Abstract
The area of lattice-based cryptography is growing ever more prominent as a paradigm for quantum-resistant cryptography. One of the most important hard problems underpinning the security of lattice-based cryptosystems is the shortest vector problem (SVP). At present, two approaches dominate methods for solving instances of this problem in practice: enumeration and sieving. In 2010, Micciancio and Voulgaris presented a heuristic member of the sieving family, known as GaussSieve, and demonstrated it to be comparable to enumeration methods in practice. With contemporary lattice-based cryptographic proposals relying largely on the hardness of the shortest and closest vector problems in ideal lattices, examining possible improvements to sieving algorithms becomes highly pertinent, since at present only sieving algorithms have been successfully adapted to solve such instances more efficiently than in the random lattice case. In this paper, we propose a number of heuristic improvements to GaussSieve, which can also be applied to other sieving algorithms for SVP.
Notes
1. We note that the speedups gained from the dynamic choice of the Gaussian parameter are independent of the bug in the reference implementation; that bug leads to only a minor slowdown in most cases. See Table 1 for details.
2. In the implementation of Voulgaris, no lookup table is employed for the Gaussian; rejection sampling is instead carried out over a subset of the integers. Hence, the sampled integers are much closer to uniform than to the intended truncated Gaussian. In our corrected comparative implementation we use the same Gaussian parameter as the Voulgaris implementation but ensure that the sampled vectors adhere to the prescribed Gaussian.
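The second note describes the kind of defect a practitioner should be able to detect: a sampler that is meant to produce a truncated discrete Gaussian over the integers but in fact emits something close to uniform. The following Python is an added example (not the paper's code and not the Voulgaris implementation): it builds the lookup table the note refers to as a cumulative distribution table (CDT) for \(\rho_s(x) = \exp(-\pi x^2/s^2)\) on \([-t, t]\), samples from it by inverting a uniform draw, and measures how far an empirical sample sits from the target probabilities. The parameter values \(s = 3\), \(t = 6\) and the sample sizes are assumed for illustration, not taken from the paper.

```python
"""CDT sampler for a truncated discrete Gaussian over the integers, plus a
distribution check. Added example; not the paper's or Voulgaris's code.
The Gaussian parameter s and truncation bound t are assumed values."""
import bisect
import math
import random


def gaussian_pmf(s, t):
    """Probabilities of x in [-t, t] under rho_s(x) = exp(-pi x^2 / s^2), normalised."""
    weights = [math.exp(-math.pi * x * x / (s * s)) for x in range(-t, t + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def build_cdt(s, t):
    """Cumulative distribution table: cdt[i] = P(X <= -t + i)."""
    cdt, acc = [], 0.0
    for p in gaussian_pmf(s, t):
        acc += p
        cdt.append(acc)
    cdt[-1] = 1.0  # absorb floating-point drift so the last bucket is always reachable
    return cdt


def sample_from_cdt(cdt, t, u):
    """Map a uniform u in [0, 1) to the smallest x with u < P(X <= x)."""
    return bisect.bisect_right(cdt, u) - t


def sample_integers(s, t, count, seed=0):
    """Draw `count` integers from the truncated Gaussian via the table."""
    rng = random.Random(seed)
    cdt = build_cdt(s, t)
    return [sample_from_cdt(cdt, t, rng.random()) for _ in range(count)]


def uniform_integers(t, count, seed=0):
    """The failure mode from the note: uniform over [-t, t] instead of Gaussian."""
    rng = random.Random(seed)
    return [rng.randint(-t, t) for _ in range(count)]


def max_pmf_deviation(samples, s, t):
    """Largest gap between empirical and target frequencies. A sampler that is
    closer to uniform than to the Gaussian shows up here as a large value."""
    counts = [0] * (2 * t + 1)
    for x in samples:
        counts[x + t] += 1
    n = len(samples)
    return max(abs(c / n - p) for c, p in zip(counts, gaussian_pmf(s, t)))


if __name__ == "__main__":
    S, T, N = 3, 6, 20000  # assumed parameters
    print("CDT sampler deviation:", max_pmf_deviation(sample_integers(S, T, N), S, T))
    print("uniform sampler deviation:", max_pmf_deviation(uniform_integers(T, N), S, T))
```

The deviation check is the useful part: run it once against the sampler you actually ship, because a sampler that is "almost uniform" still produces valid lattice vectors and nothing else in the sieve will complain.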
References
Voulgaris, P.: GaussSieve Implementation. (http://cseweb.ucsd.edu/pvoulgar/impl.html)
TU Darmstadt Lattice Challenge. (http://www.latticechallenge.org)
Ajtai, M.: The shortest vector problem in L2 is NP-hard for randomized reductions (Extended Abstract). In: STOC 1998, pp. 10–19. ACM, New York (1998)
Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Vitter, J.S., Spirakis, P.G., Yannakakis, M. (eds.) STOC, pp. 601–610. ACM (2001)
Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: ASIACRYPT, pp. 1–20 (2011)
Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: EUROCRYPT, pp. 31–51 (2008)
Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: EUROCRYPT, pp. 257–278 (2010)
Gama, N., Schneider, M.: SVP Challenge (2010). (http://www.latticechallenge.org/svp-challenge)
Goldstein, D., Mayer, A.: On the equidistribution of Hecke points. Forum Mathematicum 15, 165–190 (2003)
Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel Gauss Sieve algorithm: Solving the SVP challenge over a 128-dimensional ideal lattice. In: Public Key Cryptography, pp. 411–428 (2014)
Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Johnson, D.S., Fagin, R., Fredman, M.L., Harel, D., Karp, R.M., Lynch, N.A., Papadimitriou, C.H., Rivest, R.L., Ruzzo, W.L., Seiferas, J.I. (eds.) STOC, pp. 193–206. ACM (1983)
Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)
Kuo, P.-C., Schneider, M., Dagdelen, Ö., Reichelt, J., Buchmann, J., Cheng, C.-M., Yang, B.-Y.: Extreme enumeration on GPU and in clouds - How many dollars you need to break SVP challenges. In: CHES, pp. 176–191 (2011)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)
Mardia, K.V. (ed.): Tests of Univariate and Multivariate Normality. Handbook of Statistics. North-Holland, Amsterdam (1980)
Mariano, A., Timnat, S., Bischof, C.: Lock-free GaussSieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD (2014)
Mariano, A., Dagdelen, Ö., Bischof, C.: A comprehensive empirical comparison of parallel ListSieve and GaussSieve. APCI&E (2014)
Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. Milken Institute Series on Financial Innovation and Economic Growth. Springer, US (2002)
Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proceedings of the Twenty-first Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, pp. 1468–1480. Society for Industrial and Applied Mathematics (2010)
Milde, B., Schneider, M.: A parallel implementation of GaussSieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011)
Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)
Schneider, M.: Sieving for shortest vectors in ideal lattices. IACR Cryptology ePrint Archive 2011, 458 (2011)
Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
Schnorr, C.-P.: Lattice reduction by random sampling and birthday methods. In: STACS, pp. 145–156 (2003)
Siegel, C.L.: A mean value theorem in geometry of numbers. Ann. Math. 46(2), 340–347 (1945)
Vallée, B., Vera, A.: Probabilistic analyses of lattice reduction algorithms. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm, Information Security and Cryptography, pp. 71–143. Springer, Heidelberg (2010)
Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)
Zhang, F., Pan, Y., Hu, G.: A Three-level sieve algorithm for the shortest vector problem. In: Selected Areas in Cryptography, pp. 29–47 (2013)
Acknowledgments
The authors would like to thank the anonymous reviewers of LATINCRYPT 2014 for their helpful comments and suggestions, which substantially improved this paper. Özgür Dagdelen is supported by the German Federal Ministry of Education and Research (BMBF) within EC-SPRIDE.
A Pseudocode of our Optimized GaussSieve
The pseudocode below displays our proposed modifications to GaussSieve. In lines (3)–(9) we incorporate our multiple-randomized-bases optimization, and in the function GaussReduce(p,\(\mathsf {L},\mathsf {S},k\)) we embed the cheap test SIP, implementing our XOR + population count computation for approximating the angle between two vectors. The optimized Gaussian sampler modifies the function SampleKlein.
In the pseudocode, the parameter \(k\in \mathbb {Z}^{+}\) defines the bounds on the XOR + population count within which we assume that a pair of vectors is Gauss-reduced: if \(n/2 - k \le \langle \tilde{\mathbf {a}}, \tilde{\mathbf {b}}\rangle \le n/2+k\), we assume the pair \(\mathbf {a},\mathbf {b} \) is Gauss-reduced, and the exact inner-product test is skipped.
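The pseudocode itself is not reproduced on this page, so the following Python is an added illustration (not the authors' code) of the mechanism the appendix describes: a small GaussSieve whose GaussReduce step first runs the XOR + population count test and only computes the exact inner product when the cheap test does not already declare the pair Gauss-reduced. It assumes that the tilde vectors \(\tilde{\mathbf{a}},\tilde{\mathbf{b}}\) are the sign patterns of the coordinates packed into an \(n\)-bit mask and that \(\langle \tilde{\mathbf{a}},\tilde{\mathbf{b}}\rangle\) denotes the Hamming distance popcount(\(\tilde{\mathbf{a}} \oplus \tilde{\mathbf{b}}\)), which is about \(n/2\) for nearly orthogonal vectors. The sampler is a plain random integer combination of the basis standing in for SampleKlein, and the multiple-randomized-bases optimization is omitted; `k=None` disables the filter and gives plain GaussSieve.

```python
"""Toy GaussSieve with the XOR + popcount (SIP) pre-filter. Added example, not
the paper's pseudocode. Assumptions: tilde vectors are coordinate sign masks,
the sampler is a random basis combination standing in for Klein's sampler."""
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm2(v):
    return dot(v, v)


def sign_sketch(v):
    """n-bit mask with bit i set iff v[i] < 0 (assumed meaning of the tilde vector)."""
    return sum(1 << i for i, x in enumerate(v) if x < 0)


def sketch_distance(sa, sb):
    """XOR + population count: Hamming distance between two sign masks."""
    return bin(sa ^ sb).count("1")


def cheap_test_says_reduced(sa, sb, n, k):
    """SIP test: treat the pair as Gauss-reduced if the masks differ in n/2 +- k bits."""
    return n / 2 - k <= sketch_distance(sa, sb) <= n / 2 + k


def is_gauss_reduced(a, b):
    """Exact test: neither vector can shorten the other."""
    return 2 * abs(dot(a, b)) <= min(norm2(a), norm2(b))


def reduce_by(p, v):
    """p <- p - round(<p,v>/<v,v>) v when that shortens p; None if p is unchanged."""
    nv, ip = norm2(v), dot(p, v)
    if 2 * abs(ip) <= nv:
        return None
    c = round(ip / nv)
    return [x - c * y for x, y in zip(p, v)]


def gauss_reduce(p, L, S, n, k):
    """Reduce p against L, then move list vectors reducible by p onto stack S."""
    sp = sign_sketch(p)
    changed = True
    while changed:
        changed = False
        for v, sv in L:
            if k is not None and cheap_test_says_reduced(sp, sv, n, k):
                continue  # cheap test: assume already reduced, skip the inner product
            q = reduce_by(p, v)
            if q is not None:
                p, sp, changed = q, sign_sketch(q), True
    kept = []
    for v, sv in L:
        if k is not None and cheap_test_says_reduced(sp, sv, n, k):
            kept.append((v, sv))
            continue
        w = reduce_by(v, p)
        if w is None:
            kept.append((v, sv))
        else:
            S.append(w)  # shortened list vector goes back through the sieve
    L[:] = kept
    return p


def sample(B, rng):
    """Stand-in for SampleKlein: nonzero random combination with coefficients in [-2, 2]."""
    while True:
        v = [0] * len(B[0])
        for b in B:
            c = rng.randint(-2, 2)
            v = [x + c * y for x, y in zip(v, b)]
        if any(v):
            return v


def gauss_sieve(B, max_collisions=20, k=None, seed=1):
    """Return (shortest vector found, final list) after max_collisions reductions to zero."""
    rng = random.Random(seed)
    n = len(B[0])
    L, S, collisions = [], [], 0
    while collisions < max_collisions:
        p = S.pop() if S else sample(B, rng)
        p = gauss_reduce(p, L, S, n, k)
        if not any(p):
            collisions += 1
        else:
            L.append((p, sign_sketch(p)))
    vectors = [v for v, _ in L]
    return min(vectors, key=norm2), vectors


def pairwise_reduced(vectors):
    """The GaussSieve list invariant; the cheap test may break it."""
    return all(is_gauss_reduced(vectors[i], vectors[j])
               for i in range(len(vectors)) for j in range(i + 1, len(vectors)))


def false_skip_rate(vectors, k):
    """Fraction of pairs the cheap test skips that are NOT Gauss-reduced: the cost of k."""
    n = len(vectors[0])
    skipped = wrong = 0
    for i in range(len(vectors)):
        for j in range(i + 1, len(vectors)):
            a, b = vectors[i], vectors[j]
            if cheap_test_says_reduced(sign_sketch(a), sign_sketch(b), n, k):
                skipped += 1
                wrong += not is_gauss_reduced(a, b)
    return wrong / skipped if skipped else 0.0
```

The practitioner's check is `false_skip_rate`: run the sieve with `k=None`, take the resulting list, and see how often a given `k` would have skipped a pair that the exact test rejects. That number, not the raw speedup, tells you how much of the list invariant you are trading away.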
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Fitzpatrick, R. et al. (2015). Tuning GaussSieve for Speed. In: Aranha, D., Menezes, A. (eds) Progress in Cryptology - LATINCRYPT 2014. LATINCRYPT 2014. Lecture Notes in Computer Science(), vol 8895. Springer, Cham. https://doi.org/10.1007/978-3-319-16295-9_16
DOI: https://doi.org/10.1007/978-3-319-16295-9_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16294-2
Online ISBN: 978-3-319-16295-9