by 3PS 795 days ago
Condolences to the author, but this is a huge relief. A polytime quantum algorithm for LWE would have been a scary prospect for the future of asymmetric key crypto. (Not to mention all the other cool stuff people are building on top like fully homomorphic encryption.) Even if it wasn't quite fast enough to break the current schemes that NIST is standardizing, I (and I'm sure many others) would much prefer those problems to stay in exptime.

EDIT: discussion of the bug on Stack Exchange (linked from Aaronson's blog; Aaronson is the mentor of one of the guys who found the bug): https://crypto.stackexchange.com/questions/111385/polynomial...

Not only that, Yilei annotated his paper with the bug (p. 37):

"Yilei (April 18) Here is the bug: the amplitude of |φ8.f⟩ does not satisfy M/2-periodicity. Another way of explaining the bug is: the support of |φ8.f⟩ contains p1...pκ vectors. After domain extension, we should have got p1p2...pκ · p2...pκ vectors, but as the way |φ8.g⟩ is written, it only contains p1...pκ vectors. So the expression of |φ8.g⟩ is wrong."

https://eprint.iacr.org/2024/555.pdf