Tuning GaussSieve for Speed

  • Robert Fitzpatrick
  • Christian Bischof
  • Johannes Buchmann
  • Özgür DagdelenEmail author
  • Florian Göpfert
  • Artur Mariano
  • Bo-Yin Yang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8895)


The area of lattice-based cryptography is growing ever-more prominent as a paradigm for quantum-resistant cryptography. One of the most important hard problem underpinning the security of lattice-based cryptosystems is the shortest vector problem (SVP). At present, two approaches dominate methods for solving instances of this problem in practice: enumeration and sieving. In 2010, Micciancio and Voulgaris presented a heuristic member of the sieving family, known as GaussSieve, demonstrating it to be comparable to enumeration methods in practice. With contemporary lattice-based cryptographic proposals relying largely on the hardness of solving the shortest and closest vector problems in ideal lattices, examining possible improvements to sieving algorithms becomes highly pertinent since, at present, only sieving algorithms have been successfully adapted to solve such instances more efficiently than in the random lattice case. In this paper, we propose a number of heuristic improvements to GaussSieve, which can also be applied to other sieving algorithms for SVP.


Ideal Lattice Population Count Lattice Basis Reference Implementation Original Implementation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The authors would like to thank the anonymous reviewers of Latincrypt 2014 for their helpful comments and suggestions which substantially improved this paper. Özgür Dagdelen is supported by the German Federal Ministry of Education and Research (BMBF) within EC-SPRIDE.

Supplementary material


  1. 1.
    Voulgaris, P.: GaussSieve Implementation. (
  2. 2.
    TU Darmstadt Lattice Challenge. (
  3. 3.
    Ajtai, M.: The shortest vector problem in L2 is NP-hard for randomized reductions (Extended Abstract). In: STOC 1998, pp. 10–19. ACM, New York (1998)Google Scholar
  4. 4.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Vitter, J.S., Spirakis, P.G., Yannakakis, M. (eds.) STOC, pp. 601–610. ACM (2001)Google Scholar
  5. 5.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates. In: ASIACRYPT, pp. 1–20 (2011)Google Scholar
  6. 6.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: EUROCRYPT, pp. 31–51 (2008)Google Scholar
  7. 7.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: EUROCRYPT, pp. 257–278 (2010)Google Scholar
  8. 8.
    Gama, N., Schneider, M.: SVP Challenge (2010). (
  9. 9.
    Goldstein, D., Mayer, A.: On the equidistribution of hecke points. Forum Mathematicum 15, 165–190 (2003)CrossRefzbMATHMathSciNetGoogle Scholar
  10. 10.
    Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel gauss sieve algorithm: Solving the SVP challenge over a 128-Dimensional ideal lattice. In: Public Key Cryptography, pp. 411–428 (2014)Google Scholar
  11. 11.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Johnson, D.S., Fagin, R., Fredman, M.L., Harel, D., Karp, R.M., Lynch, N.A., Papadimitriou, C.H., Rivest, R.L., Ruzzo, W.L., Seiferas, J.I. (eds.) STOC, pp. 193–206. ACM (1983)Google Scholar
  12. 12.
    Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)Google Scholar
  13. 13.
    Kuo, P.-C., Schneider, M., Dagdelen, Ö., Reichelt, J., Buchmann, J., Cheng, C.-M., Yang, B.-Y.: Extreme enumeration on GPU and in clouds - How many dollars you need to break SVP challenges. In: CHES, pp. 176–191 (2011)Google Scholar
  14. 14.
    Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)CrossRefzbMATHMathSciNetGoogle Scholar
  15. 15.
    Mardia, K.V. (ed.): Tests of Univariate and Multivariate Normality. Handbook of Statistics. North-Holland, Amsterdam (1980)Google Scholar
  16. 16.
    Mariano, A., Timnat, S., Bischof, C.: Lock-free GaussSieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD (2014)Google Scholar
  17. 17.
    Mariano, A., Dagdelen, O., Bischof, C.: A comprehensive empirical comparison of parallel ListSieve and GaussSieve. APCI&E (2014)Google Scholar
  18. 18.
    Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. Milken Institute Series on Financial Innovation and Economic Growth. Springer, US (2002)CrossRefGoogle Scholar
  19. 19.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proceedings of the Twenty-first Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, pp. 1468–1480. Society for Industrial and Applied Mathematics (2010)Google Scholar
  20. 20.
    Milde, B., Schneider, M.: A parallel implementation of gausssieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  21. 21.
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  22. 22.
    Schneider, M.: Sieving for shortest vectors in ideal lattices. IACR Cryptology ePrint Archive 2011, 458 (2011)Google Scholar
  23. 23.
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  24. 24.
    Schnorr, C.-P.: Lattice reduction by random sampling and birthday methods. In: STACS, pp. 145–156 (2003)Google Scholar
  25. 25.
    Siegel, C.L.: A mean value theorem in geometry of numbers. Ann. Math. 46(2), 340–347 (1945)CrossRefzbMATHGoogle Scholar
  26. 26.
    Vallée, B., Vera, A.: Probabilistic analyses of lattice reduction algorithms. In: Nguyen, P.Q., Vallée, B. (eds.) The LLL Algorithm, Information Security and Cryptography, pp. 71–143. Springer, Heidelberg (2010)Google Scholar
  27. 27.
    Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)Google Scholar
  28. 28.
    Zhang, F., Pan, Y., Hu, G.: A Three-level sieve algorithm for the shortest vector problem. In: Selected Areas in Cryptography, pp. 29–47 (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Robert Fitzpatrick
    • 1
  • Christian Bischof
    • 2
  • Johannes Buchmann
    • 3
  • Özgür Dagdelen
    • 3
    Email author
  • Florian Göpfert
    • 3
  • Artur Mariano
    • 2
  • Bo-Yin Yang
    • 1
  1. 1.Institute of Information ScienceAcademia SinicaTaipeiTaiwan
  2. 2.Institute for Scientific Computing, TU DarmstadtDarmstadtGermany
  3. 3.Cryptography and Computer AlgebraTU DarmstadtDarmstadtGermany

Personalised recommendations