Hello, everybody, and thank you for watching this video. I'm going to be presenting work on estimating quantum speedups for lattice sieves. This is joint work with my wonderful co-authors Martin Albrecht, Vlad Gheorghiu and John Schanck, and I'm Eamonn. So what are we doing? We're trying to understand lattice sieves, and in particular the quantum variants of them, in the non-asymptotic regime, so for particular dimensions of lattices that might be interesting for cryptanalysis. We're going to approach this problem by designing particular quantum circuits for some subroutines of these lattice sieves, and we're also going to design some software which then optimizes these quantum circuits with respect to some well-chosen cost metrics. And finally, we're doing this because a number of lattice-based cryptosystems have their concrete security estimated using such sieves. To begin with the what: what is a lattice? For the purposes of this talk, a lattice is a discrete additive subgroup of real space, here two-dimensional real space. It's usually described by a basis, which is any collection of linearly independent real vectors whose integer span gives all of the points of the lattice. Any lattice of dimension two or greater has an infinite number of such bases. Now, the problems that lattice sieves solve are shortest vector type problems. The exact form of this problem is the following: you're given a basis of a lattice and you're asked to find a non-zero vector in that lattice which is shorter than, or as short as, every other non-zero vector. Here, and throughout this talk, short means short in the Euclidean norm. The sieves that we consider actually solve an approximate variant of this problem, but it's really much the same. And briefly, how do these sieves work? Well, the first thing they do is sample a very large number of lattice vectors, a number that is exponential in the dimension of the lattice.
If you're given a basis that has no special structure, which it shouldn't really if you're thinking in terms of cryptanalysis, then the vectors you sample this way are going to be very long. In particular, they're going to be longer than the shortest vector in the lattice by a factor that is again exponential in the dimension of the lattice. This operation is cheap; at least, it is cheap to sample a single lattice vector. A heuristic introduced in the Nguyen-Vidick work of 2008 says that all of these long vectors you sample using the basis are going to be approximately the same length, so you can consider them as lying in some thin annulus, or even better, on the surface of some very large sphere. Then, to ease analysis, you normalize space and you end up with all of these lattice vectors assumed to lie on the surface of the unit sphere. What a lattice sieve then does is call a nearest neighbor search subroutine. In generality, this is some procedure that, given a list, tries to find tuples of elements from that list that satisfy some condition, and this condition usually encodes some idea of being close or being near. The sieves that we consider are going to be 2-sieves, so these tuples are going to be pairs, and the nearness condition is that the inner product of the two lattice vectors is greater than or equal to cos(pi/3). This is because, on the surface of a unit sphere, this condition simply means that their difference has length one or less. Lattice sieves call nearest neighbor search subroutines, and somewhere within this nearest neighbor search subroutine is going to be a list search. The idea of a lattice sieve is to start with sufficiently many points that you can find enough pairs of points satisfying this nearness condition.
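As an aside, here is a minimal Python sketch (my own illustration, not code from the paper) checking that, for points on the unit sphere, the inner product condition ⟨u, v⟩ ≥ cos(pi/3) is exactly the condition that the difference u − v has length at most one.

```python
import math
import random

def random_unit_vector(d, rng):
    """Uniform point on the unit sphere in R^d (normalized Gaussian)."""
    v = [rng.gauss(0.0, 1.0) for _ in range(d)]
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]

def reduces(u, v):
    """The 2-sieve nearness condition: <u, v> >= cos(pi/3) = 1/2."""
    return sum(a * b for a, b in zip(u, v)) >= math.cos(math.pi / 3)

rng = random.Random(0)
for _ in range(100):
    u = random_unit_vector(10, rng)
    v = random_unit_vector(10, rng)
    diff_len = math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))
    # On the unit sphere, <u, v> >= 1/2 holds exactly when ||u - v|| <= 1.
    assert reduces(u, v) == (diff_len <= 1.0)
```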
After you find these pairs, you take their differences, end up with a similarly sized list of slightly shorter lattice vectors, and then iterate this procedure, this nearest neighbor search, within your lattice. Indeed, a lot of the progress made in practical lattice sieving over the past decade or so has come from finding more and more efficient ways of implementing this nearest neighbor search subroutine. We're going to consider three. The Nguyen-Vidick style, which more or less started off practical lattice sieving, is a double loop over the list. The last two, random bucket and list decoding, are nearest neighbor search subroutines that use something called locality sensitive filtering, which is the idea that you somehow preprocess your list of lattice points, which maybe costs you something in complexity, but also gives you sublists in which points are more likely to satisfy the nearness condition. We pick these two: random bucket because it was implemented in the General Sieving Kernel, and list decoding because it represents the fastest known asymptotic nearest neighbor search subroutine. Something important to notice here is that the quantum versions of all of these lattice sieves consider the nearest neighbor search subroutine, and somewhere within that subroutine is a routine that searches through a list; at some point you must do that. The quantum variants replace that classical list search with Grover's search algorithm. Another thing to notice is that all of the lattice sieves we're going to consider, and indeed all lattice sieves, require exponential space. The exact value of the exponent is not important, but it grows exponentially with the dimension of the lattice. So, now we have a brief understanding of how lattice sieves operate.
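As a toy illustration of the double-loop idea (a sketch of my own, not the paper's implementation), one Nguyen-Vidick-style pass over a list of unit-sphere points keeps the differences of all pairs that satisfy the nearness condition:

```python
import math

COS_PI_3 = 0.5  # cos(pi/3)

def nv_style_pass(points):
    """One double-loop nearest neighbor search pass over unit-sphere
    points: return the differences u - v of all pairs with
    <u, v> >= cos(pi/3). Each such difference has length <= 1."""
    out = []
    for i, u in enumerate(points):
        for v in points[i + 1:]:
            if sum(a * b for a, b in zip(u, v)) >= COS_PI_3:
                out.append(tuple(a - b for a, b in zip(u, v)))
    return out

points = [(1.0, 0.0), (0.8, 0.6), (0.0, 1.0)]
shorter = nv_style_pass(points)
# (1,0).(0.8,0.6) = 0.8 and (0.8,0.6).(0,1) = 0.6 pass; (1,0).(0,1) = 0 does not.
assert len(shorter) == 2
assert all(math.hypot(*w) <= 1.0 for w in shorter)
```

A real sieve would iterate passes like this, on exponentially large lists, until the vectors become short.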
How are we going to get to this non-asymptotic understanding of their complexity? We're going to produce a series of search routines, ending with a filtered quantum search routine. Just to give a frame of reference, this function F, which we're calling a predicate, is going to encode the condition at the bottom of the screen here, so ultimately an inner product condition, but we're going to speak about it in generality for a little while. We're going to call F, from [N], which is the integers one to N, to {0, 1}, an unstructured predicate, so we don't know any internal structural workings of F. We call its roots all of the elements on which it evaluates to zero, and we call its kernel the collection of all of these roots. Depending on whether we're in the classical or the quantum world, we find a root in a different way. Classically, we can certainly find a root, if one exists, by simply evaluating F on its entire domain. Quantumly, we can measure this expression here; this is Grover's algorithm in a succinct form. You have D applied to the ket of zero, which puts the elements one to N in an equal superposition, and G of F, which is the Grover iteration encoding the predicate F: some reversible implementation of F and then a reflection operator. If you apply this Grover iteration to the equal superposition J times and measure, then you're meant to receive a root of F. In particular, if we're in the following regime, where the kernel of F is small, so there's perhaps a small constant number of roots, then classically we expect this process to take on the order of N queries, and quantumly we expect to have to apply the Grover iteration on the order of the square root of N times. This is the magic of Grover's algorithm, but of course the relative costs of F in the classical world and G of F in the quantum world are important.
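To see the quadratic gap concretely, here is a small simulation of my own (not code from the paper): by symmetry, Grover's algorithm on a single root only ever involves two amplitudes, the root's and every other element's, so we can track those and check that roughly (pi/4) times the square root of N iterations suffice.

```python
import math

def grover_success_prob(n, iterations):
    """Probability of measuring the unique root after some number of
    Grover iterations, starting from the uniform superposition D|0>.
    Tracks only two amplitudes: the root's (a) and each non-root's (b)."""
    a = 1.0 / math.sqrt(n)
    b = 1.0 / math.sqrt(n)
    for _ in range(iterations):
        a = -a                            # phase oracle G_F flips the root
        mean = (a + (n - 1) * b) / n      # reflection (inversion about the mean)
        a, b = 2 * mean - a, 2 * mean - b
    return a * a

n = 1024
j = math.floor((math.pi / 4) * math.sqrt(n))   # ~ (pi/4) * sqrt(N) = 25
assert grover_success_prob(n, j) > 0.99        # near-certain success
assert grover_success_prob(n, 0) == 1.0 / n    # one classical guess: 1/N
```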
Staying in the classical world for a little while longer: if F is very expensive, we might like to somehow filter the calls we make to F. To do this, we define a second predicate, which we call a filter, G, with the same domain and codomain, and we demand that it has at least one root in common with F. Classically we could then think about evaluating G first, and only evaluating F if we've hit a root of G, and continuing this process. Now, this is not always a good idea, depending on the exact properties of G, but there are certain properties which, if G has them, suggest it's probably a good filter. In particular, if G is cheap to evaluate, and certainly cheaper than F (otherwise you would just evaluate F), then this maybe is a good idea. Also, if the false positive and false negative rates are small, this again points to G being a good filter. To take one of these quantities, rho_F(G), the false positive rate of G: if this is large, it says that not many of the roots of G are roots of F, and therefore a lot of the time when you hit a root of G, you're going to evaluate F and not get a root of F. Whereas if it is small, most of the roots of G are roots of F. The false negative rate is somehow the opposite. The problem with applying this kind of idea immediately in the quantum world is that you can't perform this kind of conditional branching within Grover's algorithm. One of the first contributions of our work is a technical lemma that roughly says the following. Let G be a filter for a predicate F, and suppose two conditions hold, stated using real numbers p, q and gamma, which I shall come back to in a second. The upshot of the lemma is that we can find a root of F with some constant probability, at a cost dominated by this number of calls to the Grover iteration, but the Grover iteration that encodes the filter and not the predicate.
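Classically, the filtering idea is just conditional branching. Here is a self-contained sketch of my own (the predicate and filter are made up for illustration) in which an "expensive" F is only ever evaluated on the roots of a cheap G, and a counter shows how few calls F actually receives:

```python
import random

def filtered_search(domain, F, G):
    """Return the first root of F found, evaluating F only on roots of G."""
    for x in domain:
        if G(x) == 0 and F(x) == 0:
            return x
    return None

rng = random.Random(1)
secret = rng.randrange(1000)
f_calls = 0

def F(x):                       # "expensive" predicate: unique root at secret
    global f_calls
    f_calls += 1
    return 0 if x == secret else 1

def G(x):                       # cheap filter sharing that root with F
    return 0 if x % 10 == secret % 10 else 1

assert filtered_search(range(1000), F, G) == secret
assert f_calls <= 100           # F was called on at most the ~100 roots of G
```

Here G has false negative rate zero (the root of F is a root of G) and a nonzero false positive rate: most roots of G are not roots of F, but the filter still cuts the calls to F by a factor of ten.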
In particular, if the filter is a much cheaper quantum circuit than the predicate, then this might be a good thing. There are some details being swept under the rug here, the most pertinent of which is that we actually have to make sure this really is the dominating cost, but we do this in our analysis; I'm presenting it this way for the sake of clarity. These two conditions using p, q and gamma effectively encode how much we know about the sizes of the kernels and of the intersection of the kernels. Gamma can go as small as one, and as gamma gets smaller we're saying we know more about the size of the kernel of G; we might know, for example, its expected value or something like this. If gamma is one, then we know the size of the kernel of G exactly, and indeed the cost decreases with gamma. Similarly, the larger q can be taken, the bigger the intersection of the kernels of the predicate and the filter, and the larger this intersection, if you think back to the false positive and false negative rates on the previous slide, the lower those rates are going to be. So the crucial thing now is that we're costing this filtered quantum search routine in terms of the Grover iteration of the filter, and not of the predicate itself. To move back to the case of lattice sieving, and in particular nearest neighbor search subroutines: we have this large list of lattice vectors, we fix one of them and call it u, and our predicate is going to be F_u. Then we have this list of vectors v1 through to vN, and we're trying to find the v_i such that the inner product with u is greater than or equal to cos(pi/3). So this is the predicate. What's the filter? We're going to use something called XOR and popcount, which was introduced to the sieving world in this paper of Fitzpatrick et al. The idea here is that you have a certain number of hyperplanes, represented by n.
In this two-dimensional example, these are the lines h1 and h2, and you have a threshold k. The idea is that if some v_i is on the same side of at least k planes as u, then it passes the filter. So in particular, v1 and v2 pass the filter here, because they're on the same side of at least one plane as u, but v0 doesn't, because it's on the same side of no planes as u. We had a filtered quantum search routine that was costed in terms of the Grover iteration encoding the filter, and I've just introduced a filter called popcount, so the natural thing to do next is to design a quantum circuit for this filter. That's what's on screen at the moment; I think this is the case n equals 31. It's reversible, and this is just the forward direction. Given this, we now know the size of the quantum circuit for popcount, and of the quantum circuit for the Grover iteration of popcount. Another thing that we do in our work is give a heuristic analysis of the false positive and false negative rates of this filter as a function of its two parameters, k, the cutoff, and n, the number of planes, but also of the dimension d of the lattice that we're sitting in. So we almost have all of the pieces of the puzzle. The final thing we need is a collection of cost metrics. We're going to follow the work of Jaques and Schanck from Crypto last year, which costs a quantum computation in terms of the classical control required to run it. Depending on what assumptions you're willing to make about quantum memory, this leads to a number of different cost metrics. The first of these is the so-called gates metric. In this world, you're assuming that self-correcting quantum memory exists, i.e. if you just have an identity wire in your circuit, then making sure that wire maintains its correct state for that layer of depth is a free operation: it's self-correcting quantum memory, you don't have to do anything.
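Going back to the popcount filter for a moment: classically (in a sketch of my own, not the paper's quantum circuit), it amounts to giving each vector an n-bit sign vector relative to n hyperplanes, and passing a pair if the XOR of their sign vectors has popcount at most n − k, i.e. they agree on at least k planes.

```python
import random

def sign_sketch(v, hyperplanes):
    """n-bit sketch of v: bit i is set iff <v, normal_i> >= 0."""
    bits = 0
    for i, h in enumerate(hyperplanes):
        if sum(a * b for a, b in zip(v, h)) >= 0:
            bits |= 1 << i
    return bits

def passes_filter(su, sv, n, k):
    """Pass iff the sketches agree on at least k of the n hyperplanes,
    i.e. popcount(su XOR sv) <= n - k."""
    return bin(su ^ sv).count("1") <= n - k

rng = random.Random(2)
d, n, k = 8, 16, 12
hyperplanes = [[rng.gauss(0, 1) for _ in range(d)] for _ in range(n)]
u = [rng.gauss(0, 1) for _ in range(d)]
close = [x + 0.01 * rng.gauss(0, 1) for x in u]  # nearly parallel to u
far = [-x for x in u]                            # antipodal: every sign flips
su = sign_sketch(u, hyperplanes)
assert passes_filter(su, sign_sketch(close, hyperplanes), n, k)
assert not passes_filter(su, sign_sketch(far, hyperplanes), n, k)
```

The quantum circuit in the work computes this same XOR-then-popcount-then-compare reversibly.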
The cost of your circuit is therefore just the classical cost of enacting all of the quantum gates in your quantum circuit, and so you assign some constant cost to each gate. Now, it's an open problem whether self-correcting quantum memory exists or not, and if you don't think that it does, then you end up in a world where you have to actively correct your quantum memory. In this world, it's not only gates but also identity wires in your circuit, that is, wires in a layer of depth of your circuit that have no gate on them, that have to be acted upon to make sure they maintain the correct quantum state. The first metric in this world of active error correction is the depth-width metric, which simply says that every part of your circuit needs classical control of some sort, and so the cost of your circuit is some constant times the depth times the width of your circuit. But then you can concretize further and actually talk about how you're going to ensure that all the correct states are kept. To do this, you need some sort of error correction routine, and in particular we use the surface code in this work. Roughly, how this works is that you have a logical qubit for each wire in your quantum circuit, and it's formed of something like log squared of (depth times width) noisy physical qubits, so the number of physical qubits required for each logical qubit actually grows as your circuit grows. For each layer of quantum depth, some number of these noisy physical qubits have to be measured, some classical routine has to be run on those measurements, and they have to be reinitialized. This is to keep the noise of those physical qubits low enough that the logical qubit maintains the correct state. So if you think about that procedure, then every quantum gate and every identity wire in your circuit actually costs you something like big Omega of log squared of (depth times width).
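As a rough back-of-the-envelope (my own toy functions, with all constants suppressed), the three metrics just described assign very different costs to the same circuit:

```python
import math

def g_cost(gates, depth, width):
    """Gates metric: only gates cost; identity wires are free
    (self-correcting quantum memory assumed)."""
    return gates

def dw_cost(gates, depth, width):
    """Depth-width metric: every wire in every layer of depth needs
    classical control, so cost ~ depth * width."""
    return depth * width

def surface_code_cost(gates, depth, width):
    """Surface-code-style metric: each of the depth * width circuit
    locations pays on the order of log^2(depth * width) measurement
    and correction work per layer (constants suppressed)."""
    return depth * width * math.log2(depth * width) ** 2

# The metrics diverge as circuits grow:
gates, depth, width = 10**6, 10**4, 10**3
assert g_cost(gates, depth, width) < dw_cost(gates, depth, width)
assert dw_cost(gates, depth, width) < surface_code_cost(gates, depth, width)
```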
But the whole point of this work is to move past asymptotics as far as possible, so we concretize even further and look at a recent, very detailed study of the surface code for particular quantum computations, given by Gidney and Ekerå, and we adapt their scripts to our use case. So now we find ourselves in the position where we have a filtered quantum search routine; we have a quantum circuit for the filter we want to use, and therefore an understanding of its cost; we have an understanding of its false positive and false negative rates; and we have a series of cost metrics that represent different physical realities. We write some software, effectively an optimization piece of software: you give it access to the k and n which determine your popcount filter, and to any other internal parameters of your nearest neighbor search subroutine, and you ask, for a given dimension d in a given metric, what's the cheapest way this search can be performed. We produce a number of figures in our work, and I'm going to reproduce some of them here. We're going to look only at the list decoding sieve, which was the fastest known asymptotic nearest neighbor search subroutine. The dashed lines are the asymptotic complexities, classical and quantum; the solid lines are the complexities suggested by our optimization software. In this depth-width metric, the quantum crossover, i.e. the point at which the quantum variant becomes faster, is quite low down in the dimensions. This was the more optimistic of the two active memory correction cost metrics that we considered. If you instead use the Gidney-Ekerå study of the surface code, then this crossover point moves quite far up in the dimensions. Now, what to take away from our estimates in this paper is that they suggest a great deal less quantum advantage than the asymptotics would suggest.
0.292 is the asymptotic exponent for the classical list decoding sieve, 0.265 for the quantum. But we must also say that our estimates don't entirely rule out the relevance of quantum sieves in cryptanalytically interesting ranges. So here are some hopefully pertinent numbers; we're again talking about list decoding, as in the previous two figures, and the cost metric runs down the left. In the Gidney-Ekerå metric, the crossover point, where the classical and quantum nearest neighbor search routines have roughly the same cost, is at about dimension 312. If you then consider the range of cryptanalytically interesting time complexities, 2^128 to 2^256, you see that at the bottom of that range you really gain very little advantage quantumly, but as you get towards the top end of that range your quantum advantage begins to grow. However, if you instead constrain a different resource, such as memory, be that classical or quantumly accessible classical RAM, then the picture is a little different: in the Gidney-Ekerå metric you gain an advantage of about 2^7, whereas in the depth-width metric, which was the more optimistic of the active memory correction metrics, you have a similar sort of advantage to what you had at the top end of the time complexities for the Gidney-Ekerå metric. So depending on what you're willing to constrain, you get much more or much less quantum advantage. Now, we do stress that what we give in this work are ultimately estimates. We have made some approximations throughout, we have appealed to some heuristics, and we've also set some costs to zero, although the costs that we set to zero tend to be costs that would be exactly the same in the quantum and classical versions of these algorithms.
So to include them, and to consider some maximum cost, would only reduce the range of dimensions for which there would be a quantum advantage. But ultimately the quantum advantage could grow, it could shrink, or it could disappear altogether. Here are three reasons why we think that in a more complete analysis the quantum advantage would actually shrink further. First, while we're able to capture error correction in our analysis, what we don't capture are the relative costs of QRAM and RAM: that is, the act of making a query and receiving a superposition of registers, which is QRAM, versus making a query and receiving a register, which is RAM. We need these queries to enact the algorithms as we've described them, and in our work we assign both of these operations unit cost. Neither of them really has unit cost, but all roads point towards QRAM having a far higher cost than RAM, so were it incorporated into our analysis, we think the quantum advantage would shrink. Second, I described how in the surface code cost model you have to measure a certain number of physical qubits per layer of quantum circuit depth, and perform some classical computation on those measurements before reinitializing them. Well, the time that this classical computation takes sets the clock speed for your progression through your quantum circuit, and our model doesn't capture that in any way at all. And finally, we don't apply any depth constraints to our circuits. A depth constraint says the depth of your circuit cannot be greater than some bound; for example, in the NIST post-quantum standardization process, the most lenient depth constraint they suggest is 2 to the 96. Now, in the face of depth constraints, classical search can be trivially parallelized: you just split the search space. And it's known that Grover search doesn't parallelize as well in the face of depth constraints.
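The parallelization point can be made with standard back-of-the-envelope arithmetic (folklore, not numbers from the paper): splitting a size-N search over P machines gives each machine a Grover instance of depth about sqrt(N/P), so the total quantum work is P times sqrt(N/P), which is sqrt(N times P), while classical work stays at N however you split it.

```python
import math

def quantum_work(n, p):
    """Total Grover iterations across p machines, each searching a
    sub-space of size n / p: p * sqrt(n / p) = sqrt(n * p)."""
    return p * math.sqrt(n / p)

def machines_needed(n, max_depth):
    """Machines needed so each Grover instance fits the depth budget:
    sqrt(n / p) <= max_depth  iff  p >= n / max_depth^2."""
    return math.ceil(n / max_depth ** 2)

# Example: a 2^128 search under a depth budget of 2^40.
n = 2.0 ** 128
p = machines_needed(n, 2.0 ** 40)
assert p == 2 ** 48
# Total quantum work is 2^88: far above the unconstrained 2^64,
# though still below the classical 2^128.
assert abs(quantum_work(n, p) - 2.0 ** 88) < 1e-6 * 2.0 ** 88
```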
So depth constraints are another thing that, were we to take them into account, we think would lessen the quantum advantage. A final subtlety to note is that what we've tried to cost is the nearest neighbor search subroutine within lattice sieves. While it's, I think, always the most expensive part of a lattice sieve, it's not the full story, and it shouldn't necessarily be used as a direct stand-in for the cost of solving shortest vector type problems. For example, within a lattice sieve this nearest neighbor search subroutine is iterated many times, which could lead to our costs being an underestimate for the cost of SVP. There are also other subroutines, such as some parts of the locality sensitive filtering that some nearest neighbor search subroutines use, and also the cost of sampling the vectors to begin with, that we don't account for. But equally, there are ways in which it could be an overestimate for the cost of solving SVP. For example, there's a dimensions for free technique that Ducas introduced, which says that you can use nearest neighbor search in some dimension d to help solve the shortest vector problem in a slightly larger dimension d prime; although we note that if you understand, for a concrete instance, the relationship between d prime and d, then you can use our analysis in this case. There are also many heuristic tricks, both in implementations and in the literature, that are simply not captured by our model. We recommend caution when using the nearest neighbor search subroutine costs that we present in this work as a stand-in for the cost of the shortest vector problem. So all that remains for me to say is thank you. All of our data and software can be found at this GitHub repo, and the paper at this ePrint address. I look forward to a lot of the talks in the excellent schedule that Asiacrypt has this year, and I look forward to your questions. Thank you.