Full text

1. Introduction

The Learning with Errors (LWE) problem [1] has become a cornerstone of post-quantum cryptography, serving as the security foundation for numerous cryptographic constructions [2,3,4]. In its standard form, LWE tries to find a secret vector $s\in {\mathbb{Z}}_q^n$ given $(A,b)\in {\mathbb{Z}}_q^{m\times n}\times {\mathbb{Z}}_q^m$, where A is a random matrix and $b=As+emodq$ for some small error vector e. The hardness of LWE is supported by worst-case lattice reduction proofs [5], making it a robust basis for cryptographic constructions.

A particularly efficient variant is ternary LWE, where the entries of s and e are restricted to $\{-1,0,1\}$. This variant is employed in several practical schemes, including NTRU-based cryptosystems [6,7,8] and signature protocols such as BLISS [9] and GLP [10]. While the small domain of the secret and error does not fundamentally break LWE’s security, it does enable more efficient combinatorial attacks that exploit the sparsity and structure of the secrets.

Combinatorial attacks offer a distinct approach to cryptanalyzing LWE with small secrets, beginning with early Meet-in-the-Middle (MitM) attacks on NTRU by Odlyzko [11] and Howgrave-Graham [12]. A significant advancement came from May [13], who adapted the representation technique from subset-sum attacks [14,15,16] to reduce MitM complexity from ${\mathcal{S}}^{0.5}$ to approximately ${\mathcal{S}}^{0.25}$ for a search space of size $\mathcal{S}$. However, this improvement required guessing sub-linear error coordinates, which, while asymptotically negligible, raised concrete complexities to ${\mathcal{S}}^{0.3}$ for practical NTRU, BLISS, and GLP parameters. This limitation was later addressed by Kirshanova and May [17] through an Odlyzko-based locality-sensitive hashing (LSH) technique that eliminated error guessing, finally achieving complexities near the asymptotic ${\mathcal{S}}^{0.25}$ bound.

In the quantum setting, van Hoof et al. [18] investigated quantum speedups for May’s algorithm. Their asymptotic analysis demonstrates that the approach achieves a time complexity close to the ${\mathcal{S}}^{0.193}$ bound; however, for concrete instantiations, the method only reaches a ${\mathcal{S}}^{0.251}$ bound. Despite employing quantum search to accelerate the guessing phase, their quantum approach inherits the same fundamental limitation: for concrete cryptographic parameters, the realized complexity substantially deviates from the asymptotic bound, failing to bridge the gap between theoretical and practical performance.

1.1. Our Contribution

This work introduces a quantum adaptation of the LSH-based algorithm by Kirshanova and May [17] for solving ternary LWE. We reformulate the key recovery problem within a graph search framework. By implementing an optimized quantum walk over this graph, we eliminate the need for guessing the error coordinates—a fundamental limitation inherent to the quantum approach of van Hoof et al. [18]. As a result, our method substantially narrows the gap between asymptotic and concrete complexity, achieving a concrete bound of approximately $S^{0.225}$ compared to the $S^{0.251}$ bound of vHKM. For concrete parameters of major schemes such as NTRU, BLISS, and GLP, our method demonstrates speedup factors ranging from $2^{16}$ to $2^{60}$ over the vHKM [18] attack.

Our algorithm establishes the state of the art for quantum combinatorial attacks on ternary LWE. A comparison with quantum sieving algorithm shows a split in dominance: our method is superior for small-weight parameters, while lattice-based attacks maintain the lead for most others.

Current LWE parameter selection relies heavily on lattice reduction heuristics (e.g., Gaussian Heuristic and Geometric Series Assumption) and diverse BKZ runtime models, potentially underestimating security. In contrast, our combinatorial approach builds on heuristic principles derived from subset-sum or knapsack problems, which possess a stronger theoretical foundation. For knapsack-type distributions, it can be rigorously proven that pathological instances form only an exponentially small fraction, enabling the construction of provable probabilistic algorithms that avoid heuristics entirely. This theoretical robustness, combined with experimental validation in prior work [15], provides runtime predictions with significantly enhanced precision compared to lattice reduction heuristics that depend on unproven assumptions.

Our second contribution focuses on LWE key recovery under polynomial quantum memory constraints. While previous quantum-walk-based approaches achieve optimal time complexity among combinatorial methods, they require exponential qubit resources and rely on the strong Quantum Random Access Quantum Memory (QRAQM) model.

Building on recent work by Benedikt [19], who applied the quantum claw-finding algorithm of Chailloux et al. [20] to ternary LWE problems, we adopt a more practical approach that combines the Kirshanova–May framework [17] with this claw-finding technique. This hybrid strategy operates efficiently with only $\mathcal{O}\left(n\right)$ qubits under the Quantum Random Access Classical Memory (QRACM) model.

While Benedikt [19] provided valuable asymptotic analysis, their work left open the question of concrete security estimates for practical cryptographic parameter sets. Our work specifically addresses this gap by performing the first comprehensive concrete security analysis of real-world LWE-based schemes under polynomial-qubit constraints, providing crucial insights for post-quantum security assessments.

Furthermore, we provide the time–classical memory trade-offs for concrete schemes and explicitly compare our approach with the vHKM [18] method under strict polynomial classical memory constraints. Notably, across all evaluated schemes, our algorithm consistently achieves lower time complexity than vHKM under the same polynomial memory bound, further establishing its practical relevance in constrained settings.

1.2. Organization

The rest of this paper is organized as follows. In Section 2, we provide the necessary background, including the definition of the Ternary LWE, an introduction to Generalized Odlyzko’s Locality-Sensitive Hashing, and a review of the quantum primitives used in this work: amplitude amplification and quantum walks. Section 3 reviews the classical LSH-based MitM attack on ternary LWE by Kirshanova and May, which serves as the foundation for our quantum algorithms. In Section 4, we present our main contribution. We reformulate the ternary LWE key search problem as a graph search problem and introduce our novel quantum algorithm that combines the Kirshanova–May framework with a quantum walk. We provide a detailed description of the algorithm and a comprehensive concrete security analysis for major cryptographic schemes. Section 5 addresses the scenario of polynomial quantum memory constraints. We present a second algorithm that hybridizes the Kirshanova–May framework with a quantum claw-finding technique, requiring only a polynomial number of qubits. The concrete security of real-world schemes under this new algorithm is thoroughly analyzed. Finally, we conclude the paper in Section 6 with a summary of our findings.

2. Preliminaries

2.1. Notational Conventions

We adopt the following notation throughout this paper:

Let ${\mathbb{Z}}_q$ represent the quotient ring of integers modulo $q\ge 2$.

2.2. Ternary LWE Secret Key

We focus on LWE instances where both the secret and error vectors are ternary and matrix A is square. This specific case captures numerous practical implementations in lattice-based cryptography.

The ternary constraint ensures cryptographic efficiency while maintaining security guarantees. For a randomly chosen A, the correct solution s is uniquely identifiable with high probability through the condition that $As-b$ also falls within ${\mathcal{T}}^n$.

Practical implementations often impose additional structural constraints by fixing the number of non-zero entries in ternary vectors, leading to optimized security parameters and implementation characteristics.

Rounding considerations are handled appropriately in concrete parameterizations. Weight restrictions naturally emerge in the context of NTRU-type cryptosystems, where optimal values typically reside in the interval $\omega \in [\frac{1}{3},\frac{2}{3}]$. The specific choice $\omega =\frac{3}{8}$ appears in several standardized parameter sets, representing a careful equilibrium between security and performance requirements.

2.3. Generalized Odlyzko’s Locality-Sensitive Hashing

A key technique in combinatorial attacks on ternary LWE is the use of LSH to efficiently identify pairs of vectors that are close in the ${\ell }_{\infty }$-norm. Odlyzko’s original LSH function [11] partitions ${\mathbb{Z}}_q$ into two halves and assigns binary labels, but it requires special handling of border values.

Kirshanova and May [17] generalized this approach to avoid explicit border checks and to enable more flexible bucketing. Their LSH family is defined as follows. For a bucket size parameter $B\in \{1,\dots ,q\}$ and a random shift vector $u\in {\mathbb{Z}}_q^n$, the hash function $h_{u,B}:{\mathbb{Z}}_q^n\to {\left[0,\lceil q/B\rceil -1\right]}^n$ is given by

(3)$h_{u,B}\left(x\right)=\left(⌊{\displaystyle \frac{x_1+u_1}{B}}⌋,\dots ,⌊{\displaystyle \frac{x_n+u_n}{B}}⌋\right).$

This function maps each coordinate of x to a bucket index after a random cyclic shift. The probability that two vectors $x,y$ with ${\parallel x-y\parallel }_{\infty }=1$ collide under a random $h_{u,B}$ is ${(1-1/B)}^n$.

Algorithm 1 solves the close pairs problem in the ${\ell }_{\infty }$-norm: given two lists $L_1,L_2\subset {\mathbb{Z}}_q^n$, find a $(1-o(1\left)\right)$-fraction of all pairs $(x,y)\in L_1\times L_2$ such that ${\parallel x-y\parallel }_{\infty }=1$.

The space and time complexities of Algorithm 1 are given by

(4)$\begin{array}{cc}\hfill S& =max\left\{{\left|L\right|,\left|L\right|}^2·{\left({\displaystyle \frac{3}{q}}\right)}^n\right\}·\mathrm{poly}\left(n\right),\hfill \\ \hfill T_{\mathsf{LSH}}\left(\right|L|,n,B)& =max\left\{{S,\left|L\right|}^2·{\left({\displaystyle \frac{B^2}{(B-1)q}}\right)}^n·\mathrm{poly}\left(n\right)\right\}.\hfill \end{array}$

When combining approximate matching on $k_1$ coordinates with exact matching on $k_2$ coordinates, the complexity becomes

(5)$\begin{array}{cc}\hfill S& =max\left\{{\left|L\right|,\left|L\right|}^2·{\left({\displaystyle \frac{3}{q}}\right)}^{k_1}·{\left({\displaystyle \frac{1}{q}}\right)}^{k_2}\right\},\hfill \\ \hfill T_{\mathsf{LSH}+\mathsf{Exact}}\left(\right|L|,k_1,k_2,B)& =max\left\{{S,\left|L\right|}^2·{\left({\displaystyle \frac{B^2}{(B-1)q}}\right)}^{k_1}·{\left({\displaystyle \frac{1}{q}}\right)}^{k_2}·nlogn\right\}.\hfill \end{array}$

This generalized LSH technique is crucial for efficiently merging partial solutions in Meet-in-the-Middle attacks on ternary LWE, as it allows for approximate matching without guessing error coordinates.

2.4. Amplitude Amplification

Amplitude amplification [21] is a fundamental technique in quantum computing that amplifies the probability amplitudes of the target states, which are identified by an oracle.

Consider a quantum algorithm $\mathcal{A}$ that prepares a uniform superposition $|\varphi \rangle ={\sum }_{x\in \mathcal{X}}{\displaystyle \frac{1}{\left|\mathcal{X}\right|}}|x\rangle$ over some subset $\mathcal{X}\subseteq {\{0,1\}}^n$. Let $f:\mathcal{X}\to \{0,1\}$ be a computable Boolean function with its quantum oracle $O_f$ acting as $O_f|x\rangle |b\rangle \mapsto |x\rangle |b\oplus f\left(x\right)\rangle$.

Define ${\mathcal{X}}_f=\{x\in \mathcal{X}\mid f\left(x\right)=1\}$ as the set of “good” elements. The probability of obtaining a good element by measuring $|\varphi \rangle$ is $p=|{\mathcal{X}}_f|/|\mathcal{X}|$. The amplitude amplification algorithm finds an element $x\in {\mathcal{X}}_f$ with high probability using only $\mathcal{O}(1/\sqrt{p})$ iterations, where each iteration comprises one call each to $\mathcal{A}$, ${\mathcal{A}}^{†}$, and $O_f$.

Let $T_{\mathcal{A}}$ and $T_f$ denote the time complexities of implementing $\mathcal{A}$ and $O_f$, respectively. The total time complexity of amplitude amplification is

(6)$T=\mathcal{O}\left({\displaystyle \frac{1}{\sqrt{p}}}·(T_{\mathcal{A}}+T_f)\right).$

Amplitude amplification generalizes Grover search [22]. In the Grover setting, we take $\mathcal{X}={\{0,1\}}^n$, and $\mathcal{A}$ applies a Hadamard gate to each qubit, which can be implemented efficiently with $T_{\mathcal{A}}=\mathcal{O}\left(1\right)$.

2.5. Quantum Walk Search on Graphs

Consider a connected, d-regular, undirected graph $G=(V,E)$ with a subset of marked vertices. The objective is to find a marked vertex. The classical random walk on the graph G is characterized by a symmetric transition matrix P of size $\left|V\right|\times \left|V\right|$, where the entry $P_{u,v}$ is defined as $1/d$ if $(u,v)\in E$, and zero otherwise. A classical random walk search proceeds as follows:

Sample a vertex $u\in V$ from an initial probability distribution over V and initialize an associated data structure $d\left(u\right)$.

Let $\delta$ denote the spectral gap of G, defined as the difference between the two largest eigenvalues of its adjacency matrix. The mixing time required to approximate the uniform distribution from an arbitrary starting vertex is known to satisfy $t_2=1/\delta$.

Let $ϵ$ be the fraction of marked vertices, so that a vertex sampled uniformly at random is marked with probability $ϵ$. Then, the expected number of trials needed to find a marked vertex is $t_1=1/ϵ$.

We define the following cost parameters:

Setup cost $T_S$: the cost of sampling the initial vertex and constructing the data structure $d\left(u\right)$.

The overall cost of the classical random walk search is then given by

(7)$T_{\mathrm{RW}}=T_S+{\displaystyle \frac{1}{ϵ}}\left({\displaystyle \frac{1}{\delta }}{T}_U+T_C\right).$

In the quantum setting, the walk is initialized by preparing a uniform superposition over all vertices, together with two auxiliary registers (we omit normalization for simplicity):

(8)$|\pi \rangle =\sum _{u\in V}|u\rangle |p_u\rangle |d\left(u\right)\rangle ,$

The coin register $|p_u\rangle$ uses the same number of qubits as the vertex register $|u\rangle$ and encodes the direction of the quantum walk. The data register $\left|d\right(u)\rangle$ contains the classical data structure associated with vertex u, which is used to determine if u is marked.

The quantum walk step is a unitary operation that coherently simulates one step of the random walk. It consists of a coin operation followed by a shift operation. The coin operation creates a superposition over the neighbors of the current vertex, while the shift operation updates the vertex register accordingly. Throughout this process, the data structure in the register $\left|d\right(u)\rangle$ is updated coherently to reflect the new vertex. The checking operation is a phase oracle that applies a $-1$ phase to marked vertices.

We define the quantum analogues of the classical cost parameters as follows:

Setup cost $T_S$: The cost of preparing the initial state $|\pi \rangle$.

The quantum walk search algorithm achieves a quadratic speedup over classical approaches, requiring only $1/\sqrt{ϵ}$ iterations via amplitude amplification. A key component of this algorithm is the implementation of a reflection operator about the stationary state of the quantum walk, which corresponds to the quantum analog of the classical stationary distribution. Remarkably, this reflection can be approximated using phase estimation applied to the quantum walk operator, which requires only $1/\sqrt{\delta }$ steps. This efficiency stems from the quadratic relationship between the classical spectral gap $\delta$ and the phase gap of the quantum walk: while the classical mixing time scales as $1/\delta$, the quantum phase estimation converges in time $1/\sqrt{\delta }$.

The cost of the quantum walk search is given by the following theorem:

The graphs used in our quantum walk search algorithms are the Cartesian products of Johnson graphs.

3. LSH-Based MitM Attacks for Ternary LWE

The combinatorial attack on ternary LWE by Kirshanova and May [17] introduces a MitM approach improved with LSH and representation techniques. We refer to the two instantiations of their attack as Rep-0 and Rep-1, which we will introduce in turn, as they form the basis for our quantum algorithms.

3.1. Rep-0: First Instantiation of LSH-Based MitM Attacks

Let $s\in {\mathcal{T}}^n(w/2)$ be a ternary LWE secret vector of weight w. Rep-0 represents the secret vector $s\in {\mathcal{T}}^n(w/2)$ into two vectors $s_1^{\left(1\right)},s_2^{\left(1\right)}\in {\mathcal{T}}^n(w/4)$ such that $s=s_1^{\left(1\right)}+s_2^{\left(1\right)}$. Such a pair $(s_1^{\left(1\right)},s_2^{\left(1\right)})$ is called a representation of s. There are $R={\left({\displaystyle \genfrac{}{}{0pt}{}{w/2}{w/4}}\right)}^2$ such representations in total. The key idea is to leverage this representation to split the LWE equation $As=b+emodq$ into two parts:

(12)$A{s}_1^{\left(1\right)}=-A{s}_2^{\left(1\right)}+b+emodq.$

In the standard MitM approach, one would enumerate all possible $s_1^{\left(1\right)}$ and $s_2^{\left(1\right)}$ and look for pairs where $A{s}_1^{\left(1\right)}$ and $-A{s}_2^{\left(1\right)}+b$ differ by a ternary error vector e. However, this requires checking all pairs, which is inefficient. Instead, Rep-0 uses a tree-based search with LSH to efficiently find matching pairs.

Rep-0 constructs a depth-2 search tree as illustrated in Figure 1. At the top level (level 2), each $s_i^{\left(1\right)}$ is further splitted into two vectors, yielding a total of four lists:

(13)$\begin{array}{cc}\hfill L_1^{\left(2\right)}& =\left\{s_1^{\left(2\right)}\in {\mathcal{T}}^{n/2}(w/8)\times 0^{n/2}\right\},\hfill \\ \hfill L_2^{\left(2\right)}& =\left\{s_2^{\left(2\right)}\in 0^{n/2}\times {\mathcal{T}}^{n/2}(w/8)\right\},\hfill \\ \hfill L_3^{\left(2\right)}& =\left\{s_3^{\left(2\right)}\in {\mathcal{T}}^{n/2}(w/8)\times 0^{n/2}\right\},\hfill \\ \hfill L_4^{\left(2\right)}& =\left\{s_4^{\left(2\right)}\in 0^{n/2}\times {\mathcal{T}}^{n/2}(w/8)\right\}.\hfill \end{array}$

The merge process proceeds level by level. At each step, we perform both exact matching and approximate matching, employing the LSH-Odlyzko method from Section 2.3 for the latter. To ensure that expect one solution survives after merging, the parameter k must satisfy $q^{{\displaystyle \frac{k}{2}}}{\left({\displaystyle \frac{q}{3}}\right)}^{{\displaystyle \frac{k}{2}}}\approx R$. More precisely, k is calculated as

(14)$k=⌊{\displaystyle \frac{{log}_{2}R}{{log}_{2}q-0.5{log}_{2}3}}⌋.$

The pseudocode of Rep-0 is presented in Algorithm 2.

After Step 3–4 in Algorithm 2, we obtain two level-1 lists with the following structure:

(15)$\begin{array}{cc}\hfill L_1^{\left(1\right)}& =\left\{s_1^{\left(1\right)}\in {\mathcal{T}}^n(w/4):A{s}_1^{\left(1\right)}\in {\mathbb{Z}}_q^{n-k}\times 0^{k/2}\times {\{\pm 1,0\}}^{k/2}\right\},\hfill \\ \hfill L_2^{\left(1\right)}& =\left\{s_2^{\left(1\right)}\in {\mathcal{T}}^n(w/4):A{s}_2^{\left(1\right)}\in {\mathbb{Z}}_q^{n-k}\times {\{\pm 1,0\}}^{k/2}\times 0^{k/2}\right\}.\hfill \end{array}$

This means that vectors in $L_1^{\left(1\right)}$ satisfy $A{s}_1^{\left(1\right)}=0$ on $k/2$ coordinates (exact matching) and $A{s}_1^{\left(1\right)}\in \{\pm 1,0\}$ on another $k/2$ coordinates (approximate matching), while vectors in $L_2^{\left(1\right)}$ satisfy $A{s}_2^{\left(1\right)}\in \{\pm 1,0\}$ on $k/2$ coordinates and $A{s}_2^{\left(1\right)}=0$ on the other $k/2$ coordinates.

Step 5 in Algorithm 2 merges $L_1^{\left(1\right)}$ and $L_2^{\left(1\right)}$ using LSH-Odlyzko on the $n-k$ coordinates that were not involved in the previous matching steps. This finds pairs $(s_1^{\left(1\right)},s_2^{\left(1\right)})$ such that $A{s}_1^{\left(1\right)}$ and $b-A{s}_2^{\left(1\right)}$ are 1-close in the ${\ell }_{\infty }$-norm, which ensures that $s=s_1^{\left(1\right)}+s_2^{\left(1\right)}$ satisfies $As=b+e$ with $e\in {\mathcal{T}}^n$.

The correctness of Algorithm 2 follows from the representation technique: each valid secret s has multiple representations as $s_1^{\left(1\right)}+s_2^{\left(1\right)}$, and we expect that one of these representations survives the merging process. The LSH-based matching efficiently identifies pairs that satisfy Equation (12) without explicitly checking all possible pairs.

Let $L^{\left(j\right)}$ denote the common size of the lists at level j, for $j=0,1,2$. We have

(16)$\begin{array}{cc}\hfill L^{\left(2\right)}& =\left({\displaystyle \genfrac{}{}{0pt}{}{n/2}{w/8,w/8,·}}\right),\hfill \\ \hfill L^{\left(1\right)}& ={\left(L^{\left(2\right)}\right)}^2·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k}{2}}},\hfill \\ \hfill L^{\left(0\right)}& ={\displaystyle \frac{{\left(L^{\left(1\right)}\right)}^2}{2^{n-k}}}.\hfill \end{array}$

The space complexity is determined by the maximum list size encountered during the merging process:

(17)$S_{\mathrm{Rep}-0}=max\left\{L^{\left(2\right)},L^{\left(1\right)},L^{\left(0\right)}\right\}.$

The time complexity is dominated by the largest list size and the cost of LSH-based merging at each level:

(18)$\begin{array}{cc}\hfill T_{\mathrm{Rep}-0}& =max\left\{S_{\mathrm{Rep}-0},T_{\mathsf{LSH}+\mathsf{Exact}}\left(L^{\left(2\right)},{\displaystyle \frac{k}{2}},{\displaystyle \frac{k}{2}},B\right),T_{\mathsf{LSH}+\mathsf{Exact}}\left(L^{\left(1\right)},n-k,0,{\displaystyle \frac{q}{2}}\right)\right\}\hfill \\ \hfill & =max\left\{S_{\mathrm{Rep}-0},{\left(L^{\left(2\right)}\right)}^2·{\left({\displaystyle \frac{B^2}{(B-1)q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·nlogn,{\displaystyle \frac{{\left(L^{\left(1\right)}\right)}^2·nlogn}{2^{n-k}}}\right\}.\hfill \end{array}$

Here, the last equality follows from Equation (5). The bucket size B is a parameter that needs to be optimized.

3.2. Rep-1: Optimized LSH-Based MitM Attacks

Rep-1 generalizes Rep-0 by allowing more flexible decompositions. In addition to representing non-zero entries of s as sums of non-zero entries in $s_1^{\left(1\right)}$ and $s_2^{\left(1\right)}$, Rep-1 also allows zero entries in s to be represented as $1+(-1)$ or $(-1)+1$. This increases the number of representations and allows for a more efficient search tree.

We now describe Rep-1 with depth-3, as illustrated in Figure 2. The ternary LWE secret vector $s\in {\mathcal{T}}^n(w/2)$ is decomposed as

(19)$s=s_1^{\left(1\right)}+s_2^{\left(1\right)},\mathrm{where}{s}_1^{\left(1\right)}, s_2^{\left(1\right)}\in {\mathcal{T}}^n(w/4+\epsilon \left[1\right]).$

Here, $\epsilon \left[1\right]\ge 0$ is a parameter that controls the number of additional $\pm 1$ entries used to represent zeros in s. The total number of representations at level 1 is

(20)$R^{\left(1\right)}={\left({\displaystyle \genfrac{}{}{0pt}{}{w/2}{w/4}}\right)}^2·\left({\displaystyle \genfrac{}{}{0pt}{}{n-w}{\epsilon \left[1\right],\epsilon \left[1\right],·}}\right).$

Each $s_i^{\left(1\right)}$ is further decomposed into two vectors at level 2:

(21)$s_i^{\left(1\right)}=s_{2i-1}^{\left(2\right)}+s_{2i}^{\left(2\right)},\mathrm{where}{s}_{2i-1}^{\left(2\right)}, s_{2i}^{\left(2\right)}\in {\mathcal{T}}^n\left({\displaystyle \frac{w}{8}}+{\displaystyle \frac{\epsilon \left[1\right]}{2}}+\epsilon \left[2\right]\right).$

The number of representations at level 2 is

(22)$R^{\left(2\right)}={\left({\displaystyle \genfrac{}{}{0pt}{}{w/4+\epsilon \left[1\right]}{w/8+\epsilon \left[1\right]/2}}\right)}^2·\left({\displaystyle \genfrac{}{}{0pt}{}{n-w/2-2\epsilon \left[1\right]}{\epsilon \left[2\right],\epsilon \left[2\right],·}}\right).$

Finally, at level 3, Rep-1 enumerates the vectors $s_j^{\left(3\right)}\in {\mathcal{T}}^{n/2}\left({\displaystyle \frac{w}{16}}+{\displaystyle \frac{\epsilon \left[1\right]}{4}}+{\displaystyle \frac{\epsilon \left[2\right]}{2}}\right)$ directly. The merging process uses a combination of exact and approximate matching at each level, with the number of matched coordinates $k\left[i\right]$ chosen to satisfy

(23)$k\left[i\right]=⌊{\displaystyle \frac{{log}_2{R}^{\left(i\right)}}{{log}_{2}q-{0.5}^i{log}_{2}3}}⌋.$

The pseudocode of Rep-1 is outlined in Algorithm 3.

Let $L^{\left(j\right)}$ denote the common size of the lists at level j, for $j=0,1,2,3$. We have

(24)$\begin{array}{cc}\hfill L^{\left(3\right)}& =\left({\displaystyle \genfrac{}{}{0pt}{}{n/2}{g(w,\epsilon [1],\epsilon [2\left]\right),g(w,\epsilon [1],\epsilon [2\left]\right),·}}\right),\hfill \\ \hfill L^{\left(2\right)}& ={\left(L^{\left(3\right)}\right)}^2·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k\left[2\right]}{4}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{3k\left[2\right]}{4}}},\hfill \\ \hfill L^{\left(1\right)}& ={\left(L^{\left(2\right)}\right)}^2·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k\left[1\right]-k\left[2\right]}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k\left[1\right]-k\left[2\right]}{2}}},\hfill \\ \hfill L^{\left(0\right)}& ={\displaystyle \frac{{\left(L^{\left(1\right)}\right)}^2}{2^{n-k}}},\hfill \end{array}$

The space complexity is determined by the maximum list size encountered during the merging process:

(25)$S_{\mathrm{Rep}-1}=max\left\{L^{\left(3\right)},L^{\left(2\right)},L^{\left(1\right)},L^{\left(0\right)}\right\}.$

The time complexity is dominated by the largest list size and the cost of LSH-based merging at each level:

(26)$T_{\mathrm{Rep}-1}=max\left\{T^{\left(3\right)},T^{\left(2\right)},T^{\left(1\right)},T^{\left(0\right)}\right\},$

(27)$\begin{array}{cc}\hfill T^{\left(3\right)}& =L^{\left(3\right)},\hfill \\ \hfill T^{\left(2\right)}& =max\left\{L^{\left(3\right)},L^{\left(2\right)},{\left(L^{\left(2\right)}\right)}^2·{\left({\displaystyle \frac{B{\left[2\right]}^2}{\left(B\right[2]-1)q}}\right)}^{{\displaystyle \frac{k\left[2\right]}{4}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{3k\left[2\right]}{4}}}·nlogn\right\},\hfill \\ \hfill T^{\left(1\right)}& =max\left\{L^{\left(2\right)},L^{\left(1\right)},{\left(L^{\left(1\right)}\right)}^2·{\left({\displaystyle \frac{B{\left[1\right]}^2}{\left(B\right[1]-1)q}}\right)}^{{\displaystyle \frac{k\left[1\right]-k\left[2\right]}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k\left[1\right]-k\left[2\right]}{2}}}·nlogn\right\},\hfill \\ \hfill T^{\left(0\right)}& =max\left\{L^{\left(1\right)},L^{\left(0\right)},{\displaystyle \frac{{\left(L^{\left(1\right)}\right)}^2}{2^{n-k}}}\right\}.\hfill \end{array}$

The parameters $\epsilon \left[1\right], \epsilon \left[2\right], B\left[1\right], B\left[2\right]$ are optimized to minimize the overall complexity.

4. LSH-Based MitM Attacks on Ternary LWE via Quantum Walks

In this work, we develop new LSH-based MitM quantum algorithms for ternary LWE, which transform the key recovery problem into a graph search task amenable to quantum walks. We first present QRep-0, the quantum adaptation of Rep-0, to establish the foundational approach. We then introduce QRep-1, which builds upon Rep-1 and achieves a lower complexity through enhanced representation techniques.

4.1. QRep-0: Foundational Instantiation of LSH-Based MitM Quantum Algorithms

The ternary LWE problem aims to recover a ternary secret vector $s\in {\mathcal{T}}^n(w/2)$ satisfying $As=b+emodq$, with a ternary error vector e. We cast this cryptographic recovery problem as a graph search task solvable by quantum walks, where marked vertices represent valid LWE solutions.

Rep-0 features a level-2 search tree, as illustrated in Figure 1. The quantum walk operates on a graph constructed as the Cartesian product of four identical Johnson graphs. The construction begins with the four level-2 lists $L_j^{\left(2\right)}(1\le j\le 4)$, each of size $L^{\left(2\right)}=\left({\displaystyle \genfrac{}{}{0pt}{}{n/2}{w/8,w/8,·}}\right)$. From these, we define restricted subsets $U_j^{\left(2\right)}\subseteq L_j^{\left(2\right)}$ of size $U^{\left(2\right)}:={\left(L^{\left(2\right)}\right)}^{\gamma }$, where $\gamma \in [0,1]$ is a parameter to be optimized. Setting $N=L^{\left(2\right)}$ and $k=U^{\left(2\right)}$, the graph is formally given by

(28)$G_{\mathrm{QRep}-0}(V_{\mathrm{QRep}-0},E_{\mathrm{QRep}-0}):=J(N,k)\times J(N,k)\times J(N,k)\times J(N,k).$

Each vertex $u\in V_{\mathrm{Rep}-0}$ is a 4-tuple $(U_1^{\left(2\right)},U_2^{\left(2\right)},U_3^{\left(2\right)},U_4^{\left(2\right)})$. Two vertices u and v are adjacent if and only if, for some index j, the components $U_j^{\left(2\right)}$ of u and v differ by exactly one element, while the other three components are identical.

The data structure associated with a vertex in $G_{\mathrm{QRep}-0}$ comprises all intermediate lists $U_j^{\left(i\right)}$ generated during the execution of Rep-0, which takes the vertex’s 4-tuple $(U_1^{\left(2\right)},\dots ,U_4^{\left(2\right)})$ as its level-2 input lists. Here, $U_j^{\left(i\right)}$ corresponds to the j-th list at level-i, for $0\le i\le 1$ and $1\le j\le 2^i$.

A vertex is marked if its resultant top-level list $U_1^{\left(0\right)}$ contains at least one valid ternary secret s satisfying $s\in {\mathcal{T}}^n(w/2)$ and $As-bmodq\in {\mathcal{T}}^n$. This direct correspondence guarantees that finding any marked vertex solves the original LWE problem.

We begin by explaining the role of the parameter $\gamma$: it governs the trade-off between the setup cost of QRep-0 and the cost of the quantum walk required to reach a marked vertex.

When $\gamma$ is large (close to 1), the setup cost dominates the overall complexity. In the extreme case of $\gamma =1$, all vertices become marked (since $U^{\left(2\right)}=L^{\left(2\right)}$), and QRep-0 reduces to the classical Rep-0 method, no longer relying on quantum walk.

Conversely, when $\gamma$ is small (close to 0), the setup cost is minimized, but the fraction of marked vertices becomes negligible. As a result, the cost of amplifying these marked vertices via quantum walk becomes the dominant factor in the overall complexity.

We now analyze the quantum resources—specifically, circuit width and depth—required by QRep-0 as detailed in Algorithm 4.

Let $U^{\left(i\right)}$ denote the size of level-i lists in QRep-0, for $i=0,1$. These sizes follow the recurrence relations:

(29)$\begin{array}{cc}\hfill U^{\left(2\right)}& ={\left(L^{\left(2\right)}\right)}^{\gamma }={\left({\displaystyle \genfrac{}{}{0pt}{}{n/2}{w/8,w/8,·}}\right)}^{\gamma },\hfill \\ \hfill U^{\left(1\right)}& ={\left(U^{\left(2\right)}\right)}^2·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k}{2}}},\hfill \\ \hfill U^{\left(0\right)}& ={\displaystyle \frac{{\left(U^{\left(1\right)}\right)}^2}{2^{n-k}}}.\hfill \end{array}$

The quantum circuit width, which corresponds to the space complexity, is determined by three registers: the vertex register $|u\rangle$ encoding a 4-tuple of subsets $(U_1^{\left(2\right)},\dots ,U_4^{\left(2\right)})$, requiring $4U^{\left(2\right)}$ qubits; the coin register $|p_u\rangle$ of similar size; and the data register $\left|d\right(u)\rangle$, which dominates the space complexity with $2U^{\left(1\right)}+U^{\left(0\right)}$ qubits. Hence, the overall circuit width (space complexity) is given by

(30)$S_{\mathrm{QRep}-0}=\mathcal{O}\left(max\left\{U^{\left(2\right)},U^{\left(1\right)},U^{\left(0\right)}\right\}\right).$

The circuit depth, which corresponds to the time complexity, follows the quantum walk complexity:

(31)$T_{\mathrm{QRep}-0}=T_S+{\displaystyle \frac{1}{\sqrt{ϵ}}}\left({\displaystyle \frac{1}{\sqrt{\delta }}}{T}_U+T_C\right),$

From Equation (11), the spectral gap of $G_{\mathrm{QRep}-0}$ is

(32)$\delta =\Omega \left({\displaystyle \frac{1}{k}}\right)=\Omega \left({\displaystyle \frac{1}{U^{\left(2\right)}}}\right).$

Since the classical Rep-0 algorithm yields, in expectation, a single element in $L_1^{\left(0\right)}$, the fraction of marked vertices $ϵ$ corresponds to the probability that all four subsets $U_j^{\left(2\right)}$ contain the necessary elements to reconstruct s. This fraction is given by

(33)$ϵ={\left({\displaystyle \frac{U^{\left(2\right)}}{L^{\left(2\right)}}}\right)}^4={\left(L^{\left(2\right)}\right)}^{4(\gamma -1)}.$

To determine the circuit depth, we analyze the setup cost $T_S$ and update cost $T_U$ for the quantum walk in QRep-0. Following the methodology in Section 6 of [24], these costs correspond to the classical computational complexity of constructing and updating the hierarchical data structure used in Rep-0.

The setup cost $T_S$ involves creating the hierarchical lists according to Rep-0. The level-2 lists $U_j^{\left(2\right)}$ (for $j=1,2,3,4$) are constructed by randomly sampling $U^{\left(2\right)}$ elements from $L_j^{\left(2\right)}$. The level-1 lists such as $U_1^{\left(1\right)}$ are formed by mergeing $U_1^{\left(2\right)}$ and $U_2^{\left(2\right)}$ via exact matching and LSH. Finally, the level-0 list $U_1^{\left(0\right)}$ is built from the two level-1 lists using LSH. Therefore,

(34)$\begin{array}{cc}\hfill T_S& =max\left\{S_{\mathrm{QRep}-0},T_{\mathsf{LSH}+\mathsf{Exact}}\left(U^{\left(2\right)},{\displaystyle \frac{k}{2}},{\displaystyle \frac{k}{2}},B\right),T_{\mathsf{LSH}+\mathsf{Exact}}\left(U^{\left(1\right)},n-k,0,{\displaystyle \frac{q}{2}}\right)\right\}\hfill \\ \hfill & =max\left\{S_{\mathrm{QRep}-0},{\left(U^{\left(2\right)}\right)}^2·{\left({\displaystyle \frac{B^2}{(B-1)q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·nlogn,{\displaystyle \frac{{\left(U^{\left(1\right)}\right)}^2·nlogn}{2^{n-k}}}\right\}.\hfill \end{array}$

The update cost $T_U$ involves involves inserting or deleting an element from one of the level-2 lists. Without loss of generality, we assume the element to be updated, denoted as x, belongs to $U_1^{\left(2\right)}$. The update of x in $U_1^{\left(2\right)}$ can be performed in time $\mathcal{O}\left(1\right)$.

The insertion or deletion of x subsequently triggers updates in the level-1 list $U_1^{\left(1\right)}$, which is formed by merging $U_1^{\left(2\right)}$ and $U_2^{\left(2\right)}$. Specifically, this requires inserting or deleting all elements $z\in U_1^{\left(1\right)}$ that are constructed by pairing x with some $y\in U_2^{\left(2\right)}$, where x and y satisfy the matching conditions on k coordinates: approximate matching on $k/2$ coordinates and exact matching on the other $k/2$ coordinates.

To analyze the number of such elements y (and thus the corresponding z) and the time complexity of locating them, we employ the following theorem:

Applying Theorem 2, the time required to update $U_1^{\left(1\right)}$ due to the modification of x is given by

(36)$T_U^{\left(1\right)}=max\left\{U^{\left(2\right)}·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k}{2}}},U^{\left(2\right)}·{\left({\displaystyle \frac{B^2}{(B-1)q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·nlogn,\right\}$

The number of elements $z\in U_1^{\left(1\right)}$ that need to be updated is $U^{\left(2\right)}·{(3/q)}^{k/2}·{(1/q)}^{k/2}$. For each such z, applying Theorem 2 again, the time required to update the level-0 list $U^{\left(0\right)}$ is $(U^{\left(1\right)}·nlogn)/2^{n-k}$. Therefore, the total update time for the level-0 list is

(37)$T_U^{\left(0\right)}=U^{\left(2\right)}·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k}{2}}}·{\displaystyle \frac{U^{\left(1\right)}·nlogn}{2^{n-k}}}$

Consequently, the overall update cost is given by

(38)$T_U=max\left\{\mathcal{O}\left(1\right),T_U^{\left(1\right)},T_U^{\left(0\right)}\right\}.$

An important observation is that $T_S$ and $T_U$ satisfy the relation $T_S=U^{\left(2\right)}{T}_U$. Combining this observation with Equations (31)–(33) and $T_C=\mathcal{O}\left(1\right)$, we obtain the circuit depth (time complexity) of QRep-0:

(39)$\begin{array}{cc}\hfill T_{\mathrm{QRep}-0}& =T_S+{\displaystyle \frac{1}{\sqrt{ϵ}}}\left({\displaystyle \frac{1}{\sqrt{\delta }}}{T}_U+T_C\right)\hfill \\ \hfill & =\mathcal{O}\left(U^{\left(2\right)}{T}_U+{\left({\displaystyle \frac{L^{\left(2\right)}}{U^{\left(2\right)}}}\right)}^2\left(\sqrt{U^{\left(2\right)}}{T}_U+1\right)\right)\hfill \\ \hfill & ={\left(L^{\left(2\right)}\right)}^{\gamma }{T}_U+{\left(L^{\left(2\right)}\right)}^{2(1-\gamma )+{\displaystyle \frac{\gamma }{2}}}{T}_U.\hfill \end{array}$

The parameter $\gamma$ is chosen to minimize the overall time complexity by balancing the two dominant terms in the expression: the setup cost ${\left(L^{\left(2\right)}\right)}^{\gamma }{T}_U$ and the cost of performing the quantum walk to find a marked vertex ${\left(L^{\left(2\right)}\right)}^{2(1-\gamma )+{\displaystyle \frac{\gamma }{2}}}{T}_U$.

To achieve this balance, we set the exponents of the two terms equal to each other:

(40)$\gamma =2(1-\gamma )+\gamma /2.$

Solving this equation for $\gamma$ yields the optimal value $\gamma =4/5$.

4.2. Concrete Security Analysis of QRep-0

We now present the concrete security analysis of our foundational QRep-0 algorithm and compare it with the vHKM’s QRep-0. Table 1 evaluates both methods on major ternary-LWE-based cryptographic schemes that were also analyzed by van Hoof et al. [18], including NTRU variants (Encrypt and Prime), BLISS signatures, and GLP signatures. These schemes all rely on the hardness of ternary LWE, where both the secret and error vectors have entries in $\{-1,0,1\}$.

The parameter triple $(n,q,w)$ for each scheme specifies the polynomial dimension n (ring dimension), the modulus q, and the weight w (number of non-zero entries in the ternary secret vector). The complexity is measured in ${log}_{2}T$, where T represents the time complexity of the attack. For quantum walk-based combinatorial attacks, including both our approach and vHKM’s method, the time complexity T and quantum space complexity M (measured in qubits) are essentially equivalent, i.e., ${log}_{2}T={log}_{2}M$. This resource equivalence arises because both methods rely on quantum walks over Johnson graphs that require storing the entire quantum state during computation.

Table 1 provides concrete complexity estimates for QRep-0. Across all cryptographic schemes evaluated, our QRep-0 implementation demonstrates superior performance over the vHKM variant in all cases except for BLISS I+II. As will be shown subsequently, when enhanced with improved representation techniques, our quantum algorithm achieves comprehensive advantage over the vHKM approach.

As shown in Table 1, our QRep-0 implementation outperforms the vHKM variant in all cases except for BLISS I+II. As will be shown subsequently, when enhanced with improved representation techniques, our quantum algorithm achieves comprehensive advantage over the vHKM approach.

4.3. QRep-1: Improved LSH-Based MitM Quantum Algorithms

Following the introduction of the foundational instantiation, we proceed to QRep-1—a superior instantiation of our quantum algorithm which leverages a more powerful representation technique. In this instantiation, the depth of the search tree is also treated as an optimization parameter.

We begin by describing QRep-1 with a depth of 3; its search tree structure is illustrated in Figure 2. Since the top level (level 3) contains 8 lists, the quantum walk is performed on the Cartesian product of 8 identical Johnson graphs. Consider subsets $U_j^{\left(3\right)}\subseteq L_j^{\left(3\right)}$ of size $U^{\left(3\right)}={\left(L^{\left(3\right)}\right)}^{\gamma },$ where parameter $\gamma \in [0,1]$ balances the quantum walk cost.

The spectral gap of the graph $J^8(L^{\left(3\right)},U^{\left(3\right)})$ is $\Omega (1/U^{\left(3\right)})$, and the fraction of marked vertices is ${(U^{\left(3\right)}/L^{\left(3\right)})}^8$.

Analogously to Section 4.1, we can recursively derive the list sizes from level 2 down to level 0:

(41)$\begin{array}{cc}\hfill U^{\left(2\right)}& ={\left(U^{\left(3\right)}\right)}^2·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k\left[2\right]}{4}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{3k\left[2\right]}{4}}},\hfill \\ \hfill U^{\left(1\right)}& ={\left(U^{\left(2\right)}\right)}^2·{\left({\displaystyle \frac{3}{q}}\right)}^{{\displaystyle \frac{k\left[1\right]-k\left[2\right]}{2}}}·{\left({\displaystyle \frac{1}{q}}\right)}^{{\displaystyle \frac{k\left[1\right]-k\left[2\right]}{2}}},\hfill \\ \hfill U^{\left(0\right)}& ={\displaystyle \frac{{\left(U^{\left(1\right)}\right)}^2}{2^{n-k}}}.\hfill \end{array}$

The space complexity of QRep-1 with depth 3 is

(42)$S_{\mathrm{QRep}-1}=\mathcal{O}\left(max\left\{U^{\left(3\right)},U^{\left(2\right)},U^{\left(1\right)},U^{\left(0\right)}\right\}\right).$

Similarly, the setup cost of the quantum walk for QRep-1 with depth 3 is

(43)$T_S=max\left\{T_S^{\left(3\right)},T_S^{\left(2\right)},T_S^{\left(1\right)},T_S^{\left(0\right)}\right\},$