# Improved Low-qubit Hidden Shift Algorithms

Hidden shift problems are relevant to assess the quantum security of various cryptographic constructs. Multiple quantum subexponential time algorithms have been proposed. In this paper, we propose some improvements on a polynomial quantum memory algorithm proposed by Childs, Jao and Soukharev in 2010. We use subset-sum algorithms to significantly reduce its complexity. We also propose new tradeoffs between quantum queries, classical time and classical memory to solve this problem.

## Authors

• 5 publications
• ### Improved Classical and Quantum Algorithms for Subset-Sum

We present new classical and quantum algorithms for solving random subse...
02/12/2020 ∙ by Xavier Bonnetain, et al. ∙ 0

• ### Improved quantum algorithm for the random subset sum problem

We propose a quantum algorithm for solving random subset sum instances w...
12/18/2019 ∙ by Yang Li, et al. ∙ 0

• ### Quantum Attacks without Superposition Queries: the Offline Simon's Algorithm

In symmetric cryptanalysis, the model of superposition queries has led t...
02/27/2020 ∙ by Xavier Bonnetain, et al. ∙ 0

• ### A Quantum Approach to Subset-Sum and Similar Problems

In this paper, we study the subset-sum problem by using a quantum heuris...
07/27/2017 ∙ by Ammar Daskin, et al. ∙ 0

• ### The dihedral hidden subgroup problem

We give an exposition of the hidden subgroup problem for dihedral groups...
06/18/2021 ∙ by Imin Chen, et al. ∙ 0

• ### Improved (Provable) Algorithms for the Shortest Vector Problem via Bounded Distance Decoding

The most important computational problem on lattices is the Shortest Vec...
02/19/2020 ∙ by Divesh Aggarwal, et al. ∙ 0

• ### Strong and Weak Optimizations in Classical and Quantum Models of Stochastic Processes

Among the predictive hidden Markov models that describe a given stochast...
08/26/2018 ∙ by Samuel Loomis, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

The hidden shift problem can be stated as follows:

Let , be two injective functions, a group. Given the promise that there exists such that, for all , , retrieve .

This is a generalization of the the hidden subgroup problem, which corresponds to the case , and is efficiently solved by Shor’s algorithm [DBLP:journals/siamcomp/Shor97] in the abelian case.

As the hidden subgroup problem, the hidden shift problem is of interest for cryptography. Notably, the security of multiple symmetric primitives [conf/eurocrypt/AlagicR17, DBLP:conf/asiacrypt/BonnetainN18] and the security of some post-quantum isogeny-based asymmetric schemes [cryptoeprint:2018:383, DBLP:journals/jmc/ChildsJS14, DBLP:journals/iacr/FeoG18, DBLP:conf/asiacrypt/FeoKS18] depends on its hardness.

It is also interesting for quantum computing, as solving this problem requires exponential classical time, but depending on the group structure, can be solved quantumly in either polynomial, sub-exponential or exponential time.

The first subexponential quantum algorithm for the hidden shift problem has been proposed by Kuperberg in [DBLP:journals/siamcomp/Kuperberg05], where he proposed multiple algorithms in quantum time, memory and query. A polynomial quantum memory variant has been proposed by Regev in [quant-ph/0406151v1], with a time cost in . This latter algorithm has been generalized and more precisely studied by Childs, Jao and Soukharev in [DBLP:journals/jmc/ChildsJS14], where they prove a time cost in for all abelian groups. In 2013, Kuperberg proposed a generalisation of his first algorithm and Regev’s variant [DBLP:conf/tqc/Kuperberg13]

with a heuristic cost estimate of

.

Asymptotic cost estimates provide little information on the concrete cost of the algorithm. Concrete cost estimates for groups of order a power of two for Kuperberg’s original algorithm have been done in [DBLP:conf/asiacrypt/BonnetainN18], obtaining a cost of around for the cyclic case. The used algorithm has later been generalised to arbitrary cyclic groups in [DBLP:journals/iacr/BonnetainS18], for a cost of around .

In this paper, we will focus on the quantum algorithm of Childs, Jao and Soukharev [DBLP:journals/jmc/ChildsJS14] and show how it can be improved.

### 1.1 Notations

We note

 Ln(α,c)=2((c+o(1))nαlog2(n)1−α).

We will focus here on the cyclic group , and denote . However, the algorithms can also be applied to arbitrary abelian groups, using the same approach as in [DBLP:journals/jmc/ChildsJS14]. We denote as . We note

the inner product of vectors.

We denote in the qubit phases.

### 1.2 Results

In this paper, we improve the quantum hidden shift algorithm of [DBLP:journals/jmc/ChildsJS14]. We use subset-sum algorithms to lower the exponent of the complexity, and propose different tradeoffs between quantum and classical cost. In particular, with the exponent to solve a subset-sum instance, we solve the hidden shift problem in classical time and quantum queries, and if we want a quadratic gap between the classical time cost and the quantum query cost, we can solve it in quantum queries and classical time.

The results are summarized in Table 1. The quantum time is roughly the number of quantum queries, as the only non-trivial quantum operation is the oracle evaluation.

## 2 Hidden Shift Algorithms

Hidden shift algorithms are in two steps: the first one uses the oracles to produce some random qubits with a specific structure (the elements), which are then refined by some combination routines until we manage to extract the value of the hidden shift.

### 2.1 Element Generation

 ∑x|0⟩|x⟩|f(x)⟩+|1⟩|x⟩|g(x)⟩.

After a measurement of the last register, one obtains

 |0⟩|x0⟩+|1⟩|x0+s⟩

for a given unknown

. Now, one can apply a Quantum Fourier Transform on the second register, to obtain

 ∑ℓ|0⟩χ(x0ℓN)|ℓ⟩+|1⟩χ((x0+s)ℓN)|ℓ⟩.

Finally, one can perform a measurement on the second register, and obtain and

 |ψℓ⟩=|0⟩+χ(sℓN)|1⟩.

### 2.2 Interesting Elements

If one manages to obtain , then can be retrieved with a Quantum Fourier Transform, as

 n⨂j=0∣∣ψ2j⟩=2n∑ℓ=0χ(sℓN)|ℓ⟩.

Hence, applying an inverse Quantum Fourier Transform allows to retrieve .

It is to be noted that, for groups of odd order, we only need to be able to construct

: the value can be obtained by multiplying all the labels by and constructing 1 from the new labels.

The situation is slightly easier if . In that case, directly gives . Likewise, as noted in [DBLP:conf/asiacrypt/BonnetainN18], both and allows to obtain the second bit of if is known, and so on, knowing the lower bits of allows to extract the next bit from .

### 2.3 Combination routines

We will use the combination routines of [DBLP:journals/jmc/ChildsJS14] to obtain the labels we are looking for, that is, either or .

The idea is to take a certain amount of elements (), and use them to produce one better element. Recall that the elements are of the form

. If we tensor them, we obtain

 ⨂i∣∣ψℓi⟩=∑j∈{0,1}kχ(j⋅(ℓ1,…,ℓk)N)|j⟩.

Now, the objective of the combination routine is to perform a partial measurement on , in order to ensure that the remaining have an interesting phase difference. After that, we only need to know the corresponding , project the state on a pair, and relabel the two values of the pair to 0 and 1 in order to obtain a better element.

Algorithm 1 computes the function and measures the second register. By definition, the remaining have a phase identical modulo . Hence, the output label will be a multiple of . This approach can be iterated, in order to obtain multiples of increasingly big powers of 2, and allows to reach .

Another approach to reach a specific element is to compute . This will produce elements with a close phase (their difference will be smaller than ). As before, this approach can be iterated to obtain smaller and smaller labels, until we reach . This is done in Algorithm 2.

Both algorithms are used in [DBLP:journals/jmc/ChildsJS14], the former to tackle cyclic groups of order a power of 2, the latter for cyclic groups of odd order.

Algorithm 3 projects on

with probability

, and otherwise projects to the supplementary vector space.

#### 2.3.1 Finding pairs

Finding the pairs for Algorithm 1 (Step 6) consists in finding the solutions of the equation . This is addressed by brute-force in [DBLP:journals/jmc/ChildsJS14], for a cost of . For the complexity analysis, we consider that this step costs , the brute-force case being the case . This brute-force approach can also be applied to Step 6 of Algorithm 2.

#### 2.3.2 Complexity

Algorithm 1 succeeds if, at step 7, we manage to project on a pair . Indeed, as they are both preimages of , we have

 ℓ′=(j2−j1)⋅(ℓ1,…,ℓk)=0mod2m.

In order to achieve this, we must:

1. Have at least two distinct solutions of the equation,

2. Manage to find the solutions,

3. Successfully project onto a pair.

The first point requires us to have . In [quant-ph/0406151v1], is used, while [DBLP:journals/jmc/ChildsJS14] uses . In both cases, we have a fixed probability to have at least 2 solutions: there are images, hence at most subsets have a sum for which there is a unique preimage, hence we have at least 2 solutions at least half the time. The third point is a problem when the number of solutions is odd: in that case, we may fail to project on a pair. As we have balanced superpositions, the probability of obtaining a singleton is half the probability of obtaining a pair. Hence, we fail to project with probability at most .

The case of Algorithm 2 is very similar. In [DBLP:journals/jmc/ChildsJS14], the authors chose . As the output labels depend on the sum of the inputs, they can be larger, and the output space is of size . Hence, in [DBLP:journals/jmc/ChildsJS14], a value of is chosen, to guarantee a constant success probability. Moreover, a step of rejection sampling (still with constant probability) is added, to guarantee a uniform sampling in the smaller interval.

To summarize, the two routines take elements, and produce with constant probability one refined element which is bits better, at a cost of , with the exponent of finding the solutions in the combination routines.

### 2.4 CJS algorithm [DBLP:journals/jmc/ChildsJS14]

If we want each routine in the pipeline to be the same, we will have routines, and we need in order to succeed. The total cost is then of queries, qubits (excluding the quantum oracle overhead), a classical time in and a polynomial classical memory. If , the query cost is in , and the time cost is in . The classical cost is minimized for , which implies , which leads to a quantum query cost in and a classical time cost in .

###### Remark 1

The quantum query exponent of [DBLP:journals/jmc/ChildsJS14, Theorem 5.2] is not tight.

## 3 Subset-sum algorithms

It turns out that solving with for random instances can be done more efficiently than brute-force. Indeed, as we have a small number of solutions, it corresponds to a random instance of a subset-sum problem with a density close to 1, for which multiple algorithms have been proposed [DBLP:journals/siamcomp/SchroeppelS81, DBLP:conf/eurocrypt/BeckerCJ11, DBLP:conf/tqc/HelmM18]. All these algorithms (classical and quantum) have an exponential complexity, in , for a given constant . As we consider a polynomial-quantum memory algorithm, we will focus on the classical subset-sum algorithms.

These algorithms rely on list-merging techniques: the complete solution is contructed from lists of candidate partials solutions.

A simple example is the Schroppel-Shamir algorithm [DBLP:journals/siamcomp/SchroeppelS81]. The space of possible solutions of is split into 4 parts , with , and so on.

The lists contains the possible partial sum on a fourth of the variables. The intermediate lists and contains the partial sums on the first and second half of the variables.

Without any other technique, the splitting would not gain anything, as the two intermediate lists would be of size . The Schroeppel-Shamir algorithm gains by guessing . With that guess, the list is expected to be of size . Conversely, imposes the value for . Hence all the lists are expected to be of size . The solution will only be found for the correct guess of the intermediate value, requiring guesses overall, for a total cost of time, but only memory.

Finally, the merging in itself is the efficient generation of the intermediate lists (and of the complete solution) from the previous lists. As we want to produce a list of values with a constrained sum, we can sort the first list, and then check for each element of the second list if there is an element leading to a correct sum in the first list. The cost of the merging is the cost of sorting the input list and constructing the output list, here .

The algorithm from [DBLP:conf/eurocrypt/BeckerCJ11] uses similar techniques, but with a different splitting. Instead of considering a subset of the variables, they considered a partial sum with a smaller number of terms in it. They also allowed the exponent of the subset sum in the intermediate step to lie in . With this approach, the merging has also to check for the consistency of the solutions, as the variables may overlap.

By splitting the sum in 8 and carefully choosing the size of the intermediate constraint and the ratio of -1, the authors of [DBLP:conf/eurocrypt/BeckerCJ11] obtained a complexity in in classical time and memory.

It is also possible to devise polynomial-memory algorithms for this problem. The method in [DBLP:conf/eurocrypt/BeckerCJ11] consists in merging only two lists, using a memoryless collision-finding algorithm, with a cost in .

In our case, we have some instances with more than one solution. As the expected number of solutions is fixed, this does not change the asymptotic cost for constructing all the solutions.

Finally, finding the pairs for Algorithm 2 consists in finding the solutions of the slightly different equation . This equation is slightly different, but the exact same techniques can be applied, as the merging can also check for values lying in an interval. Hence, the cost is similar for both.

For the polynomial variant, we do not have an equality to check between the two lists. This can be solved by truncating the first bits of the partial sum. In that case, two partial sums that lead to the correct interval have more than 50% chance to have the same truncated value. In the case that we missed, we only need to redo this by adding to the partial sum before truncating. We will also have a fixed proportion of false positives that we need to discard. Overall, this does not change the complexity cost of .

## 4 Improved hidden-shift algorithms

### 4.1 Improving the CJS algorithm

Instead of using brute-force to compute the output qubit value of each routine, we can use a subset-sum algorithm, which costs . The only difference is that the classical part cost less. With , we still have a quantum query cost in , but the classical time cost becomes and the optimal parameter becomes , leading to a quantum query complexity in and a classical time complexity in .

The classical time exponent of this hybrid algorithm is double the quantum query cost.

### 4.2 Minimizing the classical time

The classical cost of the previous approach is almost all in the first routine of the pipeline: the second routine is called time less, the third time less, and so on. We can change the size of each routine and increase to have each routine to cost overall roughly the same. The cost of a routine is in , hence can increase by for each routine. The optimal point is for increasing from 0 to , by steps of . With these parameters, the routine uses . We need to have , which implies . Hence, the cost of each routine will be in . As , we obtain a quantum time cost in . The first routine does nothing, hence its cost is the number of queries, which is also in .

### 4.3 Enforcing a quadratic gap

Section 4.1 had an algorithm with , Section 4.2 used . We can generalize this and consider It turns out the two previous approaches can be generalized, and we can consider routine input sizes of the form , and for example ensure a quadratic gap between the number of queries and the classical time. If we want to have each routine to cost the same, we still need . This implies , hence . The log of number of queries is in , as all the steps cost the same. Enforcing a quadratic gap between the two means that , hence . With these values, the quantum query cost is in , and the classical time cost is in .

As it is similar to the classical/quantum gap of Grover’s algorithm, this approach can be interesting for cases where the targeted hardness is defined with respect to some exhaustive search, as for example in the security levels 1, 3 and 5 of the NIST call for post-quantum primitives.

### 4.4 Minimizing the number of queries

The simplest way to minimize to number of queries is to have only one routine, and directly use Algorithm 1 or Algorithm 2 to solve the whole problem: in that case, the number of queries is in to obtain one target element, hence overall the quantum query cost is in . The classical cost is in . Interestingly, this beats the asymptotic cost of the best known classical algorithm if .

### 4.5 Algorithms complexity

From Section 3, we can take for a memory-heavy algorithm, or for a polynomial-memory algorithm. This leads to the exponents of Table 1.

If we only consider quantum algorithms (or that classical and quantum time and memory are equivalent), then we have sightly different complexities. Currently, an algorithm with the exponent has been proposed in [DBLP:conf/pqcrypto/BernsteinJLM13], and one with exponent in [DBLP:conf/tqc/HelmM18]. The costs are summarized in Table 2. It is to be noted that the non-polynomial quantum memory hidden shift algorithms we obtain perform asymptotically worse than the algorithms from [DBLP:conf/asiacrypt/BonnetainN18, DBLP:journals/siamcomp/Kuperberg05, DBLP:conf/tqc/Kuperberg13], which use a different combination routine.

Using Grover’s algorithm for a small number of queries produces an algorithm with the same cost as the exhaustive search, with a small number of queries. Overall, this is slightly worse than the approach of [DBLP:conf/stacs/EttingerH99], which performs an exhaustive search, but achieves a linear number of queries.

## 5 Conclusion

In this paper, we showed how to use subset-sum algorithms to reduce significantly the cost of a quantum hidden shift algorithm, and proposed different quantum/classical cost tradeoffs, allowing to divide the exponent by roughly 2.6 compared to [DBLP:journals/jmc/ChildsJS14], and even by 4.5 for the quantum query cost if we allow a quadratic gap between the classical time cost and the quantum query cost.

#### 5.0.1 Improving the complexity.

In order to obtain more efficient algorithms, one might study what happens if the combined elements can be chosen from a larger pool, as done in the quantum-memory heavy algorithms of [DBLP:journals/siamcomp/Kuperberg05]. This may allow to reduce the time cost at the expense of the quantum memory, while still offering a tradeoff between classical time and quantum query. Another approach would be to apply similar techniques to the algorithm of [DBLP:conf/tqc/Kuperberg13], if applicable.