I find that this is a great reaction to someone finding a bug in your paper. No trying to cover it up, but straight-up admitting a mistake. Also, the fact that he leaves the paper out because it does contain novel ideas that might be useful for further research is cool.
I had a similar thing happened to a paper of mine at the start of my career. Someone found an issue and published a paper to attack my paper. I felt like shit for a long time and thought about retracting. But then decided that my paper actually contained a lot of cool stuff, and so published an update with text highlighted in ted throughout the paper talking about the attack and about the sections that became obsolete.
In retrospect I’m really happy I did the right thing. It can be nerve wracking to publish something that ends up being wrong, but being transparent and not taking things personally, and understanding that whatever happened is still providing value to a lot of people, is the right path.
Condolences to the author, but this is a huge relief. A polytime quantum algorithm for LWE would have been a scary prospect for the future of asymmetric key crypto. (Not to mention all the other cool stuff people are building on top like fully homomorphic encryption.) Even if it wasn't quite fast enough to break the current schemes that NIST is standardizing, I (and I'm sure many others) would much prefer those problems to stay in exptime.
Not only that Yilei annotated with the bug his paper(p37):
"Yilei (April 18) Here is the bug: the amplitude of |φ8.f ⟩ does not satisfy M/2
-periodicity. Another way of
explaining the bug is: the support of |φ8.f ⟩ contains p1...pκ vectors. After domain extension, we should
have got p1p2...pκ · p2...pκ vectors, but as the way |φ8.g⟩ is written, it only contains p1...pκ vectors. So
the expression of |φ8.g⟩ is wrong."
I love this, great work for science overall. This is exactly the type of approach/response one should take, and I hope he gets praise for doing the right thing.
The CV of Thomas Vidick, one of the two people that found the bug, is quite impressive. Undergrad at ENS in France (ranked 1st), PhD at Berkeley (3.97/4.0), postdoc at MIT under Scott Aaronson, and now full professor at Caltech. He literally wrote a book on the topic (Introduction to Quantum Cryptography). So, yeah.
Thomas is indeed a beast - he was considered one of the smartest profs in the department when I was doing my PhD at Caltech. Just FYI, he left Caltech and moved to Israel a few years ago.
For context, as far as I am aware, ENS is the most prestigious non-engineering institute in France and is known for its extreme rigor. And l’X is the top engineering institute.
They have spent thousands, if not tens of thousands, of hours building this skill set. It's like saying "I find it amazing that someone can play Scriabin's piano sonata no. 5 perfectly".
This is a very good reminder that we don't know for various problems whether there is an efficient algorithm. For problems studied for decades (eg travelling salesman) we feel fairly confident that there is no polynomial-time algorithm - but even then, we don't know for sure.
As far as I know, the problems underpinning post-quantum cryptography have not yet enjoyed such extensive scrutiny / search for efficient (regular or quantum) algorithms.
In other words: stuff that is hoped to be post-quantum might turn out to be quantum -- or even in a feasible non-quantum class. The latter seems unlikely barring p=np-alike breakthroughs, but even these cannot fully be ruled out.
In retrospect I’m really happy I did the right thing. It can be nerve wracking to publish something that ends up being wrong, but being transparent and not taking things personally, and understanding that whatever happened is still providing value to a lot of people, is the right path.
Not only that Yilei annotated with the bug his paper(p37):
"Yilei (April 18) Here is the bug: the amplitude of |φ8.f ⟩ does not satisfy M/2 -periodicity. Another way of explaining the bug is: the support of |φ8.f ⟩ contains p1...pκ vectors. After domain extension, we should have got p1p2...pκ · p2...pκ vectors, but as the way |φ8.g⟩ is written, it only contains p1...pκ vectors. So the expression of |φ8.g⟩ is wrong."
https://eprint.iacr.org/2024/555.pdf
Quantum Algorithms for Lattice Problems,123 comments
https://news.ycombinator.com/item?id=39998396
and
A quick post on Chen's algorithm, 95 comments
https://news.ycombinator.com/item?id=40056640
https://eurocrypt.iacr.org/2017/slides/A04-constraint-hiding...
https://en.wikipedia.org/wiki/%C3%89cole_normale_sup%C3%A9ri...
Someone more familiar can correct me if I am wrong.
As far as I know, the problems underpinning post-quantum cryptography have not yet enjoyed such extensive scrutiny / search for efficient (regular or quantum) algorithms.
In other words: stuff that is hoped to be post-quantum might turn out to be quantum -- or even in a feasible non-quantum class. The latter seems unlikely barring p=np-alike breakthroughs, but even these cannot fully be ruled out.
"See the updated version of eprint/2024/555 - Section 3.5.9 (Page 37) for details"