Advances on quantum cryptanalysis of ideal lattices

The problem of finding a shortest vector of a Euclidean lattice (the shortest vector problem, or SVP) is a central hard problem in complexity theory. Approximated versions of this problem (e.g. α-SVP, the problem of finding a vector at most α times longer than the shortest one) have become the theoretical foundation for many cryptographic constructions. Indeed, lattice-based cryptography typically benefits from worst-case hardness [1, 14, 18]: it is sufficient that there exist some lattices in which finding short vectors is hard for those cryptosystems to be secure.

Among several advantages, lattice-based cryptography is also praised for its apparent resistance to quantum algorithms, unlike the current public-key schemes based on factoring or discrete logarithm. The main drawback of lattice-based cryptography is its large memory and bandwidth footprint: a lattice is represented by a basis, i.e. an n × n matrix, for a dimension n of several hundreds. For efficiency reasons, it is tempting to rely on structured lattices, such as lattices generated by a circulant matrix. The earliest example of such a cryptosystem is the NTRUencrypt proposal from Hoffstein et al. [9] from 1998. Algebraically, those lattices can be viewed as ideals or modules over cyclotomic number fields. Nevertheless, there is no guarantee that hard lattice problems remain hard on particular classes of structured lattices, and indeed, a series of results [4–8] has led to new quantum algorithms solving certain ideal lattice problems. To the best of our knowledge, the same problems remain hard over arbitrary lattices, even with a quantum computer. More precisely, for certain sub-exponential approximation factors α, α-SVP on ideal lattices admits a polynomial-time quantum algorithm, as depicted in Figure 1. In this survey, we give an overview of the techniques that have led to these results.

The first quantum attack on certain ideal lattices of cyclotomic fields was sketched by Campbell, Groves and Shepherd [5], and applies to a few schemes, in particular to one of the first Fully-Homomorphic Encryption schemes [17]. Yet those broken schemes were based on ad-hoc problems that do not benefit from worst-case hardness. The first step of this attack does not actually solve a lattice problem: it does not provide guarantees about the shortness of
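As an added illustration (editor's example, not code from the survey) of what "a lattice generated by a circulant matrix" and "viewed as an ideal over a cyclotomic ring" mean concretely: the code below works in Z[x]/(x^n + 1), the power-of-two cyclotomic ring (the circulant case Z[x]/(x^n - 1) differs only in the sign of the wrap-around, and is exposed through a flag). It builds the n × n basis whose rows are x^i · g from the n coefficients of g, and checks that every element f · g of the ideal (g) is exactly the integer combination Σ f_i · (x^i g) of those rows, so the ideal and the lattice are the same set of vectors. The polynomial g = 3 + x + 4x^2 + x^3 and the multiplier f used in the driver are constructed sample inputs, not values from the paper.

```python
"""Ideal lattices in Z[x]/(x^n + 1) made concrete (editor's added example).

A polynomial g in R = Z[x]/(x^n + 1) generates the ideal
    (g) = { f * g mod (x^n + 1) : f in R }.
Reading polynomials as coefficient vectors, (g) is a lattice whose basis is
the negacyclic matrix with rows x^i * g.  The whole n x n basis is thus
determined by n integers, which is the storage saving structured lattices
offer over a generic basis.  With negacyclic=False the same code produces
the circulant lattice of Z[x]/(x^n - 1).
"""


def poly_mul_mod(f, g, negacyclic=True):
    """Multiply f and g in Z[x]/(x^n +- 1); coefficients are low degree first."""
    n = len(f)
    assert len(g) == n, "operands must live in the same ring"
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                out[k] += fi * gj
            else:
                # reduce x^k with x^n = -1 (negacyclic) or x^n = +1 (circulant)
                out[k - n] += -fi * gj if negacyclic else fi * gj
    return out


def structured_basis(g, negacyclic=True):
    """Basis of the ideal lattice (g): row i holds the coefficients of x^i * g."""
    n = len(g)
    rows = []
    cur = list(g)
    for _ in range(n):
        rows.append(cur)
        # multiply by x: shift coefficients up one degree, wrap the top one
        top = cur[-1]
        cur = [(-top if negacyclic else top)] + cur[:-1]
    return rows


def combine(coeffs, rows):
    """Integer linear combination sum_i coeffs[i] * rows[i] of basis vectors."""
    n = len(rows[0])
    v = [0] * n
    for c, r in zip(coeffs, rows):
        for k in range(n):
            v[k] += c * r[k]
    return v


def ideal_equals_lattice(f, g, negacyclic=True):
    """True iff f*g in the ring equals the lattice vector with coordinates f.

    This is the identity that lets the survey talk about the lattice of a
    circulant/negacyclic matrix and the ideal (g) interchangeably.
    """
    return poly_mul_mod(f, g, negacyclic) == combine(f, structured_basis(g, negacyclic))


def storage_sizes(n):
    """(structured, generic) integer counts needed to describe a basis in dimension n."""
    return n, n * n


if __name__ == "__main__":
    g = [3, 1, 4, 1]        # constructed sample generator, n = 4
    f = [2, -1, 0, 5]       # constructed sample ring element
    for row in structured_basis(g):
        print(row)
    print("f*g as ideal element:", poly_mul_mod(f, g))
    print("same vector from the basis:", combine(f, structured_basis(g)))
    print("ideal == lattice:", ideal_equals_lattice(f, g))
    print("integers stored (structured, generic) for n=512:", storage_sizes(512))
```

Note the caveat the survey is heading toward: the compact representation is exactly what makes these lattices "ideal", and it is this extra algebraic structure (closure under multiplication by x, visible in how each row is the previous one shifted) that the quantum attacks exploit; a generic n × n basis carries no such relation between its rows.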