420                                                        软件学报  2026  年第  37  卷第  1  期


                      IEEE, 1994. 116–123. [doi: 10.1109/SFCS.1994.365701]
                  [6]   Wang XY, Liu MJ. Survey of Lattice-based cryptography. Journal of Cryptologic Research, 2014, 1(1): 13–27 (in Chinese with English
                      abstract). [doi: 10.13868/j.cnki.jcr.000002]
                  [7]   Wang  C,  Yao  HN,  Wang  BN,  Hu  F,  Zhang  HG,  Ji  XM.  Progress  in  quantum  computing  cryptography  attacks.  Chinese  Journal  of
                      Computers, 2020, 43(9): 1691–1707 (in Chinese with English abstract). [doi: 10.11897/SP.J.1016.2020.01691]
                  [8]   Chardouvelis O, Goyal V, Jain A, Liu JH. Quantum key leasing for PKE and FHE with a classical lessor. In: Proc. of the 2025 Annual
                      Int’l Conf. on the Theory and Applications of Cryptographic Techniques. Cham: Springer, 2025: 248–277. [doi: 10.1007/978-3-031-
                      91131-6_9]
                  [9]   Bos J, Costello C, Ducas L, Mironov I, Naehrig M, Nikolaenko V, Raghunathan A, Stebila D. Frodo: Take off the ring! Practical,
                      quantum-secure key exchange from LWE. In: Proc. of the 2016 ACM SIGSAC Conf. on Computer and Communications Security.
                      Vienna: ACM, 2016. 1006–1018. [doi: 10.1145/2976749.2978425]
                 [10]   Ducas L, Kiltz E, Lepoint T, Lyubashevsky V, Schwabe P, Seiler G, Stehlé D. CRYSTALS-Dilithium: A lattice-based digital signature
                      scheme. IACR Trans. on Cryptographic Hardware and Embedded Systems, 2018, 2018(1): 238–268. [doi: 10.13154/tches.v2018.i1.238-
                      268]
                 [11]   Bos J, Ducas L, Kiltz E, Lepoint T, Lyubashevsky V, Schanck JM, Schwabe P, Seiler G, Stehle D. CRYSTALS-Kyber: A CCA-secure
                      module-lattice-based KEM. In: Proc. of the 2018 IEEE European Symp. on Security and Privacy. London: IEEE, 2018. 353–367. [doi:
                      10.1109/EuroSP.2018.00032]
                 [12]   Wang YR. Research on quantum security for lattice cryptography [Ph.D. Thesis]. Zhengzhou: PLA Strategic Support Force Information
                      Engineering University, 2023 (in Chinese with English abstract). [doi: 10.27188/d.cnki.gzjxu.2023.000022]
                 [13]   Pan YB, Xu J, Wadleigh N, Cheng Q. On the ideal shortest vector problem over random rational primes. In: Proc. of the 40th Annual Int’l
                      Conf. on the Theory and Applications of Cryptographic Techniques. Zagreb: Springer, 2021. 559–583. [doi: 10.1007/978-3-030-77870-
                      5_20]
                 [14]   Regev O. On lattices, learning with errors, random linear codes, and cryptography. In: Proc. of the 37th Annual ACM Symp. on Theory
                      of Computing. Baltimore: ACM, 2005. 84–93. [doi: 10.1145/1060590.1060603]
                 [15]   van Tilborg HCA, Jajodia S. Encyclopedia of Cryptography and Security. 2nd ed., New York: Springer, 2011. [doi: 10.1007/978-1-4419-
                      5906-5]
                 [16]   Grover LK. Quantum mechanics helps in searching for a needle in a haystack. Physical Review Letters, 1997, 79(2): 325–328. [doi: 10.
                      1103/PhysRevLett.79.325]
                 [17]   Tani S. Claw finding algorithms using quantum walk. Theoretical Computer Science, 2009, 410(50): 5285–5297. [doi: 10.1016/j.tcs.
                      2009.08.030]
                 [18]   Nemec  M,  Sys  M,  Svenda  P,  Klinec  D,  Matyas  V.  The  return  of  coppersmith’s  attack:  Practical  factorization  of  widely  used  RSA
                      moduli. In: Proc. of the 2017 ACM SIGSAC Conf. on Computer and Communications Security. Dallas: ACM, 2017. 1631–1648. [doi:
                      10.1145/3133956.3133969]
                 [19]   Aranha DF, Novaes FR, Takahashi A, Tibouchi M, Yarom Y. LadderLeak: Breaking ECDSA with less than one bit of nonce leakage.
                      In: Proc. of the 2020 ACM SIGSAC Conf. on Computer and Communications Security. ACM, 2020. 225–242. [doi: 10.1145/3372297.
                      3417268]
                 [20]   Feng  TF.  Analysis  of  a  quantum  attack  on  the  Blum-Micali  pseudorandom  number  generator.  IACR  Cryptology  ePrint  Archive,
                      2023.1639.
                 [21]   Liu WJ, Gao JT. Quantum security of Grain-128/Grain-128a stream cipher against HHL algorithm. Quantum Information Processing,
                      2021, 20(10): 343. [doi: 10.1007/s11128-021-03275-x]
                 [22]   Wroński M, Burek E, Leśniak M. (In)security of stream ciphers against quantum annealing attacks on the example of the Grain 128 and
                      Grain 128a ciphers. IEEE Trans. on Emerging Topics in Computing. [doi: 10.1109/TETC.2024.3474856]
                 [23]   Bonnetain X, Schrottenloher A. Single-query quantum hidden shift attacks. IACR Trans. on Symmetric Cryptology, 2024, 2024(3):
                      266–297. [doi: 10.46586/tosc.v2024.i3.266-297]
                 [24]   Ni BY, Ito G, Dong XY, Iwata T. Quantum attacks against type-1 generalized Feistel ciphers and applications to CAST-256. In: Proc. of
                      the 20th Int’l Conf. on Cryptology in India. Hyderabad: Springer, 2019. 433–455. [doi: 10.1007/978-3-030-35423-7_22]
                 [25]   Zhang ZY, Sun SW, Wang CB, Hu L. Classical and quantum meet-in-the-middle Nostradamus attacks on AES-like hashing. IACR
                      Trans. on Symmetric Cryptology, 2023, 2023(2): 224–252. [doi: 10.46586/tosc.v2023.i2.224-252]
                 [26]   Fehr S, Huang YH. On the quantum security of HAWK. In: Proc. of the 14th Int’l Conf. on Post-quantum Cryptography. College Park:
                      Springer, 2023. 405–416. [doi: 10.1007/978-3-031-40003-2_15]