In this paper, we study the requirement for quantum random access memory (QRAM) in quantum lattice sieving, a fundamental algorithm for lattice-based cryptanalysis. First, we obtain a lower bound on the cost of quantum lattice sieving with a bounded-size QRAM. We do so in a new query model encompassing a wide range of lattice sieving algorithms similar to those in the classical sieving lower bound by Kirshanova and Laarhoven [CRYPTO 21]. This implies that, under reasonable assumptions, quantum speedups in lattice sieving require the use of QRAM. In particular, no quantum speedup is possible without QRAM. Second, we investigate the trade-off between the size of QRAM and the quantum speedup. We obtain a new interpolation between classical and quantum lattice sieving. Moreover, we show that further improvements require a novel way to use the QRAM by proving the optimality of some subroutines. An important caveat is that this trade-off requires a strong assumption on the efficient replacement of QRAM data, indicating that even speedups with a small QRAM are already challenging. Finally, we provide a circuit for quantum lattice sieving without using QRAM. Our circuit has a better depth complexity than the best classical algorithms but requires an exponential number of qubits. To the best of our knowledge, this is the first quantum speedup for lattice sieving without QRAM in the standard quantum circuit model. We explain why this circuit does not contradict our lower bound, which considers the query complexity.