AI Summary
This work addresses the computational bottleneck of lattice Gaussian sampling in dual attacks on lattice-based cryptography and in GPV trapdoor sampling by applying quantum rejection sampling (QRS) to this setting. Building on Wang and Ling's lower-bound analysis of Klein's algorithm, the proposed method enables efficient quantum sampling from the truncated dual q-ary lattice Gaussian, with the truncation radius chosen so that the total variation distance from the full lattice Gaussian is negligible. The approach achieves a quadratic reduction in sampling complexity, which lowers the overall attack-cost estimates: relative to Pouly and Shen's dual attack under the same parameters, the estimated security levels of Kyber-512, Kyber-768, and Kyber-1024 drop by 9, 4, and 13 bits, respectively, and a comparable speedup is obtained for GPV signing. Key technical components include QRS, Klein's algorithm, truncated lattice Gaussian distributions, coherent oracle access to the proposal distribution, and modulus switching.
Abstract
In this work, we revisit the dual attack and GPV trapdoor sampling, focusing on the lattice Gaussian sampling term, which can be a significant bottleneck in the overall complexity. We show that this sampling step can be quantumly accelerated by combining the lower bound underlying Wang and Ling's analysis of Klein's algorithm with the quantum rejection sampling (QRS) framework proposed by Ozols et al. Specifically, this lower bound gives precisely the pointwise domination condition required for quantum rejection sampling when given coherent oracle access to a truncated Klein proposal distribution, which yields a quantum procedure for preparing the truncated dual $q$-ary lattice Gaussian with a quadratic reduction in the sampling complexity. The truncation radius is chosen so that the truncated distribution is negligibly close to the full lattice Gaussian in total variation distance. Substituting this sampler into the dual attack framework results in reduced overall attack-cost estimates. Compared with Pouly and Shen's modern dual attack under the same parameter choices, our estimates reduce the attack cost by $9$, $4$, and $13$ bits for Kyber-512, Kyber-768, and Kyber-1024, respectively. We also report the corresponding estimates with modulus switching. Finally, by replacing the Markov chain Monte Carlo (MCMC) sampler with the QRS algorithm, we achieve a similar quadratic speedup in the GPV signing process.
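The abstract packs three ingredients into one sentence: a truncation radius fixed by a total-variation budget, a pointwise domination constant $\gamma$ between the target Gaussian and a proposal, and the gap between the classical rejection-sampling cost $\gamma$ and the QRS cost of roughly $(\pi/4)\sqrt{\gamma}$ amplitude-amplification rounds. The script below is an added illustration, not code from the paper, and it works those three steps through in one dimension. It assumes stand-ins for everything lattice-specific: the truncated discrete Gaussian $D_{s,R}$ over the integers plays the role of the truncated dual $q$-ary lattice Gaussian, a wider discrete Gaussian $D_{t,R}$ with $t > s$ plays the role of the Klein proposal, and the computed ratio $\gamma = \max_x D_{s,R}(x)/D_{t,R}(x)$ plays the role of the Wang-Ling lower bound. The round count and success probability are the standard amplitude-amplification formulas with success amplitude $\sqrt{1/\gamma}$; the classical side is simulated so the acceptance rate $1/\gamma$ can be checked empirically.

```python
"""Classical vs quantum rejection sampling cost under pointwise domination.

Added illustration, not code from the paper.  Assumptions: the 1-D truncated
discrete Gaussian D_{s,R} stands in for the truncated dual q-ary lattice
Gaussian, the wider D_{t,R} (t > s) stands in for the Klein proposal, and the
constant gamma = max_x target(x)/proposal(x) stands in for the Wang-Ling bound.
"""
import math
import random


def rho(x, s):
    """Gaussian weight rho_s(x) = exp(-pi x^2 / s^2)."""
    return math.exp(-math.pi * x * x / (s * s))


def discrete_gaussian(s, R):
    """Truncated discrete Gaussian D_{s,R} on {-R, ..., R}, normalised."""
    w = {x: rho(x, s) for x in range(-R, R + 1)}
    z = sum(w.values())
    return {x: v / z for x, v in w.items()}


def tail_mass(s, R):
    """P[|x| > R] under D_s over Z, which equals TV(D_s, D_{s,R}) because the
    truncated distribution is D_s conditioned on |x| <= R.  The normaliser is
    summed over a window of R + 8s, beyond which terms are below 2^-250."""
    W = R + 8 * math.ceil(s) + 8
    z = sum(rho(x, s) for x in range(-W, W + 1))
    tail = sum(rho(x, s) for x in range(R + 1, W + 1))
    return 2.0 * tail / z


def truncation_radius(s, lam):
    """Smallest R with TV(D_s, D_{s,R}) <= 2^-lam (negligible for lam = 128)."""
    R = 0
    while tail_mass(s, R) > 2.0 ** (-lam):
        R += 1
    return R


def domination_constant(target, proposal):
    """gamma such that target(x) <= gamma * proposal(x) for every x."""
    gamma = 0.0
    for x, p in target.items():
        if p > 0.0 and proposal.get(x, 0.0) == 0.0:
            raise ValueError(f"proposal does not dominate target at x={x}")
        if p > 0.0:
            gamma = max(gamma, p / proposal[x])
    return gamma


def classical_rejection_cost(gamma):
    """Expected proposals per accepted sample: acceptance probability is 1/gamma,
    so the number of trials is geometric with mean gamma."""
    return gamma


def quantum_rejection_iterations(gamma):
    """Amplitude-amplification rounds for QRS with success amplitude
    sin(theta) = sqrt(1/gamma): k = floor(pi / (4 theta)) ~ (pi/4) sqrt(gamma).
    Each round makes O(1) calls to the coherent proposal oracle, which is the
    quadratic reduction relative to the classical cost gamma."""
    theta = math.asin(math.sqrt(1.0 / gamma))
    return math.floor(math.pi / (4.0 * theta))


def qrs_success_probability(gamma, k):
    """Success probability sin^2((2k+1) theta) after k amplification rounds."""
    theta = math.asin(math.sqrt(1.0 / gamma))
    return math.sin((2 * k + 1) * theta) ** 2


def classical_rejection_sample(target, proposal, gamma, rng):
    """Classical rejection sampling: draw from the proposal, accept with
    probability target(x) / (gamma * proposal(x)).  Returns (sample, trials)."""
    xs = list(proposal)
    ws = [proposal[x] for x in xs]
    trials = 0
    while True:
        trials += 1
        x = rng.choices(xs, weights=ws)[0]
        if rng.random() < target[x] / (gamma * proposal[x]):
            return x, trials


def mean_classical_trials(target, proposal, gamma, n, seed=1):
    """Empirical mean trial count over n accepted samples (seeded for replay)."""
    rng = random.Random(seed)
    return sum(classical_rejection_sample(target, proposal, gamma, rng)[1]
               for _ in range(n)) / n


if __name__ == "__main__":
    s, t, lam = 4.0, 16.0, 128
    R = truncation_radius(t, lam)          # radius set by the wider proposal
    target, proposal = discrete_gaussian(s, R), discrete_gaussian(t, R)
    gamma = domination_constant(target, proposal)
    k = quantum_rejection_iterations(gamma)
    print(f"R={R} gamma={gamma:.4f} classical={classical_rejection_cost(gamma):.2f}"
          f" quantum_rounds={k} success={qrs_success_probability(gamma, k):.6f}"
          f" empirical_classical={mean_classical_trials(target, proposal, gamma, 2000):.2f}")
```

With $s = 4$ and $t = 16$ the ratio $Z_t/Z_s$ gives $\gamma \approx 4$: classically about four proposal draws per sample, while one amplification round already drives the QRS success probability to essentially 1. The two quantities that scale with the problem are `tail_mass`, which is exactly the total-variation distance the truncation radius must keep negligible, and `gamma`, whose square root (times $\pi/4$) is the round count; for a real lattice instance both would come from the dual lattice and the Klein bound rather than these one-dimensional stand-ins.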