Improved Dual Attack and Trapdoor Sampling via Quantum Rejection Sampling
Published 24 May 2026 in quant-ph and cs.DS | (2605.24798v1)
Abstract: In this work, we revisit the dual attack and GPV trapdoor sampling, focusing on the lattice Gaussian sampling term, which can be a significant bottleneck in the overall complexity. We show that this sampling step can be quantumly accelerated by combining the lower bound underlying Wang and Ling's analysis of Klein's algorithm with the quantum rejection sampling (QRS) framework proposed by Ozols et al. Specifically, this lower bound gives precisely the pointwise domination condition required for quantum rejection sampling when given coherent oracle access to a truncated Klein proposal distribution, which yields a quantum procedure for preparing the truncated dual $q$-ary lattice Gaussian with a quadratic reduction in the sampling complexity. The truncation radius is chosen so that the truncated distribution is negligibly close to the full lattice Gaussian in total variation distance. Substituting this sampler into the dual attack framework results in reduced overall attack-cost estimates. Compared with Pouly and Shen's modern dual attack under the same parameter choices, our estimates reduce the attack cost by (9), (4), and (13) bits for Kyber-512, Kyber-768, and Kyber-1024, respectively. We also report the corresponding estimates with modulus switching. Finally, by replacing the Markov chain Monte Carlo (MCMC) sampler with the QRS algorithm, we achieve a similar quadratic speedup in the GPV signing process.
The paper establishes a domination bound for Klein’s truncated proposal, enabling quadratic speedups in lattice Gaussian sampling via quantum rejection sampling.
It integrates the QRS algorithm into the dual attack framework, reducing sampling complexity and lowering attack costs for lattice-based schemes like Kyber.
The study extends QRS to GPV trapdoor sampling, significantly accelerating signature generation in post-quantum cryptography.
Improved Dual Attack and Trapdoor Sampling via Quantum Rejection Sampling
Background and Motivation
Lattice-based cryptographic schemes rely fundamentally on the hardness of problems such as LWE and SIS. Assessing the concrete security margins of deployed schemes (e.g., Kyber and FALCON) necessitates accurate estimations of attack complexities. In the dual attack paradigm, the dominant computational bottleneck is the sampling of short vectors from the dual lattice, typically realized through MCMC techniques embedded with a Klein proposal. Prior quantum-augmented attacks (e.g., [AlbrechtShen2022]) yielded quadratic improvements in guessing stages via quantum algorithms, but the lattice Gaussian sampling cost remained classical, circumscribing the quantum advantage.
Quantum rejection sampling (QRS), as formulated in [OzolsRoettelerRoland2013], offers quantum amplitude amplification for dominating-proposal constructions, which can potentially yield quadratic speedups in sampling complexity. The present work establishes the necessary domination bound for lattice Gaussian sampling based on Klein's truncated proposal, thereby establishing QRS as a viable quantum-accelerated sampler for lattice Gaussians.
Quantum Rejection Sampling for Lattice Gaussians
Domination Bound and QRS Framework
The essential technical insight is the realization that the truncated Klein distribution lower-bounds the target lattice Gaussian distribution pointwise, up to a constant pR​. This aligns precisely with the QRS requirements. For a lattice L=BZn, the truncated coefficient space XR​ is chosen so that the total variation distance to the full distribution becomes negligible.
Given oracle access to the basis B, Gaussian parameter s, center c, and truncation radius R, the QRS algorithm prepares
with expected query complexity O(1/pR​​)≤O(1/ΔR​​), where ΔR​ is the mass ratio between the truncated target and proposal distributions. Measurement outputs lattice vectors sampled from the truncated discrete Gaussian.
(Figure 1)
Figure 1: Oracle-level quantum circuit for sampling from the truncated lattice Gaussian via quantum rejection sampling.
The truncation radius is calibrated using tail bounds (cf. [StephensDavidowitz2017]) to ensure L=BZn0, thus the output distribution is statistically close to the full lattice Gaussian. The dependence on L=BZn1 preserves the quadratic speedup inherent in amplitude amplification relative to classical rejection sampling, which scales as L=BZn2.
Integration with Dual Attack Framework
The QRS sampler is integrated into the dual attack pipeline delineated in [PoulyShen2024]. The attack splits the secret, performs BKZ reduction on the dual submatrix, and replaces the classical MCMC sampler for producing the dual lattice Gaussian samples with QRS. This reduces the sampling factor from L=BZn3 to L=BZn4 in the attack complexity:
L=BZn5
Parameterizing for Kyber variants, the attack costs are reduced by L=BZn6, L=BZn7, and L=BZn8 bits for Kyber-512, Kyber-768, and Kyber-1024, respectively, when modulus switching is not used. With modulus switching, reductions are primarily significant for Kyber-1024.
(Figure 2)
Figure 2: Comparison of attack costs for Kyber parameters with and without QRS integration in sampling (see Table 1 in the original document).
This quadratic speedup addresses the previously dominating bottleneck, thereby recalibrating concrete post-quantum lattice security estimates.
GPV Trapdoor Sampling Acceleration
The QRS technique extends to trapdoor sampling in GPV/FALCON signing, where the discrete Gaussian sampler ensures basis-independence of signature distribution. The classical trapdoor sampling step depends on the mixing time of MCMC, quantified as L=BZn9, above smoothing, where XR​0 and XR​1 is the Jacobi theta function.
The QRS-enabled sampler reduces this to XR​2, i.e., its square root in the lattice dimension:
Figure 3: MCMC and QRS upper bounds derived from Wang and Ling's XR​3 estimate for FALCON-512 [wang_lattice_2019].
Numerically, for FALCON-512 parameters, this changes the XR​4 upper bound from XR​5 to XR​6, yielding noteworthy reductions in signature generation complexity for large-scale post-quantum schemes.
Related Work and Distinctions
Concurrent work [cryptoeprint:2026/984] implements coordinate-wise QRS for discrete Gaussians and demonstrates dual attack quantum speedup, including QRACM-free compositions for fully quantum attack pipelines. This paper's formulation abstains from explicit QRACM replacement, encapsulating QRS within an abstract oracle model and favoring spherical truncations. The comparative analysis within fixed-parameter regimes clarifies implications for Kyber and FALCON standards.
Practical and Theoretical Implications
The presented quantum algorithm for lattice Gaussian sampling rebalances the quantum/classical dichotomy in lattice attack cost models, rendering quantum attacks more consistent in their speedups across pipeline components. Theoretical implications include tighter security reductions for cryptographic standards driven by lattice problems. Practically, it necessitates reevaluation of recommended parameter sets (e.g., for Kyber and FALCON) vis-Ã -vis quantum adversaries equipped with QRS acceleration.
Integration with QRACM-free quantum mean estimation and quantum search routines leads toward genuinely quantum end-to-end attack strategies. Additionally, trapdoor sampling acceleration affects signing throughput and resource requirements in quantum-enabled secure digital signature schemes.
Future Developments
A foreseeable advancement is the realization of QRACM-free quantum attack pipelines, leveraging coherent lattice Gaussian state preparation. Further research may focus on circuit-level optimizations for the QRS oracle, error scaling in tail truncation, and extension to more general lattice structures (e.g., module or ring lattices). Complexity-theoretic analysis may refine lower bounds for quantum attacks in parameter regimes relevant to cryptographic standards.
Hardware implementations and empirical validation of QRS circuits for cryptographic primitives (including their impact on key generation and signing latencies) constitute a critical direction. The adaptability of QRS to SIS-based constructions and its implications for FHE primitives merit further investigation.
Conclusion
By synthesizing the domination condition for quantum rejection sampling from Klein's truncated proposal and integrating it into discrete Gaussian sampling procedures for dual attacks and GPV trapdoor sampling, this work achieves quadratic reductions in the dominant lattice sampling complexity term. The improvements are validated for Kyber and FALCON parameters and substantially recalibrate quantum threat models for deployed lattice-based cryptographic mechanisms, with broader consequences for post-quantum cryptography.