LWE with Quantum Amplitudes: Algorithm, Hardness, and Oblivious Sampling

TL;DR

A quantum oblivious LWE sampler where the core quantum sampler requires only quasi-linear sample complexity is given, which improves upon the previous oblivious LWE sampler given by Debris-Alazard, Fallahpour, Stehl\'{e} [STOC 2024].

Abstract

In this paper, we show new algorithms, hardness results and applications for $\sf{S|LWE\rangle}$ and $\sf{C|LWE\rangle}$ with real Gaussian, Gaussian with linear or quadratic phase terms, and other related amplitudes. Let $n$ be the dimension of LWE samples. Our main results are 1. There is a $2^{\tilde{O}(\sqrt{n})}$-time algorithm for $\sf{S|LWE\rangle}$ with Gaussian amplitude with \emph{known} phase, given $2^{\tilde{O}(\sqrt{n})}$ many quantum samples. The algorithm is modified from Kuperberg's sieve, and in fact works for more general amplitudes as long as the amplitudes and phases are completely \emph{known}. 2. There is a polynomial time quantum algorithm for solving $\sf{S|LWE\rangle}$ and $\sf{C|LWE\rangle}$ for Gaussian with quadratic phase amplitudes, where the sample complexity is as small as $\tilde{O}(n)$. As an application, we give a quantum oblivious LWE sampler where the core quantum sampler requires only quasi-linear sample complexity. This improves upon the previous oblivious LWE sampler given by Debris-Alazard, Fallahpour, Stehlé [STOC 2024], whose core quantum sampler requires $\tilde{O}(nr)$ sample complexity, where $r$ is the standard deviation of the error. 3. There exist polynomial time quantum reductions from standard LWE or worst-case GapSVP to $\sf{S|LWE\rangle}$ with Gaussian amplitude with small \emph{unknown} phase, and arbitrarily many samples. Compared to the first two items, the appearance of the unknown phase term places a barrier in designing efficient quantum algorithm for solving standard LWE via $\sf{S|LWE\rangle}$.

Figures (3)

• Figure 1: Interesting $\mathsf{S|LWE\rangle}$ error amplitudes (top) and their DFTs (bottom). All pictures are depicting the real parts of the functions. The $x$-axis is the input (from $-30$ to $29$, all examples are given over $\mathbb{Z}_{60}$). The $y$-axis is the amplitude. Four pictures on the top from left to right are: (1) Gaussian, where our sub-exponential algorithm applies; (2) Gaussian with imaginary linear phase, where our reductions apply when the phase (or the center of the DFT) is unknown; (3) Gaussian with imaginary quadratic phase, where our oblivious LWE sampler uses; (4) Gaussian where the phase changes in the middle, where the oblivious LWE sampler in debris2024quantum uses.
• Figure 2: The correspondence between Regev's reduction (from $\mathsf{DGS}$ to $\mathsf{LWE}$) and our reduction (from $\mathsf{|DGS\rangle}$ to $\mathsf{S|LWE\rangle}^{\sf phase}$).
• Figure 3: Illustration of two iterations of the reduction algorithm.

Theorems & Definitions (84)

• Definition 1: Learning with errors (LWE) DBLP:journals/jacm/Regev09
• Definition 2: Solve $|\mathsf{LWE}\rangle$, $\mathsf{S|LWE\rangle}$
• Definition 3: Construct $|\mathsf{LWE}\rangle$ states, $\mathsf{C|LWE\rangle}$
• Theorem 4: \ref{['thm:subexp_alg_gen']}, informal
• Theorem 5
• Theorem 6: Informal version of \ref{['coro:OSAMP']}
• Definition 7: $\mathsf{S|LWE\rangle}^{\sf phase}$
• Theorem 8: \ref{['thm:Regev_MainThm']}, informal
• Definition 9: Statistical distance
• Lemma 10: Poisson Summation Formula