We propose a new lattice reduction method. Our algorithm approximates shortest lattice vectors up to a factor ≤ (k/6)~(n/2k) and makes use of Grover's quantum search algorithm. The proposed method has the expected running time O(u~3(k/6)~(k/8)A + n~4A), That is about the square root of the running time O(n~3(k/6)~(k/4)A + n~4/A) of Schnorr's recent random sampling reduction which in turn improved the running time to the fourth root of previously known algorithms. Our result demonstrates that the availability of quantum computers will affect not only the security of cryptosystems based on integer factorization or discrete logarithms, but also of lattice based cryptosystems. Rough estimates based on our asymptotic improvements and experiments reported in [1] suggest that the NTRU security parameter needed to be increased from 503 to 1277 if sufficiently large quantum computer were available nowadays.
展开▼
