Skip to content

Top New Best Ask Show Jobs

Quantum Algorithms for Lattice Problems | Better HN

Quantum Algorithms for Lattice Problems (opens in new tab)

(eprint.iacr.org)

233 pointstrotro1y ago124 comments

124 comments

j2kun1y ago

I work on homomorphic encryption, and there are some rumors circulating that, if this checks out, it will break some of the leading FHE schemes like BFV, where the moduli used are quite large (in the hundreds of bits or even over a thousand bits).

ilya_m1y ago

… only if scalable quantum computers exist.

warkdarrior1y ago

If scalable quantum computers do not exist, we do not need PQC.

I wouldn't bet against the existence of a modern Bletchley Park analogue.

troq131y ago

Just a bit more improvement and they might be able to use a computer that doesn't exist to break an encrypting scheme nobody uses. Alarming.

j2kun1y ago

Major systems and big companies like Google are already mid-transition to PQC. So it is alarming.

AnthonyMouse1y ago

More to the point, the purpose of the encrypting system nobody uses is to have something to use if anybody ever makes the computer that doesn't exist. Now if that happens, what?

anonymousDan1y ago

Furthermore this could have implications for fully homomorphic encryption schemes based on lattices. But nonetheless I laughed :)

troq131y ago

Google has dozens of chrome extensions in their app store that anyone can check in 2 mins are plain malware, and they do nothing about it. If they cared about security that's what they would be working on, these guys just want to publish papers.

adastra221y ago

Their deployment is additive. You would need to break both the PCQ and classical schemes, so they’d be unaffected here.

Beldin1y ago

Headline should be "polynomial time quantum algorithms for solving lattices" or somesuch. The polynomial time aspect is the main contribution here - and also why this is attracting attention.

anonymousDan1y ago

Some initial Reddit discussion here: https://www.reddit.com/r/cryptography/comments/1c0vlfx/the_f...

JohnKemeny1y ago

And a question at crypto.stackexchange: https://crypto.stackexchange.com/q/111385

tromp1y ago

How does this affect these statements on Wikipedia [1]

> some lattice-based constructions appear to be resistant to attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered to be secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently.

and [2] ?

> One class of quantum resistant cryptographic algorithms is based on a concept called "learning with errors" introduced by Oded Regev in 2005.

[1] https://en.wikipedia.org/wiki/Lattice-based_cryptography

[2] https://en.wikipedia.org/wiki/Ring_learning_with_errors_key_...

The idea of "appear to be resistant to attack" is an empirical one. When someone says that, they are saying that we simply have not found a good attack against this problem. That can change any day, in principle. Unfortunately, "we don't know of an attack" is about as strong a statement you can make in cryptography, when talking about a fundamental hardness assumption. More verbosely, you'd say "the best known attacks take 2^whatever operations on a computer (classical or quantum), and that's expensive, so we're probably fine unless someone makes a significant leap tomorrow"

adgjlsfhk11y ago

imo, this isn't quite true. there are a lot of areas where we can say "this looks sufficiently secure for now, but given the rate of advancement in this area in the last decade, we expect it will probably lose a few bits of security in the next decade"

westurner1y ago

CRYSTALS-Kyber, NTRU, SABER, CRYSTALS-Dilithium, and FALCON are lattice-based method finalists in NIST PQC Round 3.

[1] NIST Post-Quantum Cryptography Standardization: https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography...

The NTRU article mentions PQ resistance to Shor's only, other evaluations, and that IEEE Std 1363.1 (2008) and the X9 financial industry spec already specify NTRU, which is a Round 3 Finalist lattice-based method.

In [1] Under "Selected Algorithms 2022", the article lists "Lattice: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON; Hash-based: SPHINCS+".

Round 4 includes Code-based and Supersingular elliptic curve isogeny algos.

FWIU There's not yet a TLS 1.4/2.0 that specifies which [lattice-based] PQ algos webservers would need to implement to support a new PQ TLS spec.

wbl1y ago

Do you know how little we know? We don't even know P isn't PSPACE!

People seemed to be focusing on the fact that this wouldn’t break the NIST leading PQC public key cryptosystem, but I think that misses the point. This takes a problem at the core of this security, which previously only had an exponential approximation, and finds a polynomial approximation. Sure that polynomial is too high O(n^4.5) to break the leading proposed systems, but I mean are you really feeling safe when an exponential just changed to a polynomial?

An analogy would be something like this. Factoring is hard. We base RSA on the hardness of this problem and there we use numbers that are the product of two primes. Someone just found an algorithm that doesn’t work to find the product of two primes, but can take a product of four primes and return two products of two primes. Do you feel safe with RSA?

Anyway the paper could be wrong or it could be right, it will take a while for those in the field to dig through this. As a cautionary tale, there have been a few extra good quantum people who have proposed quantum attacks on lattice problems that have later been shown to have bugs.

Ar-Curunir1y ago

The running time of attacks hasn't suddenly become O(n^4.5). The latter figure describe the noise ratio for which the LWE assumption becomes broken in quantum polynomial time.

The proposed post-quantum encryption schemes use a much smaller noise ratio which (at the moment) is not affected by these attacks.

I didn’t say the runtime did I? The approximation ratio went from exponential to polynomial noise ratio. This just went from 2^n to n^4.5 and everyone seems to say “oh this is fine”.

deknos1y ago

Are the OpenSSH lattice instances or the ones of DJB affected by this problem?

Does this result apply to all LWE problems? Does this approach care about LWE vs Ring-LWE at all?

If so, it's a big blow to systems like FrodoKEM that banked on unstructured lattices providing higher security.

tux31y ago

Not a lattice expert, so add salt to taste, but it looks like LWE in general (incluring RLWE)

But the current attack essentially wants q > n^2, so even if it is confirmed, not all LWE schemes are dead. There will certainly be people who tweak the params in response and carry on.

However, attacks only get better. And for people in FHE who are squeezed between performance problems and dangerously thin security parameters, it is a bad day if confirmed. There's no credible practical alternative to LWE for FHE...

j2kun1y ago

RingLWE security reduces to LWE via a relatively simple reduction (see https://www.jeremykun.com/2022/12/28/estimating-the-security...).

Hello everyone. I am a college student and currently new to this field. If possible can somone explain in simple terms that what real future impacts would this paper can create?

It would be silly not to first ask your interpretation, given that you are a college student.

Since this is about quantum computing, real world effects are very likely to be none except an exorbitant amount of grant money.

tschumacher1y ago

Some post-quantum signatures like CRYSTALS-Dilithium are based on lattices. Makes me think that quantum key distribution (what I've been working on for the past 6 months) has a chance to actually become useful instead of being only of interest to academics and to a few companies that sell overpriced solutions to paranoids.

hannob1y ago

QKD does not solve the problem that quantum computers create, and cannot replace public key cryptography. That's a common misconception that the marketing departments of QKD research tries to keep alive.

Even under ideal conditions (whether these can exist is debatable), the best QKD gives you is a securely encrypted channel only when you already have a securely authenticated channel. The latter is extremely important, makes the whole thing mostly useless, and is often omitted by QKD advocates.

HappyPanacea1y ago

If you don't have an authenticated channel, you are susceptible to a MITM attack which makes any asymmetric crypto useless. Thus I think there is an implicit assumption in any asymmetric crypto that you already have an authenticated channel. Or did I miss something?

Vecr1y ago

Code based systems are still in, and classic McEliece could be extended to ~50 MiB for a keypair and still be way more practical than QKD. Just run the max current classic McEliece spec hybrid post quantum with X448.

sgt1011y ago

NSA is that you?

ColinWright1y ago

There is an update:

https://news.ycombinator.com/item?id=40086515

"Update on April 18: Step 9 of the algorithm contains a bug, which I don’t know how to fix."

...

"Now the claim of showing a polynomial time quantum algorithm for solving LWE with polynomial modulus-noise ratios does not hold."

From the paper:

> Let us remark that the modulus-noise ratio achieved by our quantum algorithm is still too large to break the public-key encryption schemes based on (Ring)LWE used in practice. In particular, we have not broken the NIST PQC standardization candidates. For example, for CRYSTALS-Kyber [BDK+18], the error term is chosen from a small constant range, the modulus is q = 3329, the dimension is n = 256 · k where k ∈ {3, 4, 5}, so we can think of q as being almost linear in n. For our algorithm, if we set αq ∈ O(1), then our algorithm applies when q ∈ Ω^~(n^2), so we are not able to break CRYSTALS-Kyber yet. We leave the task of improving the approximation factor of our quantum algorithm to future work.

(of course, this doesn't mean we are in the clear -- a polynomial-time algorithm is alarming)

I don't understand your comment in the context of the previous comment you posted. AIUI, the excerpt says "our algorithm only applies when the modulus q is larger than n^2" where n is 2563 or 2566 (I guess?). So the excerpt would be saying that the algorithm does not apply in this case, because 3000 << (256*3)^2. Right?

Ar-Curunir1y ago

The algorithm is only quantum-polynomial time for a parameter regime not applicable to the PQC candidates.

pclmulqdq1y ago

Factorization and discrete log are also polynomial on a quantum computer, and we are very good at just increasing bit widths. If CRYSTALS is also polynomial in BQP, there is very little reason to invest so much into it.

I am still of the (very controversial) opinion that the only PQC algorithm worth investing in at the expense of classical algorithms is Classic McEliece. This is a code that has stood up to classical and quantum cracking attempts for a very long time - cracking these codes is equivalent to creating a very valuable algorithm in error correcting codes.

The NIST also is dead set on people using only PQC or classical crypto, not a wrapper with both. That is stupid IMO.

less_less1y ago

It's NSA who wants only PQC and not hybrid. NIST is fine with hybrid. They don't plan to standardize hybrids as entire units, but they said they plan to standardize the KDF modes you'd need to build them.

cryptonik1y ago

Thanks for your comment, very interesting. About your last paragraph : Do you know why NIST refuses hybridization, when European agencies imposes it ? What is the political behind it ?

> The NIST also is dead set on people using only PQC or classical crypto, not a wrapper with both. That is stupid IMO.

Yeah, this is rather baffling. After SIKE got broken, you'd think they would have realized the importance of combining these new cutting-edge candidates with something reliable.

Ar-Curunir1y ago

The remark clearly states that CRYSTALs is not affected by this attack.

There was an update of the paper 2024-04-18:

"Note: Update on April 18: Step 9 of the algorithm contains a bug, which I don’t know how to fix. See Section 3.5.9 (Page 37) for details. I sincerely thank Hongxun Wu and (independently) Thomas Vidick for finding the bug today. Now the claim of showing a polynomial time quantum algorithm for solving LWE with polynomial modulus-noise ratios does not hold. I leave the rest of the paper as it is (added a clarification of an operation in Step 8) as a hope that ideas like Complex Gaussian and windowed QFT may find other applications in quantum computation, or tackle LWE in other ways."

ColinWright1y ago

Posted here: https://news.ycombinator.com/item?id=40086515

dogeprotocol1y ago

Will be interesting to see how this pans out.

deyiao1y ago

If the findings of this paper hold up, I believe it could pretty much undo a decade of NIST's efforts in post-quantum cryptography. a seismic shift in the world of cryptography.

kyoji1y ago

Not entirely true, there are other PKE and DSA algorithms that were/are a part of the competition that used problems not related to lattices. However, the lattice-based options were often among the fastest and smallest.

tux31y ago

Isogenies vindicated? :)

No? One of the side effects of running an open competition is that it focused attention on a variety of competing options for this, all of which were formalized, recorded, and publicly evaluated by the world's academic cryptography experts. We're strictly better off as a result, and much of NIST's own work would still be valuable even in a hypothetical scenario in which none of LWE was quantum-safe.

This is the reason why nist did the decade of work - to focus effort on figuring out what options are secure. Finding out an option is not secure is a good thing. Its why we are putting effort into PQC now before quantum computers are a real threat.

j / k navigate · click thread line to collapse