On the Shortness of Vectors to Be Found by the Ideal-SVP Quantum Algorithm

Abstract

The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the analog problem for general lattices (SVP), even when considering quantum algorithms.

But in the last few years, a series of works has lead to a quantum algorithm for Ideal-SVP that outperforms what can be done for general SVP in certain regimes. More precisely, it was demonstrated (under certain hypotheses) that one can find in quantum polynomial time a vector longer by a factor at most \(\alpha = \exp ({\widetilde{O}(n^{1/2})})\) than the shortest non-zero vector in a cyclotomic ideal lattice, where n is the dimension.

In this work, we explore the constants hidden behind this asymptotic claim. While these algorithms have quantum steps, the steps that impact the approximation factor \(\alpha \) are entirely classical, which allows us to estimate it experimentally using only classical computing. Moreover, we design heuristic improvements for those steps that significantly decrease the hidden factors in practice. Finally, we derive new provable effective lower bounds based on volumetric arguments.

This study allows to predict the crossover point with classical lattice reduction algorithms, and thereby determine the relevance of this quantum algorithm in any cryptanalytic context. For example we predict that this quantum algorithm provides shorter vectors than BKZ-300 (roughly the weakest security level of NIST lattice-based candidates) for cyclotomic rings of rank larger than about 24000.

L. Ducas—Supported by a Veni Innovational Research Grant from NWO under project number 639.021.645 and by the European Union Horizon 2020 Research and Innovation Program Grant 780701.

M. Plançon—Part of this work was realized during an internship at the Cryptology Group, CWI, Amsterdam.

B. Wesolowski—Supported by the ERC Advanced Investigator Grant 740972 (ALGSTRONGCRYPTO).

Appendices

A The Power of 2 Case

In this section we compare the power of 2 case to the prime case. The experimental behavior and lower bounds for step 2 and step 4 are given in Fig. 6. We see that the asymptotic lower bounds for the power of 2 case is similar to the prime case, yet for both step 2 and 4, the experimental behavior is slightly worse for the power of 2 case.

Fig. 6.

Comparison of the prime conductors and power of 2 conductor.

We also need to account for the inverse root discriminant, which is also a factor in final Hermite factor \(\eta \) given by Formula (5). A quick calculation shows that this factor is a similar function of the rank n in both cases. Indeed, when m is prime, the inverse root discriminant \(|\varDelta _K|^{-1/2n}\) appearing in the formula for the root Hermite factor (5) is given by

$$\begin{aligned} |\varDelta _K|^{-1/2n} = m^{-(n-1)/2n} \sim 1/\sqrt{m} \sim 1/\sqrt{n}. \end{aligned}$$

On the other hand for \(m=2^k\) we have

$$\begin{aligned} |\varDelta _K|^{-1/2n} = 2^{- n(k - 1) / 2n} = 2^{(1-k)/2} = \sqrt{2/m} = 1/\sqrt{n}. \end{aligned}$$

In conclusion, we expect that the quantum algorithm for Ideal-SVP at hand provides vectors slightly longer for power of 2 conductors than for prime conductors.

B Estimation of the Regulator

In this appendix we prove Theorem 3, which states that for any prime power \(m = p^k\), we have \(({{\,\mathrm{Vol}\,}}(\varLambda )/h^+)^{\frac{1}{n/2-1}} \sim \sqrt{m}/2\). First, we recall that the volume of the log-unit lattice is related to the so-called regulator R of K by the formula⁶

$${{\,\mathrm{Vol}\,}}(\varLambda ) = \frac{R\sqrt{n/2}}{2^{n/2-1}}.$$

Therefore \({{\,\mathrm{Vol}\,}}(\varLambda )^{\frac{1}{n/2-1}} \sim R^{\frac{1}{n/2-1}}/2\), and it remains to estimate \(Rh^+\). Let \(\varDelta _{K^+}\) denote the discriminant of \(K^+\), the maximal real subfield of K. We have that \(|\varDelta _{K^+}| = |\varDelta _{K}/p|^{1/2}\) when m is a power of \(p \ne 2\) (for \(p = 2\), the following results should adjust for the fact that \(|\varDelta _{K^+}| = |\varDelta _{K}/4|^{1/2}\)). From [Was12, p. 42], we get

$$Rh^+ = |\varDelta _K/p|^{1/4} \prod _{\chi \ne 1 \text { even}} L(1,\chi ),$$

where the product is over all non-trivial even Dirichlet characters modulo m. We have

Since

$$\sum _{\chi }\chi (a) = {\left\{ \begin{array}{ll}n/2 - 1 &{} \text { if } a \equiv \pm 1 \mod m,\\ -1 &{} \text {otherwise,}\end{array}\right. }$$

we deduce that

Let us first deal with the terms where \(i = 1\). From [Pom77], for any a such that \((a,m) = 1\), we have

$$\sum _{\begin{array}{c} q \le x\\ q \equiv a \mod m \end{array}} \frac{1}{q} = \frac{\log \log (x)}{n} + \frac{1}{P(m,a)} + O\left( \frac{\log (m)}{n}\right) ,$$

where P(m, a) is the first prime q such that \(q \equiv a\! \mod m\). We get

For the terms where \(i \ge 2\), we have from [AC49] that

$$\sum _{i \ge 2}\sum _{\begin{array}{c} q^i \le x\\ q^i \equiv \pm 1 \mod m \end{array}} \frac{1}{iq^i} = O(1/m).$$

The proof in [AC49] is given for m prime, but is easily adapted to powers of primes. We deduce that

$$\log \left( \prod _{\chi \ne 1 \text { even}} L(1,\chi ) \right) = O(\log (m)). $$

We get the estimate

$$\left( Rh^+\right) ^{\frac{1}{n/2-1}} = p^{\frac{p^{k-1}(pk - k - 1) - 1}{2(n-2)}} e^{O\left( \frac{\log (m)}{n}\right) } = m^{\frac{1}{2} + o(1)},$$

from which we conclude that \(({{\,\mathrm{Vol}\,}}(\varLambda )/h^+)^{\frac{1}{n/2-1}} \sim \sqrt{m}/2\).