Quantum LLL with an Application to Mersenne Number Cryptosystems - - PowerPoint PPT Presentation

Quantum LLL

with an Application to Mersenne Number Cryptosystems

Marcel Tiepelt1 Alan Szepieniec2

1Karlsruhe Institute of Technology 2Nervos Foundation

Latincrypt 2019 Santiago de Chile, Oct. 2-4

KIT – The Research University in the Helmholtz Association

www.kit.edu

Overview

Quantum circuit representation of LLL

for (textbook) rational numbers for floating-point approximation

Resource estimates of (sub)circuits, in Toffoli-gates Focus on qubits count

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 2/18

Why quantum translation of LLL?

Consider LLL as a subroutine, e.g., SVP oracle in cryptanalysis Assume 256 bits of classical security, for O(2256) expected number of oracle calls

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 3/18

Why quantum translation of LLL?

Consider LLL as a subroutine, e.g., SVP oracle in cryptanalysis Assume 256 bits of classical security, for O(2256) expected number of oracle calls Quantumly: 128 bits of security, Groverization promises improvement to O(2128)

→ Requires efficient translation of LLL into quantum setting!

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 3/18

Why quantum translation of LLL?

Consider LLL as a subroutine, e.g., SVP oracle in cryptanalysis Assume 256 bits of classical security, for O(2256) expected number of oracle calls Quantumly: 128 bits of security, Groverization promises improvement to O(2128)

→ Requires efficient translation of LLL into quantum setting!

But: translation of (text-book) LLL results in large overhead w.r.t. the number of qubits!

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 3/18

Why quantum translation of LLL?

Consider LLL as a subroutine, e.g., SVP oracle in cryptanalysis Assume 256 bits of classical security, for O(2256) expected number of oracle calls Quantumly: 128 bits of security, Groverization promises improvement to O(2128)

→ Requires efficient translation of LLL into quantum setting!

But: translation of (text-book) LLL results in large overhead w.r.t. the number of qubits! Does Grover with a QLLL give us the desired improvement?

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 3/18

(Classical) LLL

1: Input: Basis B = (b1, b2, ..., br) 2: Output: Reduced Basis ˆ

B

3: B∗, M ← GSO(B) 4: k ← 2 5: while k ≤ r do 6:

Size-reduce(bk, bk−1)

7:

if Lov´ asz condition holds on bk, bk−1 then

8:

Size-reduce(bk, {bj}0≤j≤k−1), update M

9:

k++

10:

else

11:

swap bk, bk−1, update M

12:

k := max(2, k − 1)

13:

end if

14: end while

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 4/18

Variants

Rational M: Lenstra, Lenstra, and Lov´ asz [2] Floating-point approximation M: Schnorr [4] “Best” variant: L2 Nguyen and Stehl´ e [3] (many more)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 5/18

Quantum LLL Setup

Registers |B Basis representing a superposition of integer lattices |M(i) transformation M in iteration i s.t.: B = MB∗ |K, |cntl counters, controls

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 6/18

Quantum LLL Setup

Registers |B Basis representing a superposition of integer lattices |M(i) transformation M in iteration i s.t.: B = MB∗ |K, |cntl counters, controls Operations Arithmetic in Q or R, vector operations in Z misc compare, round, max(x, y), ...

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 6/18

Quantum LLL Setup

Registers |B Basis representing a superposition of integer lattices |M(i) transformation M in iteration i s.t.: B = MB∗ |K, |cntl counters, controls Operations Arithmetic in Q or R, vector operations in Z misc compare, round, max(x, y), ... Notations function f (X) uncompute (run circuit backwards) (f (X))−1

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 6/18

Quantum LLL

|L |B |M |Lov |K |ctl1 |ctl2 |J

QGSO 0 ≤ |K ≤ r

size-reduce: |bK , |bK−1

Lov´ asz 0 ≥ |J ≤ |K − 2 branch: size-reduce (0 ≥ |J ≤ |K − 2)−1 +1 0 ≥ |J ≤ |K − 2 branch: swap (0 ≥ |J ≤ |K − 2)−1 max(2, |K − 1)

|L |B |M |Lov |K |ctl1 |ctl2 |J bound(K) cycles rank(L) cycles rank(L) cycles

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 7/18

Quantum LLL

|L |B |M |Lov |K |ctl1 |ctl2 |J

QGSO 0 ≤ |K ≤ r

size-reduce: |bK , |bK−1

Lov´ asz 0 ≥ |J ≤ |K − 2 branch: size-reduce (0 ≥ |J ≤ |K − 2)−1 +1 0 ≥ |J ≤ |K − 2 branch: swap (0 ≥ |J ≤ |K − 2)−1 max(2, |K − 1)

|L |B |M |Lov |K |ctl1 |ctl2 |J bound(K) cycles rank(L) cycles rank(L) cycles

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 8/18

Pitfall I: unbounded loops

Classical Apply operation until loop terminates

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 9/18

Pitfall I: unbounded loops

Quantum Apply as often as necessary, but not too often Classical Apply operation until loop terminates

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 9/18

Pitfall I: unbounded loops

Quantum Apply as often as necessary, but not too often Classical Apply operation until loop terminates Loop k := 2; while(k ≤ r);

|K |cntl1 |cntl2 |ψ |K ≥ 2 |K ≤ r

Apply Task

(|K ≤ r)−1

(|K ≥ 2)−1

±1 |K |cntl1 |cntl2 |ψ bound(K) cycles

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 9/18

Pitfall I: unbounded loops

Quantum Apply as often as necessary, but not too often Classical Apply operation until loop terminates Loop k := 2; while(k ≤ r);

|K |cntl1 |cntl2 |ψ |K ≥ 2 |K ≤ r

Apply Task

(|K ≤ r)−1

(|K ≥ 2)−1

±1 |K |cntl1 |cntl2 |ψ bound(K) cycles

Quantum: worst-case running time for all (unbounded) loops

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 9/18

Pitfall Part II: size-reduction cleanup

Size reduction: bi

reduce by bj

− − − − − − − → ˆ bi Update M s.t. ˆ B = M ˆ B∗ Classical

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 10/18

Pitfall Part II: size-reduction cleanup

Size reduction: bi

reduce by bj

− − − − − − − → ˆ bi Update M s.t. ˆ B = M ˆ B∗ Classical ⌈mij⌋ ← round(mij) ˆ bi ← bi − ⌈mij⌋bj ˆ mij ← mij − ⌈mij⌋ free(⌈mij⌋), free(bi), free(mij)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 10/18

Pitfall Part II: size-reduction cleanup

Size reduction: bi

reduce by bj

− − − − − − − → ˆ bi Update M s.t. ˆ B = M ˆ B∗ Classical ⌈mij⌋ ← round(mij) ˆ bi ← bi − ⌈mij⌋bj ˆ mij ← mij − ⌈mij⌋ free(⌈mij⌋), free(bi), free(mij) mij, bi can not be recomputed from ˆ mij, ˆ bij ⇒ information about larger basis is lost

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 10/18

Pitfall Part II: size-reduction cleanup

Quantum

mij − ⌈·⌋ ⌈mij⌋ ˆ mij

|mij, |bi can not be recomputed from | ˆ mij, | ˆ bij ⇒ |bi, |mij or |⌈mij⌋ need to be preserved for reversibility

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 11/18

Pitfall Part II: size-reduction cleanup

Quantum

mij − ⌈·⌋ ⌈mij⌋ ˆ mij

|mij, |bi can not be recomputed from | ˆ mij, | ˆ bij ⇒ |bi, |mij or |⌈mij⌋ need to be preserved for reversibility Quantum: need fresh memory in every size-reduction (similar issues arises from divisions/ preserving the remainder for fp-numbers)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 11/18

Impact?

|M(0)|0...|0 |M(0)|M(1)|0...|0 size-reduce

Size reduction is conditionally applied to all vectors of |M(i) Reversible size-reduction: |M(i)|B|0 ⇒ |M(i)|B|M(i+1)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 12/18

Impact?

|M(0)|0...|0 |M(0)|M(1)|0...|0 size-reduce |M(0)|M(1)|M(2)|0...|0 size-reduce ... size-reduce |M(0)|M(1)...|M(bound(K)) size-reduce

Size reduction is conditionally applied to all vectors of |M(i) Reversible size-reduction: |M(i)|B|0 ⇒ |M(i)|B|M(i+1)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 12/18

Impact?

|M(0)|0...|0 |M(0)|M(1)|0...|0 size-reduce |M(0)|M(1)|M(2)|0...|0 size-reduce ... size-reduce |M(0)|M(1)...|M(bound(K)) size-reduce

Size reduction is conditionally applied to all vectors of |M(i) Reversible size-reduction: |M(i)|B|0 ⇒ |M(i)|B|M(i+1) How many qubits does this require?

sizeOf(M) qubits for each reduction bound(K) many iterations → bound(K) × sizeOf(M)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 12/18

Impact?

|M(0)|0...|0 |M(0)|M(1)|0...|0 size-reduce |M(0)|M(1)|M(2)|0...|0 size-reduce ... size-reduce |M(0)|M(1)...|M(bound(K)) size-reduce

Size reduction is conditionally applied to all vectors of |M(i) Reversible size-reduction: |M(i)|B|0 ⇒ |M(i)|B|M(i+1) How many qubits does this require?

sizeOf(M) qubits for each reduction bound(K) many iterations → bound(K) × sizeOf(M)

Bad if bound(K) is large

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 12/18

Can we do better?

|M(0)|0...|0 |M(0)|M(1)|0...|0 ... |M(0)|M(1)...|M(j−2)|M(j−1)|0 |M(0)|M(1)...|M(j−2)|M(j−1)|M(j) size-reduce size-reduce

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 13/18

Can we do better?

|M(0)|0...|0 |M(0)|M(1)|0...|0 ... |M(0)|M(1)...|M(j−2)|M(j−1)|0 |M(0)|M(1)...|M(j−2)|M(j−1)|M(j) size-reduce size-reduce |M(0)|M(1)...|M(j−2)|0|M(j) (size-reduce)−1 |M(0)|M(1)|0...|0|M(j) ... |M(0)|0...|0|M(j) (size-reduce)−1 (size-reduce)−1

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 13/18

Can we do better?

|M(0)|0...|0 |M(0)|M(1)|0...|0 ... |M(0)|M(1)...|M(j−2)|M(j−1)|0 |M(0)|M(1)...|M(j−2)|M(j−1)|M(j) size-reduce size-reduce |M(0)|M(1)...|M(j−2)|0|M(j) (size-reduce)−1 |M(0)|M(1)|0...|0|M(j) ... |M(0)|0...|0|M(j) (size-reduce)−1 (size-reduce)−1

→ Requires at most: j×sizeOf(M) qubits

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 13/18

Impact?

|M(0)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 14/18

Impact?

|M(0) → |M(0)|M(j)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 14/18

Impact?

|M(0) → |M(0)|M(j) → ... → |M(0)|M(j)...|M(bound(K)) (Optimal for j =

• bound(K))

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 14/18

Impact?

|M(0) → |M(0)|M(j) → ... → |M(0)|M(j)...|M(bound(K)) (Optimal for j =

• bound(K))

Trade-off: (Maximal) number of qubits:

• bound(K)×sizeOf(M)

For # additional iterations: bound(K)

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 14/18

Resource Estimate

Given basis B := (b1, b2, ..., br), bi ∈ Zd (qu)bit-length n in bi bound(K) := r 2 log ˆ B, ˆ B := bounds norm of initial basis

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 15/18

Resource Estimate

Given basis B := (b1, b2, ..., br), bi ∈ Zd (qu)bit-length n in bi bound(K) := r 2 log ˆ B, ˆ B := bounds norm of initial basis #Toffoli #Qubits QLLL O

• 2 log ˆ

B(r 3d + r 4)

• n2

log n + 2n

• max(d, r) · n

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 15/18

Resource Estimate

Given basis B := (b1, b2, ..., br), bi ∈ Zd (qu)bit-length n in bi bound(K) := r 2 log ˆ B, ˆ B := bounds norm of initial basis #Toffoli #Qubits QLLL O

• 2 log ˆ

B(r 3d + r 4)

• n2

log n + 2n

• max(d, r) · n

#QubitsM text-book O

• r 3d log ˆ

B(log ˆ B)

1 2

• Schnorr

O

• r 2d log ˆ

B(log ˆ B)

1 2

• L2

O

• r(log ˆ

B)

1 2 (1.6d + o(d))

• Marcel Tiepelt, Alan Szepieniec – Quantum LLL

15/18

Application: Groverization of Attack

• n Mersenne number cryptosystems

Problem Given a, b

$

← − Zp with low Hamming weight , G

$

← − Zp Given pk := aG + b = H mod p, Find a, b

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 16/18

Application: Groverization of Attack

• n Mersenne number cryptosystems

Problem Given a, b

$

← − Zp with low Hamming weight , G

$

← − Zp Given pk := aG + b = H mod p, Find a, b (Best) approach due to Beunardeau et al. [1] applies lattice reduction after partitioning sparse a, b, such that each partition represents small number

msb lsb

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 16/18

Resource Estimate of Grover Oracle

Instantiation for 256-bits of security with n = 756839 the QLLL

• racle requires:

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 17/18

Resource Estimate of Grover Oracle

Instantiation for 256-bits of security with n = 756839 the QLLL

• racle requires:

#Toffoli #Qubits text-book ≈ 285 ≈ 252 Schnorr ≈ 265 ≈ 244 L2 ≈ 255 ≈ 233

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 17/18

Conclusions

Quantum vs. Apply size-reduction and swap conditionally Average is worst-case, domain knowledge gives significant improvements! Split LLL reduction to improve qubit overhead O

• r 3d log ˆ

B(log ˆ B)

1 2

• Classical

Apply either size-reduction

• r swap

Bad worst-case, good (empirical) average time

Marcel Tiepelt, Alan Szepieniec – Quantum LLL 18/18