Quantum sieving for code-based cryptanalysis and its limitations for ISD

Abstract

Sieving using near-neighbor search techniques is a well-known method in lattice-based cryptanalysis, yielding the current best runtime for the shortest vector problem in both the classical and quantum setting. Recently, sieving has also become an important tool in code-based cryptanalysis. Specifically, a variant of the information-set decoding (ISD) framework, commonly used for attacking cryptographically relevant instances of the decoding problem, has been introduced that involves a sieving subroutine. The resulting sieving-based ISD framework yields complexities close to the best-performing classical algorithms for the decoding problem. It is therefore natural to ask how well quantum versions perform. In this work, we introduce the first quantum algorithms for code sieving by designing quantum variants of the aforementioned sieving subroutine. In particular, using quantum-walk techniques, we provide a speed-up over classical code sieving and over a variant using Grover’s algorithm. Our quantum-walk algorithm exploits the structure of the underlying search problem by adding a layer of locality sensitive filtering, inspired by a quantum-walk algorithm for lattice sieving. We complement our asymptotic analysis of the quantum algorithms with numerical results, and observe that our quantum speed-ups for code sieving behave similarly as those observed in lattice sieving. In addition, we show that a natural quantum analog of the sieving-based ISD framework does not provide any speed-up over the first quantum ISD algorithm. Our analysis highlights that the framework should be adapted in order to outperform state-of-the-art quantum ISD algorithms.