Paper 2019/234

On the Shortness of Vectors to be found by the Ideal-SVP Quantum Algorithm

Léo Ducas, Maxime Plançon, and Benjamin Wesolowski


The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the analog problem for general lattices (SVP), even when considering quantum algorithms. But in the last few years, a series of works has lead to a quantum algorithm for Ideal-SVP that outperforms what can be done for general SVP in certain regimes. More precisely, it was demonstrated (under certain hypotheses) that one can find in quantum polynomial time a vector longer by a factor at most $\alpha = \exp({\tilde O(n^{1/2})})$ than the shortest non-zero vector in a cyclotomic ideal lattice, where $n$ is the dimension. In this work, we explore the constants hidden behind this asymptotic claim. While these algorithms have quantum steps, the steps that impact the approximation factor $\alpha$ are entirely classical, which allows us to estimate it experimentally using only classical computing. Moreover, we design heuristic improvements for those steps that significantly decrease the hidden factors in practice. Finally, we derive new provable effective lower bounds based on volumetric arguments. This study allows to predict the crossover point with classical lattice reduction algorithms, and thereby determine the relevance of this quantum algorithm in any cryptanalytic context. For example we predict that this quantum algorithm provides shorter vectors than BKZ-300 (roughly the weakest security level of NIST lattice-based candidates) for cyclotomic rings of rank larger than about $24000$.

Note: *Erratum.* A previous version (Feb. 2019) of this report included errors in Figure~\ref{fig:compare_with_bkz}: our plotting script had a mistake overpredicting the root-Hermite factor. After correction (Aug. 2021), various cross-over points with BKZ have therefore noticeably decreased. We are grateful to Daniel J. Bernstein, Kirsten Eisenträger, Tanja Lange, Karl Rubin, Alice Silverberg, and Christine van Vredendaal for detecting, identifying, and reporting this mistake.

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
Quantum CryptanalysisCyclotomic Ideal Lattices.
Contact author(s)
ducas @ cwi nl
2021-08-23: last of 2 revisions
2019-02-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Léo Ducas and Maxime Plançon and Benjamin Wesolowski},
      title = {On the Shortness of Vectors to be found  by the Ideal-SVP Quantum Algorithm},
      howpublished = {Cryptology ePrint Archive, Paper 2019/234},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.