One of the main candidates of post-quantum cryptography is lattice-based cryptography. Its cryptographic security against quantum attackers is based on the worst-case hardness of lattice problems like the shortest vector problem (SVP), which asks to find the shortest non-zero vector in an integer lattice. Asymptotic quantum speedups for solving SVP are known and rely on Grover's search. However, to assess the security of lattice-based cryptography against these Grover-like quantum speedups, it is necessary to carry out a precise resource estimation beyond asymptotic scalings. In this work, we perform a careful analysis on the resources required to implement several sieving algorithms aided by Grover's search for dimensions of cryptographic interests. For such, we take into account fixed-point quantum arithmetic operations, non-asymptotic Grover's search, the cost of using quantum random access memory (QRAM), different physical architectures, and quantum error correction. We find that even under very optimistic assumptions like circuit-level noise of $10^{-5}$, code cycles of 100 ns, reaction time of 1 $\mu$s, and using state-of-the-art arithmetic circuits and quantum error-correction protocols, the best sieving algorithms require $\approx 10^{13}$ physical qubits and $\approx 10^{31}$ years to solve SVP on a lattice of dimension 400, which is roughly the dimension for minimally secure post-quantum cryptographic standards currently being proposed by NIST. We estimate that a 6-GHz-clock-rate single-core classical computer would take roughly the same amount of time to solve the same problem. We conclude that there is currently little to no quantum speedup in the dimensions of cryptographic interest and the possibility of realising a considerable quantum speedup using quantum sieving algorithms would require significant breakthroughs in theoretical protocols and hardware development.

翻译：后量子密码学的主要候选方案之一是格基密码学。其抵御量子攻击的密码安全性基于格问题（如最短向量问题（SVP））的最坏情况困难性，该问题要求找出整数格中最短的非零向量。已知求解SVP存在渐近量子加速，其依赖于Grover搜索算法。然而，为评估格基密码学抵御此类Grover式量子加速的安全性，有必要在渐近标度之外进行精确的资源估算。本工作中，我们对在密码学关注维度下实现若干借助Grover搜索的筛法所需资源进行了细致分析。为此，我们综合考虑了定点量子算术运算、非渐近Grover搜索、使用量子随机存取存储器（QRAM）的成本、不同物理架构以及量子纠错等因素。我们发现，即使在非常乐观的假设下（如电路级噪声为$10^{-5}$、代码周期100 ns、反应时间1 $\mu$s，并使用最先进的算术电路和量子纠错协议），最佳筛法仍需要约$10^{13}$个物理量子比特和约$10^{31}$年才能在维度400的格上求解SVP——该维度大致对应NIST当前提出的最低安全后量子密码标准所需维度。我们估算，一台6 GHz时钟频率的单核经典计算机求解同一问题所需时间大致相当。我们的结论是：在当前密码学关注维度下，量子加速效应微乎其微甚至不存在；要实现量子筛法带来的显著量子加速，需要在理论协议和硬件发展方面取得重大突破。