Lattice-based cryptography is one of the leading proposals for post-quantum cryptography. The Shortest Vector Problem (SVP) is arguably the most important problem for the cryptanalysis of lattice-based cryptography, and many lattice-based schemes have security claims based on its hardness. The best quantum algorithm for the SVP is due to Laarhoven [Laa16 PhD] and runs in (heuristic) time $2^{0.2653d + o(d)}$. In this article, we present an improvement over Laarhoven's result and present an algorithm that has a (heuristic) running time of $2^{0.2570 d + o(d)}$ where $d$ is the lattice dimension. We also present time-memory trade-offs where we quantify the amount of quantum memory and quantum random access memory of our algorithm. The core idea is to replace Grover's algorithm used in [Laa16 PhD] in a key part of the sieving algorithm by a quantum random walk in which we add a layer of local sensitive filtering.
翻译:Lattice 加密法是后二次加密法的主要建议之一。 最短的矢量问题( SVP) 是基于 lattice 加密法的加密分析中最重要的问题, 许多基于 lattice 的加密法方案都有基于其硬度的安全要求。 SVP 的最佳量子算法是Laarhoven [Laa16 博士] 的最好量子算法, 并运行于( 超常) 时间 $2 ⁇ 0. 2653d + o( d)} $。 在文章中, 我们提出改进 Laarhoven 的结果, 并提出一种算法的算法, 其运行时间( 超常) 时间为 $2 ⁇ 0. 2570 d + o( d) o( d) } 。 我们还提出时间- 模拟交换法, 我们量化量量子内存和量子随机存取存储器的数量 。 核心想法是用量子 16 博士 来取代 [ Laa16 的 Grover 用于 缩算法 关键部分的算法 关键部分的算法, 由量子随机行走 增加一个敏感过滤法层 。