Optimal Merging in Quantum k -xor and k -sum Algorithms Mara - - PowerPoint PPT Presentation

Optimal Merging in Quantum k-xor and k-sum Algorithms

María Naya-Plasencia, André Schrottenloher

Inria, France

Merging with many Solutions Quantum Merging With a Single Solution

Outline

1

Merging with many Solutions

2

Quantum Merging

3

With a Single Solution

María N.-P., André S. Quantum Merging Algorithms 2/28

Merging with many Solutions Quantum Merging With a Single Solution

Generalized Birthday Problem(s)

In this talk (⊕ can be replaced by +): Problem 1: “oracle” Given oracle access to a random n-bit to n-bit function H, find x1, . . . xk such that H(x1) ⊕ . . . ⊕ H(xk) = 0. Problem 2: “unique solution” Given oracle access to a random n/k-bit to n-bit function H, find the single k-tuple x1, . . . xk such that H(x1) ⊕ . . . ⊕ H(xk) = 0.

María N.-P., André S. Quantum Merging Algorithms 3/28

Merging with many Solutions Quantum Merging With a Single Solution

Applications

Subset-sum: given n integers a0, . . . an−1 on poly(n) bits, find a binary ¯ e such that ¯ a · ¯ e = 0 = ⇒ reduces to k-sum Parity check problem: given P(X) of degree n, find a low-weight multiple of P = ⇒ reduces to k-sum LPN: given samples a, a · s + e with n-bit uniform random a and Bernoulli noise e, find s = ⇒ reduces to k-sum Multiple-encryption: given a few plaintext-ciphertext pairs (x, Ek1 ◦ . . . ◦ Ekr (x)), find the independent keys k1, . . . kr = ⇒ similar algorithms applicable

María N.-P., André S. Quantum Merging Algorithms 4/28

Merging with many Solutions Quantum Merging With a Single Solution

Merging with many Solutions

María N.-P., André S. Quantum Merging Algorithms 5/28

Merging with many Solutions Quantum Merging With a Single Solution

Known classical complexities

To get a k-xor on n bits (with oracle access to H : {0, 1}n → {0, 1}n): The optimal query complexity is Θ(2n/k) The time complexity is O

• 2n/(1+⌊log2(k)⌋)

* Logarithmic improvements in time (but we focus on exponents)

* Wagner, “A Generalized Birthday Problem”, CRYPTO 02

María N.-P., André S. Quantum Merging Algorithms 6/28

Merging with many Solutions Quantum Merging With a Single Solution

Wagner’s algorithm in a single slide

Merging From two lists L1, L2 of outputs of H, compute the join L1 ⊲ ⊳u L2: the pairs x1, x2 ∈ L1 × L2 with x1 ⊕ x2|u = 0 (partial collision on u bits). All lists are presumed sorted, the time is: MAX (|L1 ⊲ ⊳u L2|, MIN (|L1|, |L2|)) Wagner’s algorithm is a sequence of pairwise joins The strategy (optimal u) depends on ⌊log2(k)⌋; we merge 2⌊log2(k)⌋ lists

Wagner, “A Generalized Birthday Problem”, CRYPTO 02

María N.-P., André S. Quantum Merging Algorithms 7/28

Merging with many Solutions Quantum Merging With a Single Solution

An example with k = 4

1

Query 2n/3 elements for each list L4 of size 2n/3 L3 of size 2n/3 L2 of size 2n/3 L1 of size 2n/3

María N.-P., André S. Quantum Merging Algorithms 8/28

Merging with many Solutions Quantum Merging With a Single Solution

An example with k = 4

1

Query 2n/3 elements for each list

2

Compute the joins L1 ⊲ ⊳n/3 L2 and L3 ⊲ ⊳n/3 L4 L3 ⊲ ⊳n/3 L4

• f size 2n/3

L4 of size 2n/3 L3 of size 2n/3 L1 ⊲ ⊳n/3 L2

• f size 2n/3

L2 of size 2n/3 L1 of size 2n/3

María N.-P., André S. Quantum Merging Algorithms 8/28

Merging with many Solutions Quantum Merging With a Single Solution

An example with k = 4

• 1. Query 4 lists of x, H(x): L1, L2, L3, L4 of size 2n/3
• 2. Compute the joins L1 ⊲

⊳n/3 L2 and L3 ⊲ ⊳n/3 L4 of size 2n/3

• 3. Compute the join (L1 ⊲

⊳n/3 L2) ⊲ ⊳2n/3 (L3 ⊲ ⊳n/3 L4) of size 1 Single 4-xor to 0

• n n bits

L3 ⊲ ⊳n/3 L4

• f size 2n/3

L4 of size 2n/3 L3 of size 2n/3 L1 ⊲ ⊳n/3 L2

• f size 2n/3

L2 of size 2n/3 L1 of size 2n/3

María N.-P., André S. Quantum Merging Algorithms 8/28

Merging with many Solutions Quantum Merging With a Single Solution

Known quantum complexities

To get a k-xor on n bits (with quantum oracle access to H): The optimal query complexity is Θ

• 2n/(k+1)

* For k = 2 (collisions), the time is O

• 2n/3

using O

• 2n/3

classical memory with quantum access (QACM) For any k, exponent αk =

1 2+⌊log2(k)⌋) using quantum memory with quantum

access (QAQM)

* Belovs and Spalek, “Adversary lower bound for the k-sum problem”, ACM 13 Brassard, Høyer, and Tapp, “Quantum Cryptanalysis of Hash and Claw-Free Functions”, LATIN Grassi, Naya-Plasencia, and S., “Quantum Algorithms for the k -xor Problem”, AC 18

María N.-P., André S. Quantum Merging Algorithms 9/28

Merging with many Solutions Quantum Merging With a Single Solution

Previous exponents (with QAQM)

5 10 15 20 0.1 0.2 0.3 0.4 0.5 k αk Classical time Quantum time [AC 18] time = O (2αkn)

María N.-P., André S. Quantum Merging Algorithms 10/28

Merging with many Solutions Quantum Merging With a Single Solution

Our results (with QACM)

5 10 15 20 0.1 0.2 0.3 0.4 0.5 k αk Classical [AC 18] New time = O (2αkn)

María N.-P., André S. Quantum Merging Algorithms 11/28

Merging with many Solutions Quantum Merging With a Single Solution

Quantum Merging

María N.-P., André S. Quantum Merging Algorithms 12/28

Merging with many Solutions Quantum Merging With a Single Solution

Classical search

Let X

• Search space,

size N

= G

• Good ones,

size T

∪ B

• Bad ones, size

N − T

Let Sample and Test be functions to sample x from X and test if x ∈ G, in time tSample and tTest. There exists a function SampleG that samples from G in time: N T

• tSample + tTest
• ⇒ we transform a sampling procedure for the “search space” into a sampling procedure

for the “solution space”.

María N.-P., André S. Quantum Merging Algorithms 13/28

Merging with many Solutions Quantum Merging With a Single Solution

Quantum search

X

• Search space,

size N

= G

• Good ones,

size T

∪ B

• Bad ones, size

N − T

Let QSample and QTest be quantum algorithms to sample X and test if x ∈ G, in time tSample and tTest. There exists an algorithm QSampleG that samples G in time:

• N

T

• tQSample + tQTest
• Grover, “A Fast Quantum Mechanical Algorithm for

Database Search”, STOC 96 Brassard et al., “Quantum amplitude amplification and estimation”, Contemp. Math. 02

María N.-P., André S. Quantum Merging Algorithms 14/28

Merging with many Solutions Quantum Merging With a Single Solution

Classical merging as a sampling procedure

List L = L1 ⊲ ⊳c L2 size |L| = |L1||L2|/2c prefix u + c List L2 u-bit prefix List L1 u-bit prefix Sampling from L We sample from list L1 We try to match against list L2 tSample(L) = max 2c |L2|, 1

• tSample(L1)

Computing the full “join” ⊲ ⊳ means sampling from L repeatedly.

María N.-P., André S. Quantum Merging Algorithms 15/28

Merging with many Solutions Quantum Merging With a Single Solution

Depth-first traversal of Wagner’s tree

We sample from L0 (the solution) once. L0 of size 1 L3 ⊲ ⊳n/3 L4

• f size 2n/3

L4 of size 2n/3 L3 of size 2n/3 L1 ⊲ ⊳n/3 L2

• f size 2n/3

L2 of size 2n/3 L1 of size 2n/3

María N.-P., André S. Quantum Merging Algorithms 16/28

Merging with many Solutions Quantum Merging With a Single Solution

Depth-first traversal of Wagner’s tree

We sample from L0 (the solution) once. = ⇒ we sample from L1 ⊲ ⊳ L2 2n/3 times. L0 of size 1 L3 ⊲ ⊳n/3 L4

• f size 2n/3

L4 of size 2n/3 L3 of size 2n/3 L1 ⊲ ⊳n/3 L2

• f size 2n/3

L2 of size 2n/3 L1 of size 2n/3

María N.-P., André S. Quantum Merging Algorithms 16/28

Merging with many Solutions Quantum Merging With a Single Solution

Depth-first traversal of Wagner’s tree

We sample from L0 (the solution). = ⇒ we sample from L1 ⊲ ⊳ L2 2n/3 times. = ⇒ we sample from L1 2n/3 times. L0 of size 1 L3 ⊲ ⊳n/3 L4

• f size 2n/3

L4 of size 2n/3 L3 of size 2n/3 L1 ⊲ ⊳n/3 L2

• f size 2n/3

L2 of size 2n/3 L1 of size 2n/3

María N.-P., André S. Quantum Merging Algorithms 16/28

Merging with many Solutions Quantum Merging With a Single Solution

Quantum merging

List L = L1 ⊲ ⊳c L2 size |L| = |L1||L2|/2c prefix u + c List L2 u-bit prefix List L1 u-bit prefix Sampling from L We sample from list L1 We try to match against list L2 We have a square-root speedup tQSample(L) =

• max

2c |L2|, 1

• tQSample(L1)

María N.-P., André S. Quantum Merging Algorithms 17/28

Merging with many Solutions Quantum Merging With a Single Solution

4-xor example

“The time of the red branch is reduced to a square-root.” (Quantum) sampling from L1: time 1 Sampling from L1 ⊲ ⊳n/3 L2: time 1 again Sampling from L0: 2n/6 instead of 2n/3 L0 of size 1 L3 ⊲ ⊳n/3 L4

• f size 2n/3

L4 of size 2n/3 L3 of size 2n/3 L1 ⊲ ⊳n/3 L2

• f size 2n/3

L2 of size 2n/3 L1 of size 2n/3

María N.-P., André S. Quantum Merging Algorithms 18/28

Merging with many Solutions Quantum Merging With a Single Solution

We have to re-optimize the tree

The “intermediate” L3 ⊲ ⊳n/4 L4 and L2 are produced classically Sampling L0 costs time 2n/4 with Grover’s algorithm

L0 of size 1

L3 ⊲ ⊳n/4 L4

• f size 2n/4

L4 of size 2n/4 L3 of size 2n/4

L1 ⊲ ⊳n/4 L2

• f size 2n/2

L2 of size 2n/4

L1 of size 2n/2

María N.-P., André S. Quantum Merging Algorithms 19/28

Merging with many Solutions Quantum Merging With a Single Solution

General strategy

There are several possible decompositions of the problem into subproblems (“merging trees”) Each new list is sampled using quantum searches Optimizing the exponents is a linear problem: we implemented a MILP-based search for the best merging strategies Theorem (with QACM) If k ≥ 2 and κ = ⌊log2(k)⌋, the best merging-tree quantum time exponent is αk = 2κ (1 + κ)2κ + k .

María N.-P., André S. Quantum Merging Algorithms 20/28

Merging with many Solutions Quantum Merging With a Single Solution

Merging with a Single Solution

María N.-P., André S. Quantum Merging Algorithms 21/28

Merging with many Solutions Quantum Merging With a Single Solution

Merging 4 lists with a single solution

All merges become trivial: this is a simple collision search in time O

• 2n/2

and memory

• O
• 2n/2

. Merging is not enough! Single result L3 ⊲ ⊳0 L4

• f size 2n/2

L4 of size 2n/4 L3 of size 2n/4 L1 ⊲ ⊳0 L2

• f size 2n/2

L2 of size 2n/4 L1 of size 2n/4

María N.-P., André S. Quantum Merging Algorithms 22/28

Merging with many Solutions Quantum Merging With a Single Solution

Classical “extended” merging

We merge on an arbitrary prefix s (not 0), and we repeat the computation for all values

• f s.

Subsumes Schroeppel and Shamir’s 4-list algorithm and the Dissection technique Classically, this saves memory Quantumly, this reduces also the time complexity

Schroeppel and Shamir, “A T = O(2n/2), S = O(2n/4) Algorithm for Certain NP-Complete Problems”, SIAM 81 Dinur et al., “Efficient Dissection of Composite Problems, with Applications to Cryptanalysis, Knapsacks, and Combinatorial Search Problems”, CRYPTO 12

María N.-P., André S. Quantum Merging Algorithms 23/28

Merging with many Solutions Quantum Merging With a Single Solution

Schroeppel and Shamir’s 4-list method

Loop over a chosen prefix s of n/4 bits. Time: O

• 2n/2

and memory: O

• 2n/4

. List “of size 2−n/4” L3 ⊲ ⊳n/4,s L4

• f size 2n/4

L4 of size 2n/4 L3 of size 2n/4 L1 ⊲ ⊳n/4,s L2

• f size 2n/4

L2 of size 2n/4 L1 of size 2n/4

María N.-P., André S. Quantum Merging Algorithms 24/28

Merging with many Solutions Quantum Merging With a Single Solution

From classical to quantum

We loop over s (n/4 bits) and 1 ≤ i ≤ 2n/8, where i defines a choice of sublist: L3 =

1≤i≤2n/8 Li 3.

List “of size 2−3n/8” Li

3 ⊲

⊳n/4,s L4

• f size 2n/8

L4 of size 2n/4 Li

3 of size

2n/8 Find y ∈ L2 such that x ⊕ y = s|∗ L2 of size 2n/4 Grover search x ∈ L1

María N.-P., André S. Quantum Merging Algorithms 25/28

Merging with many Solutions Quantum Merging With a Single Solution

Time complexity of this example

2(3n/8)/2

• Grover:

choice of L′

3 and of s

• 2n/8
• Compute

L′

3 ⊲

⊳n/4,s L4

+ 2(n/4)/2

• Grover: search

in L1 for a match

• = 25n/16 = 20.3125n < 2n/3

The best is k = 5 (or a multiple): 2(n/5)/2

• Grover:

choice of s

• 2n/5
• Compute

L4 ⊲ ⊳n/5,s L5

+ 2(2n/5)/2

• Grover: search

in L1 × L2 for a match

• = 23n/10 = 20.3n < 2n/3

María N.-P., André S. Quantum Merging Algorithms 26/28

Merging with many Solutions Quantum Merging With a Single Solution

General comparison

4 6 8 10 12 14 16 0.25 0.3 0.35 0.4 k Complexity exponent Ambainis (SIAM 07)

• r BJLM (PQCrypto 13)

This paper: 1

k k+⌈k/5⌉ 4

Ambainis, “Quantum Walk Algorithm for Element Distinctness”, SIAM 07 Bernstein et al., “Quantum Algorithms for the Subset-Sum Problem”, PQCrypto 13

María N.-P., André S. Quantum Merging Algorithms 27/28

Merging with many Solutions Quantum Merging With a Single Solution

Conclusion

Parity-check Problem: Improved k-list and approximate k-list algorithms for any target weight (many or few solutions) k-encryption: Better time complexity for k ≥ 3, time O

• 20.3n

for 5-encryption Subset-sum: Best quantum time-memory product for dense knapsacks: O

• 25n/12

by cutting into 12 lists (prev. 0.452 > 0.412) LPN: Building block in the c-sum-BKW algorithm of Esser et al. (CRYPTO 18); ex. N3

c time for an 8-sum with Nc memory instead of N4 c

Full version: ePrint report 2019/501 (some code available to compute the best strategies)

María N.-P., André S. Quantum Merging Algorithms 28/28

Thank you!

María N.-P., André S. Quantum Merging Algorithms

María N.-P., André S. Quantum Merging Algorithms