On the practicality of quantum sieving algorithms for the shortest vector problem

Joao F. Doriguello, George Giapitzakis, Alessandro Luongo, Aditya Morolia

TL;DR

The paper provides a thorough, resource-conscious assessment of quantum speedups for SVP-based lattice attacks by integrating Grover's search with classical lattice sieving algorithms under realistic fault-tolerant constraints. It develops detailed models for fixed-point quantum arithmetic, QRAM costs, two architectural paradigms, and magic-state distillation, and applies them to Nguyen–Vidick and GaussSieve variants with LSH/LSF. At $D \approx 400$, the results indicate that even optimistic hardware yields about $10^{13}$ physical qubits and roughly $10^{31}$ years to solve SVP, with a single-core classical machine at 6 GHz performing similarly, implying only modest quantum speedups at cryptographic dimensions. The findings suggest that substantial breakthroughs in quantum protocols, QRAM, or hardware would be required before quantum sieving offers practical advantages for standard-sized CVP/SVP instances. The work thus tempers expectations for near-term quantum cryptanalysis of lattice-based schemes and highlights QRAM and error correction as critical bottlenecks for any substantial speedup.

Abstract

One of the main candidates of post-quantum cryptography is lattice-based cryptography. Its cryptographic security against quantum attackers is based on the worst-case hardness of lattice problems like the shortest vector problem (SVP), which asks to find the shortest non-zero vector in an integer lattice. Asymptotic quantum speedups for solving SVP are known and rely on Grover's search. However, to assess the security of lattice-based cryptography against these Grover-like quantum speedups, it is necessary to carry out a precise resource estimation beyond asymptotic scalings. In this work, we perform a careful analysis of the resources required to implement several sieving algorithms aided by Grover's search for dimensions of cryptographic interest. To this end, we take into account fixed-point quantum arithmetic operations, non-asymptotic Grover's search, the cost of using quantum random access memory (QRAM), different physical architectures, and quantum error correction. We find that even under very optimistic assumptions like circuit-level noise of $10^{-5}$, code cycles of 100 ns, reaction time of 1 $\mu$s, and using state-of-the-art arithmetic circuits and quantum error-correction protocols, the best sieving algorithms require $\approx 10^{13}$ physical qubits and $\approx 10^{31}$ years to solve SVP on a lattice of dimension 400, which is roughly the dimension for minimally secure post-quantum cryptographic standards currently being proposed by NIST. We estimate that a 6-GHz-clock-rate single-core classical computer would take roughly the same amount of time to solve the same problem. We conclude that there is currently little to no quantum speedup in the dimensions of cryptographic interest and the possibility of realising a considerable quantum speedup using quantum sieving algorithms would require significant breakthroughs in theoretical protocols and hardware development.

Paper Structure

This paper contains 60 sections, 1 theorem, 53 equations, 12 figures, 5 tables, 4 algorithms.

Key Result

Lemma 9

One bucket-brigade $\mathsf{QRAM}$ call of size $2^n$ and precision $\kappa$ requires (already including its uncomputation) $2^n - 2$ $\mathsf{Toffoli}$ gates, $2^{n+1} - n - 1$ dirty ancillae (plus $n+\kappa$ input/output qubits), and has $\mathsf{Toffoli}$-width of $2^{n-1}$, reaction depth of $2(n

Figures (12)

  • Figure 1: Number of physical qubits and execution time of all Grover's searches in $\mathtt{GaussSieve}$ with LSH/LSF as a function of the lattice dimension $D$. We assume an underlying active-volume physical architecture. The execution time is the sum of the time spent searching for pairs of reducing vectors (either quantumly or classically) and the classical time spent hashing.
  • Figure 2: Gidney's out-of-place quantum adder (modulo $2^\kappa$) that adds two $\kappa$-bit numbers $a$ and $b$ stored in quantum registers.
  • Figure 3: Circuit for Grover's search algorithm (top) and the Grover oracle $\mathsf{G}$ (bottom).
  • Figure 4: The bucket-brigade $\mathsf{QRAM}$ circuit from Arunachalam et al. [arunachalam2015robustness]. In every layer, before the parallel layer of $\mathsf{Toffoli}$ gates, a log-depth linear-size gadget copies the index register so the $\mathsf{Toffoli}$ gates can be executed in parallel.
  • Figure 5: Number of physical qubits of all Grover's searches in $\mathtt{NVSieve}$ and $\mathtt{GaussSieve}$ with and without LSH/LSF as a function of the lattice dimension $D$. We assume an underlying active-volume physical architecture. The quantities are computed based on heuristic assumptions described in the main text.
  • ...and 7 more figures

Theorems & Definitions (4)

  • Definition 8: Quantum random access memory ($\mathsf{QRAM}$)
  • Lemma 9: Bucket-brigade $\mathsf{QRAM}$
  • proof
  • Definition 10: Shortest vector problem