Does quantum lattice sieving require quantum RAM?

Beomgeun Cho, Minki Hhan, Taehyun Kim, Jeonghoon Lee, Yixin Shen

TL;DR

The paper obtains a lower bound on the cost of quantum lattice sieving with a bounded-size QRAM and a new interpolation between classical and quantum lattice sieving. It also gives a circuit that is, to the authors' knowledge, the first quantum speedup for lattice sieving without QRAM in the standard quantum circuit model.

Abstract

In this paper, we study the requirement for quantum random access memory (QRAM) in quantum lattice sieving, a fundamental algorithm for lattice-based cryptanalysis. First, we obtain a lower bound on the cost of quantum lattice sieving with a bounded size QRAM. We do so in a new query model encompassing a wide range of lattice sieving algorithms similar to those in the classical sieving lower bound by Kirshanova and Laarhoven [CRYPTO 21]. This implies that, under reasonable assumptions, quantum speedups in lattice sieving require the use of QRAM. In particular, no quantum speedup is possible without QRAM. Second, we investigate the trade-off between the size of QRAM and the quantum speedup. We obtain a new interpolation between classical and quantum lattice sieving. Moreover, we show that further improvements require a novel way to use the QRAM by proving the optimality of some subroutines. An important caveat is that this trade-off requires a strong assumption on the efficient replacement of QRAM data, indicating that even speedups with a small QRAM are already challenging. Finally, we provide a circuit for quantum lattice sieving without using QRAM. Our circuit has a better depth complexity than the best classical algorithms but requires an exponential amount of qubits. To the best of our knowledge, this is the first quantum speedup for lattice sieving without QRAM in the standard quantum circuit model. We explain why this circuit does not contradict our lower bound, which considers the query complexity.

Paper Structure

This paper contains 48 sections, 22 theorems, 66 equations, 4 figures, 2 algorithms.

Key Result

theorem 1

Let $P$ be a projector acting on the span of $X$. Let $Init$ be a quantum algorithm that generates $\ket{\phi}=\alpha\ket{\phi_P}+\beta\ket{\phi_P^\bot}$, where $\ket{\phi_P} \in Im(P)$ and $\ket{\phi_P^\bot}\in Ker(P)$. Let $\theta\in[0,\pi/2]$ be such that $\sin \theta = |\alpha|$. Let $N=\lfloor

Figures (4)

  • Figure 1: Comparison between BKZ using quantum enumeration with full quadratic speedup, and BKZ using our lower bound on quantum sieving with no QRAM. We also include the best quantum algorithm with no constraints on the QRAM.
  • Figure 2: Trade-off relations given in \ref{thm: laa_lsf_tradeoff_wrt_query_result}, \ref{thm: laa_lsf_tradeoff_wrt_filter_result} and \ref{thm: heiser_lsf_tradeoff_result}. The top-left point represents the result of classical LSF [BDGL16]. The bottom-right point of each line represents the result of quantum LSF with no constraint on the QRAM size. In particular, we recover the results of \ref{thm: laa_lsf_terminal_result} [Laa16, CL21] (blue and red), and obtain a new trade-off from \ref{thm: heiser_lsf_terminal_result} [Heiser21] (green).
  • Figure 3: Circuit diagram that outputs the vector in $B_i$ closest to the input vector ${\vec{w}}$. Every vector in $B_i$ is hardcoded in the circuit, and serially compared to ${\vec{w}}$. See \ref{lem:cloest_vector_list}.
  • Figure 4: Complexity of the sieve algorithm with no QRACM as a function of the number of qubits. The red line corresponds to the best classical complexity.

Theorems & Definitions (42)

  • theorem 1: Quantum amplitude amplification [BHMT02]
  • theorem 2: Quantum Minimum Finding Algorithm [DH96]
  • lemma 1
  • proof : Proof (sketch)
  • lemma 2
  • proof : Proof (sketch)
  • theorem 3
  • lemma 3
  • theorem 4: [BDGL16]
  • proof : Proof (sketch)
  • ...and 32 more