An Improved Quantum Algorithm for 3-Tuple Lattice Sieving

Lynn Engelberts, Yanlin Chen, Amin Shiraz Gilani, Maya-Iggy van Hoof, Stacey Jeffery, Ronald de Wolf

TL;DR

This work advances quantum attacks on the Shortest Vector Problem by refining 3-tuple lattice sieving. It introduces a two-level amplitude amplification strategy supplemented by a preprocessing step that uses random product codes to focus searches within local neighborhoods, achieving a new quantum time exponent of 0.2846d for 3-tuple sieving while maintaining memory at 0.1887d. The approach leverages QCRAM-backed data structures and a sophisticated nested search (two-oracle style) to locate many 3-tuple solutions efficiently, yielding the fastest known SVP algorithm under a subexponential qubit regime. The results illuminate how combining preprocessing with amplitude amplification can push quantum sieving further, while still keeping memory demands moderate and memory-access overhead manageable. Overall, the paper tightens the gap between quantum speedups and practical memory constraints, contributing a notable improvement to post-quantum cryptanalytic capability under memory-limited settings.

Abstract

The assumed hardness of the Shortest Vector Problem in high-dimensional lattices is one of the cornerstones of post-quantum cryptography. The fastest known heuristic attacks on SVP are via so-called sieving methods. While these still take exponential time in the dimension $d$, they are significantly faster than non-heuristic approaches and their heuristic assumptions are verified by extensive experiments. $k$-Tuple sieving is an iterative method where each iteration takes as input a large number of lattice vectors of a certain norm, and produces an equal number of lattice vectors of slightly smaller norm, by taking sums and differences of $k$ of the input vectors. Iterating these "sieving steps" sufficiently many times produces a short lattice vector. The fastest attacks (both classical and quantum) are for $k=2$, but taking larger $k$ reduces the amount of memory required for the attack. In this paper we improve the quantum time complexity of 3-tuple sieving from $2^{0.3098 d}$ to $2^{0.2846 d}$, using a two-level amplitude amplification aided by a preprocessing step that associates the given lattice vectors with nearby "center points" to focus the search on the neighborhoods of these center points. Our algorithm uses $2^{0.1887d}$ classical bits and QCRAM bits, and $2^{o(d)}$ qubits. This is the fastest known quantum algorithm for SVP when total memory is limited to $2^{0.1887d}$.
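The sieving step described in the abstract, for $k=3$, as an added classical brute-force illustration (not code from the paper, and not its quantum algorithm). The toy lattice parameters `Q`, `A`, the reduction factor `gamma` and all function names are assumptions made for this example.

```python
import itertools
import random

# Constructed toy lattice (assumption, not from the paper): all v in Z^4 with
# v[0] = A[0]*v[1] + A[1]*v[2] + A[2]*v[3] (mod Q), generated by BASIS.
Q, A = 97, (31, 58, 12)
BASIS = [(Q, 0, 0, 0), (A[0], 1, 0, 0), (A[1], 0, 1, 0), (A[2], 0, 0, 1)]

def norm2(v):
    """Squared Euclidean norm."""
    return sum(c * c for c in v)

def in_lattice(v):
    """Membership test for the toy lattice via its defining congruence."""
    return (v[0] - sum(a * c for a, c in zip(A, v[1:]))) % Q == 0

def sample_vectors(count, rng, coeff_bound=3):
    """Constructed input list: random small integer combinations of BASIS."""
    out = set()
    while len(out) < count:
        coeffs = [rng.randint(-coeff_bound, coeff_bound) for _ in BASIS]
        v = tuple(sum(c * b[i] for c, b in zip(coeffs, BASIS)) for i in range(4))
        if any(v):
            out.add(v)
    return sorted(out)

def three_tuple_sieve_step(vectors, gamma=0.9):
    """Return up to len(vectors) nonzero x +/- y +/- z, shortest first, whose
    norm is at most gamma times the largest input norm."""
    bound = gamma * gamma * max(norm2(v) for v in vectors)
    found = set()
    for x, y, z in itertools.combinations(vectors, 3):
        for s, t in itertools.product((1, -1), repeat=2):
            w = tuple(a + s * b + t * c for a, b, c in zip(x, y, z))
            if any(w) and norm2(w) <= bound:
                found.add(max(w, tuple(-c for c in w)))  # store one of +w / -w
    return sorted(found, key=lambda w: (norm2(w), w))[:len(vectors)]

if __name__ == "__main__":
    current = sample_vectors(30, random.Random(1))
    for step in range(3):
        # step index, list size, largest squared norm in the current list
        print(step, len(current), max(norm2(v) for v in current))
        nxt = three_tuple_sieve_step(current)
        if len(nxt) < 3:
            break
        current = nxt
```

The exhaustive loop over all triples is the part the paper's nested amplitude amplification and center-point preprocessing are designed to speed up; the list itself is what drives the memory cost.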

Paper Structure

This paper contains 35 sections, 26 theorems, 68 equations, 3 figures, 1 table, 5 algorithms.

Key Result

Lemma 2.1

Let $X = \sum_{i=1}^m X_i$ be a sum of independent random variables $X_i \in \{0,1\}$ and define $\mu \coloneqq \mathbb{E}[X]$. Then

Figures (3)

  • Figure 1: Illustration of the two-oracle search setup, where the task is to search for elements in the search space $M_0$ that belong to a marked subset $M_2 \subseteq M_0$, given the ability to check membership in both $M_2$ and some subset $M_1$ satisfying $M_2 \subseteq M_1 \subseteq M_0$.
  • Figure 2: Structure of the algorithm 3List, which repeats the following. First, the Sampling phase produces a pair $(R,R')$ of random relations that are stored in a data structure during the Preprocessing phase. The algorithm then repeatedly calls SolutionSearch, which is instructed to find an element of ${\mathcal{T}}_{\mathrm{sol}}$ using a nested amplitude amplification (AA). Given a subroutine RCollisionSamp that creates a superposition over $R$-collisions $(\mathbf{x},\mathbf{y})\in L^2$, the first AA amplifies those that satisfy $\langle \mathbf{x}, \mathbf{y} \rangle \approx_{\epsilon}\cos(\theta)$. Next, TupleSamp extends them to triples $(\mathbf{x},\mathbf{y},\mathbf{z})$ such that $(\tfrac{\mathbf{x}-\mathbf{y}}{\lVert\mathbf{x}-\mathbf{y}\rVert}, \mathbf{z})$ forms an $R'$-collision (if such a $\mathbf{z}$ exists), and the final AA amplifies those triples that belong to ${\mathcal{T}}_{\mathrm{sol}}$.
  • Figure 3: Summary of the relations between vectors encountered during the Search phase. Part (a) visualizes the relations during the subroutine RCollisionSamp, which first creates a superposition over all $\mathbf{x}\in L$, followed by taking, for each such $\mathbf{x}$, a superposition over all $\mathbf{c}$ such that $(\mathbf{x},\mathbf{c}) \in R_L$, and then, for each such $\mathbf{c}$, over all $\mathbf{y}$ such that $(\mathbf{y},\mathbf{c}) \in R_L$. This results in a superposition over all $R_L$-collisions (that is, all $R$-collisions in $L^2$). Part (b) visualizes what happens after the first step of TupleSamp, which amplifies those $R_L$-collisions $(\mathbf{x},\mathbf{y})$ that satisfy $\langle \mathbf{x}, \mathbf{y} \rangle \approx_\epsilon \cos(\theta)$. Namely, the second step creates, for any such $(\mathbf{x},\mathbf{y})$, a superposition over $\mathbf{c}' \in C'$ satisfying $(\tfrac{\mathbf{x}-\mathbf{y}}{\lVert\mathbf{x}-\mathbf{y}\rVert}, \mathbf{c}') \in R'$, and, for each such $\mathbf{c}'$, the third step creates a superposition over all $\mathbf{z}$ such that $(\mathbf{z},\mathbf{c}') \in R_L'$, as visualized in the figure, and amplifies those $\mathbf{z}$ satisfying $\langle \tfrac{\mathbf{x}-\mathbf{y}}{\lVert\mathbf{x}-\mathbf{y}\rVert}, \mathbf{z} \rangle\approx_\epsilon\cos(\theta')$. As for most $(\mathbf{x},\mathbf{y})$ no such $\mathbf{z}$ exists, SolutionSearch applies amplitude amplification on top of TupleSamp to amplify exactly those $(\mathbf{x},\mathbf{y})$ where such a $\mathbf{z}$ does exist.

Theorems & Definitions (54)

  • Lemma 2.1: Chernoff bound [chernoff1952Bound, MU05probability]
  • Corollary 2.2: Simple application of the Chernoff bound
  • proof
  • Lemma 2.3: Fixed-point amplitude amplification (implicit in [gilyen2018QSingValTransf, yoder2014FixedPointSearch])
  • proof
  • Remark 1: Choice of $\delta$
  • Remark 2: Unstructured search as a special case
  • Lemma 2.4: Folklore
  • proof
  • Definition 2.5
  • ...and 44 more