The learning with errors problem (LWE) is one of the most important building blocks for post-quantum cryptography. To better understand the quantum hardness of LWE, it is crucial to explore quantum variants of LWE, show quantum algorithms for those variants, or prove they are as hard as standard LWE. To this end, Chen, Liu, and Zhandry [Eurocrypt 2022] define the $\sf{S|LWE\rangle}$ problem, which encodes the error of LWE samples into quantum amplitudes. They then show efficient quantum algorithms for $\sf{S|LWE\rangle}$ with a few interesting amplitudes. However, the hardness of the most interesting amplitude, Gaussian, was not addressed by Chen et al., or only known for some restricted settings (for example, when the number of $\sf{S|LWE\rangle}$ samples is very small, it is well known that $\sf{S|LWE\rangle}$ is as hard as standard LWE). In this paper, we show new hardness and algorithms for $\sf{S|LWE\rangle}$ with Gaussian and other amplitudes. Our main results are 1. There exist quantum reductions from standard LWE or worst-case GapSVP to $\sf{S|LWE\rangle}$ with Gaussian amplitude with unknown phase, and arbitrarily many $\sf{S|LWE\rangle}$ samples. 2. There is a $2^{\widetilde{O}(\sqrt{n})}$-time algorithm for $\sf{S|LWE\rangle}$ with Gaussian amplitude with known phase, given $2^{\widetilde{O}(\sqrt{n})}$ many quantum samples. The algorithm is modified from Kuperberg's sieve, and in fact works for more general amplitudes as long as the amplitudes and phases are completely known. One way of interpreting our result is: to show a sub-exponential time quantum algorithm for standard LWE, all we need is to handle phases in $\sf{S|LWE\rangle}$ amplitudes better, either in the algorithm or the reduction.

翻译：容错学习问题（LWE）是后量子密码学最重要的基础构件之一。为深入理解LWE的量子困难性，探索LWE的量子变体、设计针对这些变体的量子算法，或证明它们与标准LWE具有同等难度至关重要。为此，Chen、Liu和Zhandry [Eurocrypt 2022] 定义了 $\sf{S|LWE\rangle}$ 问题，该问题将LWE样本的误差编码为量子振幅。他们随后针对若干特殊振幅情形给出了高效的量子算法。然而，最具研究价值的正态分布振幅的困难性并未被Chen等人解决——仅在受限场景下（例如当 $\sf{S|LWE\rangle}$ 样本数极小时，已知其与标准LWE难度相当）有所结论。本文展示了关于正态分布及其他振幅的 $\sf{S|LWE\rangle}$ 困难性新结论与算法。主要结果包括：1. 存在从标准LWE或最坏情形GapSVP到未知相位、任意数量样本的正态振幅 $\sf{S|LWE\rangle}$ 的量子归约；2. 给定 $2^{\widetilde{O}(\sqrt{n})}$ 个量子样本时，存在 $2^{\widetilde{O}(\sqrt{n})}$ 时间复杂度的算法求解已知相位的正态振幅 $\sf{S|LWE\rangle}$。该算法基于Kuperberg筛法改进，事实上适用于振幅和相位完全已知的更一般情形。本文结论的一种解读是：要得到标准LWE的次指数时间量子算法，只需在算法或归约中更有效地处理 $\sf{S|LWE\rangle}$ 振幅中的相位信息。