
Quantum LLL with an Application to Mersenne Number Cryptosystems



  1. Quantum LLL with an Application to Mersenne Number Cryptosystems
     Marcel Tiepelt (1), Alan Szepieniec (2)
     (1) Karlsruhe Institute of Technology, (2) Nervos Foundation
     Latincrypt 2019, Santiago de Chile, Oct. 2-4
     www.kit.edu, KIT – The Research University in the Helmholtz Association

  2. Overview
     - Quantum circuit representation of LLL
       - for (textbook) rational numbers
       - for floating-point approximation
     - Resource estimates of (sub)circuits, in Toffoli gates
     - Focus on qubit count
     2/18 Marcel Tiepelt, Alan Szepieniec – Quantum LLL


  6. Why quantum translation of LLL?
     - Consider LLL as a subroutine, e.g., SVP oracle in cryptanalysis
     - Assume 256 bits of classical security, for O(2^256) expected number of oracle calls
     - Quantumly: 128 bits of security, Groverization promises improvement to O(2^128)
     - → Requires efficient translation of LLL into quantum setting!
     - But: translation of (textbook) LLL results in large overhead w.r.t. the number of qubits!
     - Does Grover with a QLLL give us the desired improvement?

  7. (Classical) LLL
       Input: Basis B = (b_1, b_2, ..., b_r)
       Output: Reduced basis B̂
       B*, M ← GSO(B)
       k ← 2
       while k ≤ r do
         Size-reduce(b_k, b_{k−1})
         if Lovász condition holds on b_k, b_{k−1} then
           Size-reduce(b_k, {b_j}_{0 ≤ j ≤ k−1}), update M
           k++
         else
           swap b_k, b_{k−1}, update M
           k := max(2, k − 1)
         end if
       end while

  8. Variants
     - Rational M: Lenstra, Lenstra, and Lovász [2]
     - Floating-point approximation M: Schnorr [4]
     - "Best" variant: L², Nguyen and Stehlé [3]
     - (many more)


  11. Quantum LLL Setup
      Registers
      - |B⟩: basis representing a superposition of integer lattices
      - |M^(i)⟩: transformation M in iteration i s.t. B = M B*
      - |K⟩, |cntl⟩: counters, controls
      Operations
      - Arithmetic in Q or R, vector operations in Z
      - misc: compare, round, max(x, y), ...
      Notations
      - function: f(X)
      - uncompute (run circuit backwards): (f(X))^−1

  12. Quantum LLL
      [Circuit diagram. Registers: |B⟩, |M⟩, |Lov⟩, |K⟩, |J⟩, |ctl_1⟩, |ctl_2⟩. Blocks: QGSO; size-reduce on |b_K⟩, |b_{K−1}⟩; Lovász; branch: size-reduce (rank(L) cycles); branch: swap (rank(L) cycles); counter updates |K⟩ + 1 and max(2, |K⟩ − 1); range comparisons on |K⟩ and |J⟩ with their uncomputations. The loop body runs for bound(K) cycles.]

  13. Quantum LLL
      [Same circuit diagram as the previous slide.]


  17. Pitfall I: unbounded loops
      - Classical: apply operation until loop terminates
      - Quantum: apply as often as necessary, but not too often
      - Loop: k := 2; while (k ≤ r);
      - [Circuit diagram. Registers: |K⟩, |cntl_1⟩, |cntl_2⟩, |ψ⟩. Blocks: comparisons |K⟩ ≥ 2 and |K⟩ ≤ r with their uncomputations (|K⟩ ≥ 2)^−1 and (|K⟩ ≤ r)^−1; Apply Task on |ψ⟩; |K⟩ ± 1. Repeated for bound(K) cycles.]
      - Quantum: worst-case running time for all (unbounded) loops


  20. Pitfall Part II: size-reduction cleanup
      - Size reduction: b_i → b̂_i (reduce by b_j)
      - Update M s.t. B̂ = M B̂*
      Classical
        ⌈m_ij⌋ ← round(m_ij)
        b̂_i ← b_i − ⌈m_ij⌋ b_j
        m̂_ij ← m_ij − ⌈m_ij⌋
        free(⌈m_ij⌋), free(b_i), free(m_ij)
      - m_ij, m̂_ij, b_i cannot be recomputed from b̂_ij ⇒ information about larger basis is lost


  22. Pitfall Part II: size-reduction cleanup
      Quantum
      - [Circuit diagram: rounding ⌈·⌋ and subtraction applied to m_ij, with labels m_ij, ⌈m_ij⌋, m̂_ij.]
      - |m_ij⟩, |m̂_ij⟩, |b_i⟩ cannot be recomputed from |b̂_ij⟩ ⇒ |b_i⟩, |m_ij⟩ or |⌈m_ij⌋⟩ need to be preserved for reversibility
      - Quantum: need fresh memory in every size-reduction (similar issues arise from divisions / preserving the remainder for fp-numbers)


  25. Impact?
      - Size reduction is conditionally applied to all vectors of |M^(i)⟩
      - Reversible size-reduction: |M^(i)⟩|B⟩|0⟩ ⇒ |M^(i)⟩|B⟩|M^(i+1)⟩
      - Register contents over the iterations:
          |M^(0)⟩|0⟩...|0⟩
            size-reduce
          |M^(0)⟩|M^(1)⟩|0⟩...|0⟩
            size-reduce
          |M^(0)⟩|M^(1)⟩|M^(2)⟩|0⟩...|0⟩
            size-reduce
          ...
            size-reduce
          |M^(0)⟩|M^(1)⟩...|M^(bound(K))⟩
      - How many qubits does this require?
        - sizeOf(M) qubits for each reduction
        - bound(K) many iterations
        - → bound(K) × sizeOf(M)
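
A classical illustration of slides 7 and 20 to 25, added here and not taken from the slides or the authors' circuits: textbook rational LLL with the control flow of slide 7, where every size-reduction keeps its rounded coefficient ⌈m_kj⌋ on a tape instead of freeing it, so the run can be undone to recover the input basis. The names `lll_with_tape` and `uncompute`, the Lovász parameter 3/4 and the sample basis are assumptions; the tape stores one integer per reduction, whereas the slides account for a full register |M^(i)⟩ per iteration.

```python
from fractions import Fraction

def dot(u, v):
    return sum(Fraction(a) * b for a, b in zip(u, v))

def gso(B):
    """Gram-Schmidt over Q: returns (B*, M) with B = M B*."""
    Bs, M = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            M[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - M[i][j] * y for x, y in zip(v, Bs[j])]
        M[i][i] = Fraction(1)
        Bs.append(v)
    return Bs, M

def size_reduce(B, k, j, tape):
    """b_k <- b_k - round(m_kj) b_j; the rounded value is kept on the tape."""
    q = round(gso(B)[1][k][j])
    B[k] = [x - q * y for x, y in zip(B[k], B[j])]
    tape.append(("reduce", k, j, q))

def lll_with_tape(B, delta=Fraction(3, 4)):
    """Slide 7 control flow, 0-based (k starts at 1 instead of 2)."""
    B, tape, k = [list(b) for b in B], [], 1
    while k < len(B):
        size_reduce(B, k, k - 1, tape)
        Bs, M = gso(B)
        lovasz = dot(Bs[k], Bs[k]) >= (delta - M[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1])
        if lovasz:
            for j in range(k - 2, -1, -1):
                size_reduce(B, k, j, tape)
            k += 1
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            tape.append(("swap", k, k - 1, 0))
            k = max(1, k - 1)
    return B, tape

def uncompute(B, tape):
    """Run the logged operations backwards to recover the input basis."""
    B = [list(b) for b in B]
    for op, k, j, q in reversed(tape):
        if op == "swap":
            B[k], B[j] = B[j], B[k]
        else:
            B[k] = [x + q * y for x, y in zip(B[k], B[j])]
    return B

B0 = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]   # constructed, linearly independent sample basis
```

`uncompute(*lll_with_tape(B0))` returns `B0`; without the tape the reduced basis alone does not determine the input, which is the information loss slide 20 describes.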
