power cyclotomic rings, showing that these RLWE instances are much more vulnerable to this attack than LWE.

Cryptography and Security

Hari Krovi,Martin Roetteler

DOI: https://doi.org/10.48550/arXiv.0810.3695

2008-10-21

Abstract:Many exponential speedups that have been achieved in quantum computing are obtained via hidden subgroup problems (HSPs). We show that the HSP over Weyl-Heisenberg groups can be solved efficiently on a quantum computer. These groups are well-known in physics and play an important role in the theory of quantum error-correcting codes. Our algorithm is based on non-commutative Fourier analysis of coset states which are quantum states that arise from a given black-box function. We use Clebsch-Gordan decompositions to combine and reduce tensor products of irreducible representations. Furthermore, we use a new technique of changing labels of irreducible representations to obtain low-dimensional irreducible representations in the decomposition process. A feature of the presented algorithm is that in each iteration of the algorithm the quantum computer operates on two coset states simultaneously. This is an improvement over the previously best known quantum algorithm for these groups which required four coset states.

Quantum Physics,Computational Complexity

Xingyu Yan,Licheng Wang,Lize Gu,Ziyi Li,Jingwen Suo

2023-07-21

Abstract:\emph{Noisy trapdoor claw-free function} (NTCF) as a powerful post-quantum cryptographic tool can efficiently constrain actions of untrusted quantum devices. However, the original NTCF is essentially \emph{2-to-1} one-way function (NTCF$^1_2$). In this work, we attempt to further extend the NTCF$^1_2$ to achieve \emph{many-to-one} trapdoor claw-free functions with polynomial bounded preimage size. Specifically, we focus on a significant extrapolation of NTCF$^1_2$ by drawing on extrapolated dihedral cosets, thereby giving a model of NTCF$^1_{\kappa}$ where $\kappa$ is a polynomial integer. Then, we present an efficient construction of NTCF$^1_{\kappa}$ assuming \emph{quantum hardness of the learning with errors (LWE)} problem. We point out that NTCF can be used to bridge the LWE and the dihedral coset problem (DCP). By leveraging NTCF$^1_2$ (resp. NTCF$^1_{\kappa}$), our work reveals a new quantum reduction path from the LWE problem to the DCP (resp. extrapolated DCP). Finally, we demonstrate the NTCF$^1_{\kappa}$ can naturally be reduced to the NTCF$^1_2$, thereby achieving the same application for proving the quantumness.

Cryptography and Security,Computational Complexity,Quantum Physics

Wenjuan Jia,Jiang Zhang,Binwu Xiang,Baocang Wang

DOI: https://doi.org/10.1016/j.tcs.2024.114481

IF: 1.002

2024-03-02

Theoretical Computer Science

Abstract:Let (D,S,χ,m)-LWEn,q be the LWE problem in matrix form (A,y=As+emodq) , where A,s,e are randomly chosen respectively from the seed distribution D over Zqm×n , secret distribution S over Zqn and noise distribution χm over Zm (or Rm ), i.e., A←D,s←S,e←χm . For various secret-noise distributions (S,χ) , the (D,S,χ,m)-LWEn,q problem is shown to be as hard as some standard worst-case lattice problems, but most of the known results require D to be the uniform distribution over Zqm×n . In this paper, we show that under the standard LWE assumption, the problem (D,S,χ,m)-LWEn,q can still be hard for some distribution D that is not (even computationally indistinguishable from) the uniform distribution over Zqm×n . Specifically, we show that if D is a semi-uniform distribution over Zqm×n (namely, D can be publicly derived from and has a "small difference" to the uniform distribution over Zqm×n ), then for appropriate choices of (S,χ) , the problem (D,S,χ,m)-LWEn,q is hard under the standard LWE assumption. Moreover, we also show that the semi-uniform MLWE problem is hard under the standard MLWE assumption. As a direct application, our results pave the way to prove the security of public-key encryptions with rounded public keys under the standard (M)LWE assumption.

computer science, theory & methods

André Chailloux,Johanna Loyer

DOI: https://doi.org/10.48550/arXiv.2105.05608

2021-05-12

Quantum Physics

Abstract:Lattice-based cryptography is one of the leading proposals for post-quantum cryptography. The Shortest Vector Problem (SVP) is arguably the most important problem for the cryptanalysis of lattice-based cryptography, and many lattice-based schemes have security claims based on its hardness. The best quantum algorithm for the SVP is due to Laarhoven [Laa16 PhD] and runs in (heuristic) time $2^{0.2653d + o(d)}$. In this article, we present an improvement over Laarhoven's result and present an algorithm that has a (heuristic) running time of $2^{0.2570 d + o(d)}$ where $d$ is the lattice dimension. We also present time-memory trade-offs where we quantify the amount of quantum memory and quantum random access memory of our algorithm. The core idea is to replace Grover's algorithm used in [Laa16 PhD] in a key part of the sieving algorithm by a quantum random walk in which we add a layer of local sensitive filtering.

Yan Huang,Zhaofeng Su,Fangguo Zhang,Yong Ding,Rong Cheng

DOI: https://doi.org/10.1007/s11128-019-2562-5

IF: 1.965

2020-01-01

Quantum Information Processing

Abstract:The discrete logarithm problem (DLP) plays an important role in modern cryptography since it cannot be efficiently solved on a classical computer. Currently, the DLP based on the hyperelliptic curve of genus 2 (HCDLP) is widely used in industry and also a research field of hot interest. At the same time, quantum computing, a new paradigm for computing based on quantum mechanics, provides the ability to solve certain hard problems that cannot be efficiently solved on classical computers. In this paper, we consider the problem of solving the HCDLP in the paradigm of quantum computing. We propose a quantum algorithm for solving the HCDLP by applying the framework of quantum algorithm designed by Shor. The key of the algorithm is the realization of divisor addition. We solve the key problem and get analytical results for divisor addition by geometric meaning of the group addition. Therefore, the procedure can be efficiently realized on a quantum computer using the basic modular arithmetic operations. Finally, we conclude that the HCDLP defined over an n-bit prime field \(\mathbb {F}_{p}\) can be computed on a quantum computer with at most \(13n+2\lfloor \log _{2}n\rfloor +10\) qubits using \(2624n^{3} \log _{2}n-2209.2n^{3} + 1792n^{2} \log _{2}n-3012.8n^{2}\) Toffoli gates. For current parameters at comparable classical security levels, there are fewer qubits and Toffoli gates to solve the HCDLP than the ones to solve the DLP based on elliptic curves.

Yilei Chen,Zihan Hu,Qipeng Liu,Han Luo,Yaxin Tu

2024-10-06

Abstract:In this paper, we show new algorithms, hardness results and applications for $\sf{S|LWE\rangle}$ and $\sf{C|LWE\rangle}$ with real Gaussian, Gaussian with linear or quadratic phase terms, and other related amplitudes. Let $n$ be the dimension of LWE samples. Our main results are 1. There is a $2^{\tilde{O}(\sqrt{n})}$-time algorithm for $\sf{S|LWE\rangle}$ with Gaussian amplitude with \emph{known} phase, given $2^{\tilde{O}(\sqrt{n})}$ many quantum samples. The algorithm is modified from Kuperberg's sieve, and in fact works for more general amplitudes as long as the amplitudes and phases are completely \emph{known}. 2. There is a polynomial time quantum algorithm for solving $\sf{S|LWE\rangle}$ and $\sf{C|LWE\rangle}$ for Gaussian with quadratic phase amplitudes, where the sample complexity is as small as $\tilde{O}(n)$. As an application, we give a quantum oblivious LWE sampler where the core quantum sampler requires only quasi-linear sample complexity. This improves upon the previous oblivious LWE sampler given by Debris-Alazard, Fallahpour, Stehlé [STOC 2024], whose core quantum sampler requires $\tilde{O}(nr)$ sample complexity, where $r$ is the standard deviation of the error. 3. There exist polynomial time quantum reductions from standard LWE or worst-case GapSVP to $\sf{S|LWE\rangle}$ with Gaussian amplitude with small \emph{unknown} phase, and arbitrarily many samples. Compared to the first two items, the appearance of the unknown phase term places a barrier in designing efficient quantum algorithm for solving standard LWE via $\sf{S|LWE\rangle}$.

Quantum Physics,Cryptography and Security

Oded Regev

2024-01-08

Abstract:Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the `learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., non-quantum).

Cryptography and Security,Computational Complexity,Quantum Physics