Advertisement

The General Sieve Kernel and New Records in Lattice Reduction

  • Martin R. Albrecht
  • Léo Ducas
  • Gottfried Herold
  • Elena Kirshanova
  • Eamonn W. PostlethwaiteEmail author
  • Marc Stevens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11477)

Abstract

We propose the General Sieve Kernel (G6K, pronounced / Open image in new window e.si.ka/), an abstract stateful machine supporting a wide variety of lattice reduction strategies based on sieving algorithms. Using the basic instruction set of this abstract stateful machine, we first give concise formulations of previous sieving strategies from the literature and then propose new ones. We then also give a light variant of BKZ exploiting the features of our abstract stateful machine. This encapsulates several recent suggestions (Ducas at Eurocrypt 2018; Laarhoven and Mariano at PQCrypto 2018) to move beyond treating sieving as a blackbox SVP oracle and to utilise strong lattice reduction as preprocessing for sieving. Furthermore, we propose new tricks to minimise the sieving computation required for a given reduction quality with mechanisms such as recycling vectors between sieves, on-the-fly lifting and flexible insertions akin to Deep LLL and recent variants of Random Sampling Reduction.

Moreover, we provide a highly optimised, multi-threaded and tweakable implementation of this machine which we make open-source. We then illustrate the performance of this implementation of our sieving strategies by applying G6K to various lattice challenges. In particular, our approach allows us to solve previously unsolved instances of the Darmstadt SVP (151, 153, 155) and LWE (e.g. (75, 0.005)) challenges. Our solution for the SVP-151 challenge was found 400 times faster than the time reported for the SVP-150 challenge, the previous record. For exact-SVP, we observe a performance crossover between G6K and FPLLL’s state of the art implementation of enumeration at dimension 70.

Notes

Acknowledgements

We thank Kenny Paterson for discussing a previous version of this draft. We also thank Pierre Karpman for running some of our experiments.

Supplementary material

483212_1_En_25_MOESM1_ESM.txt (1 kb)
Supplementary material 1 (txt 2 kb)
483212_1_En_25_MOESM2_ESM.txt (0 kb)
Supplementary material 2 (txt 1 kb)
483212_1_En_25_MOESM3_ESM.txt (1 kb)
Supplementary material 3 (txt 1 kb)
483212_1_En_25_MOESM4_ESM.txt (3 kb)
Supplementary material 4 (txt 4 kb)

References

  1. [ACD+18]
    Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-98113-0_19
  2. [ADPS16]
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 16), Austin, TX. USENIX Association, pp. 327–343 (2016)Google Scholar
  3. [AGVW17]
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70694-8_11CrossRefGoogle Scholar
  4. [AKS01]
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: 33rd ACM STOC. ACM Press, pp. 601–610, July 2001Google Scholar
  5. [AWHT16]
    Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49890-3_30CrossRefGoogle Scholar
  6. [BDGL16]
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA. ACM-SIAM, pp. 10–24, January 2016Google Scholar
  7. [BG14]
    Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-08344-5_21CrossRefGoogle Scholar
  8. [BGJ15]
    Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522 (2015). http://eprint.iacr.org/2015/522
  9. [BLS16]
    Bai, S., Laarhoven, T., Stehle, D.: Tuple lattice sieving. Cryptology ePrint Archive, Report 2016/713 (2016). http://eprint.iacr.org/2016/713
  10. [BSW18]
    Bai, S., Stehlé, D., Wen, W.: Measuring, simulating and exploiting the head concavity phenomenon in BKZ. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 369–404. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03326-2_13CrossRefGoogle Scholar
  11. [Cha02]
    Charikar, M.: Similarity estimation techniques from rounding algorithms. In: 34th ACM STOC. ACM Press, pp. 380–388, May 2002Google Scholar
  12. [Che13]
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Thèse de doctorat dirigée par Nguyen, Phong-Quang Informatique Paris 7, p. 1, vol. 133 (2013)Google Scholar
  13. [CN11]
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25385-0_1CrossRefGoogle Scholar
  14. [dt18a]
    The FPLLL Development Team: FPLLL, a lattice reduction library (2018). https://github.com/fplll/fplll
  15. [dt18b]
    The FPyLLL Development Team: FPyLLL, a lattice reduction library (2018). https://github.com/fplll/fpylll
  16. [Duc18a]
    Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78381-9_5CrossRefGoogle Scholar
  17. [Duc18b]
    Ducas, L.: Shortest Vector from Lattice Sieving: a Few Dimensions for Free (talk), April 2018. https://eurocrypt.iacr.org/2018/Slides/Monday/TrackB/01-01.pdf
  18. [FBB+15]
    Fitzpatrick, R., et al.: Tuning GaussSieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-16295-9_16CrossRefGoogle Scholar
  19. [FK15]
    Fukase, M., Kashiwabara, K.: An accelerated algorithm for solving SVP based on statistical analysis. JIP 23(1), 67–80 (2015)Google Scholar
  20. [FP85]
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–463 (1985)MathSciNetCrossRefGoogle Scholar
  21. [FY15]
    Göpfert, F., Yakkundimath, A.: Darmstadt LWE challenges (2015). https://www.latticechallenge.org/lwe_challenge/challenge.php. Accessed 15 Aug 2018
  22. [GN08a]
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC. ACM Press, pp. 207–216, May 2008Google Scholar
  23. [GN08b]
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-78967-3_3CrossRefGoogle Scholar
  24. [GNR10]
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_13CrossRefGoogle Scholar
  25. [HK17]
    Herold, G., Kirshanova, E.: Improved algorithms for the approximate k-list problem in euclidean norm. In: Fehr, S. (ed.) PKC 2017, Part I. LNCS, vol. 10174, pp. 16–40. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54365-8_2CrossRefGoogle Scholar
  26. [HKL18]
    Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time–memory trade-offs for tuple lattice sieving. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 407–436. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-76578-5_14CrossRefGoogle Scholar
  27. [HPS11]
    Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22792-9_25CrossRefGoogle Scholar
  28. [HS07]
    Hanrot, G., Damien, S.: Improved analysis of Kannan’s shortest lattice vector algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74143-5_10CrossRefGoogle Scholar
  29. [Kan83]
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC. ACM Press, pp. 193–206, April 1983Google Scholar
  30. [Kan87]
    Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)MathSciNetCrossRefGoogle Scholar
  31. [Kir16]
  32. [LLL82]
    Lenstra, A.K., Lenstra, H.W., Ĺovasz, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  33. [LM18]
    Laarhoven, T., Mariano, A.: Progressive lattice sieving. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 292–311. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-79063-3_14CrossRefGoogle Scholar
  34. [LN13]
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36095-4_19CrossRefGoogle Scholar
  35. [MV10a]
    Madritsch, M., Vallée, B.: Modelling the LLL algorithm by sandpiles. In: López-Ortiz, A. (ed.) LATIN 2010. LNCS, vol. 6034, pp. 267–281. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-12200-2_25CrossRefGoogle Scholar
  36. [MV10b]
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Charika, M. (ed.) 21st SODA. ACM-SIAM, pp. 1468–1480, January 2010Google Scholar
  37. [MW15]
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Indyk, P. (ed.) 26th SODA. ACM-SIAM, pp. 276–294, January 2015Google Scholar
  38. [Ngu10]
    Nguyen, P.Q.: Hermités constant and lattice algorithms. In: Nguyen, P., Valle, B. (eds.) The LLL Algorithm. Information Security and Cryptography, pp. 19–69. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-02295-1_2CrossRefGoogle Scholar
  39. [NV08]
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)MathSciNetCrossRefGoogle Scholar
  40. [PAA+17]
    Poppelmann, T., et al.: Newhope, Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
  41. [Sch87]
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)MathSciNetCrossRefGoogle Scholar
  42. [Sch03]
    Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36494-3_14CrossRefGoogle Scholar
  43. [SE94]
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  44. [SG10]
    Schneider, M., Gama, N.: Darmstadt SVP Challenges (2010). https://www.latticechallenge.org/svp-challenge/index.php. Accessed 17 Aug 2018
  45. [TKH18]
    Teruya, T., Kashiwabara, K., Hanaoka, G.: Fast lattice basis reduction suitable for massive parallelization and its application to the shortest vector problem. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 437–460. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-76578-5_15CrossRefGoogle Scholar
  46. [Wal16]
    Walter, M.: Sage implementation of Chen and Nguyen’s BKZ simulator (2016). http://pub.ist.ac.at/~mwalter/src/sim_bkz.sage
  47. [YD17]
    Yu, Y., Ducas, L.: Second order statistical behavior of LLL and BKZ. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 3–22. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-72565-9_1CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  • Martin R. Albrecht
    • 1
  • Léo Ducas
    • 2
  • Gottfried Herold
    • 3
  • Elena Kirshanova
    • 3
  • Eamonn W. Postlethwaite
    • 1
    Email author
  • Marc Stevens
    • 2
  1. 1.Information Security GroupRoyal Holloway, University of LondonEghamUK
  2. 2.Cryptology GroupCWIAmsterdamThe Netherlands
  3. 3.ENS Lyon, Laboratoire LIPLyonFrance

Personalised recommendations