Lattice Enumeration Using Extreme Pruning

  • Nicolas Gama
  • Phong Q. Nguyen
  • Oded Regev
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6110)

Abstract

Lattice enumeration algorithms are the most basic algorithms for solving hard lattice problems such as the shortest vector problem and the closest vector problem, and are often used in public-key cryptanalysis either as standalone algorithms, or as subroutines in lattice reduction algorithms. Here we revisit these fundamental algorithms and show that surprising exponential speedups can be achieved both in theory and in practice by using a new technique, which we call extreme pruning. We also provide what is arguably the first sound analysis of pruning, which was introduced in the 1990s by Schnorr et al.

References

  1. 1.
    Agrell, E., Eriksson, T., Vardy, A., Zeger, K.: Closest point search in lattices. IEEE Trans. on Info. Theory 48(8), 2201–2214 (2002)MATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Aharonov, D., Regev, O.: Lattice problems in NP intersect coNP. Journal of the ACM 52(5), 749–765 (2005); Preliminary version in FOCS 2004CrossRefMathSciNetGoogle Scholar
  3. 3.
    Ajtai, M.: Generating random lattices according to the invariant distribution (Draft) (March 2006)Google Scholar
  4. 4.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proc. 33rd ACM Symp. on Theory of Computing (STOC), pp. 601–610 (2001)Google Scholar
  5. 5.
    Ajtai, M., Kumar, R., Sivakumar, D.: Sampling short lattice vectors and the closest lattice vector problem. In: Proc. of 17th IEEE Annual Conference on Computational Complexity (CCC), pp. 53–57 (2002)Google Scholar
  6. 6.
    Cadé, D., Pujol, X., Stehlé, D.: FPLLL library, version 3.0 (September 2008), http://perso.ens-lyon.fr/damien.stehle
  7. 7.
    Coster, M., Joux, A., LaMacchina, B., Odlyzko, A., Schnorr, C., Stern, J.: An improved low-density subset sum algorithm. In: Computational Complexity (1992)Google Scholar
  8. 8.
    Dasgupta, S., Gupta, A.: An elementary proof of the Johnson-Lindenstrauss lemma. Technical report, ICSI, Berkeley, TR-99-006 (1999)Google Scholar
  9. 9.
    Devroye, L.: Non-uniform random variate generation (1986), http://cg.scs.carleton.ca/~luc/rnbookindex.html
  10. 10.
    Dyer, M., Frieze, A., Kannan, R.: A random polynomial-time algorithm for approximating the volume of convex bodies. J. ACM 38(1), 1–17 (1991)MATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Mathematics of Computation 44(170), 463–471 (1985)MATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proc. 40th ACM Symp. on Theory of Computing, STOC (2008)Google Scholar
  13. 13.
    Gama, N., Nguyen, P.Q.: Predicting Lattice Reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Hanrot, G., Stehlé, D.: Improved analysis of Kannan’s shortest lattice vector algorithm (extended abstract). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Håstad, J., Just, B., Lagarias, J.C., Schnorr, C.-P.: Polynomial time algorithms for finding integer relations among real numbers. SIAM J. Comput. 18(5) (1989)Google Scholar
  16. 16.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proc. 15th ACM Symp. on Theory of Computing, STOC (1983)Google Scholar
  17. 17.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513–534 (1982)Google Scholar
  18. 18.
    Lovász, L., Vempala, S.: Simulated annealing in convex bodies and an O *(n 4) volume algorithm. J. Comput. Syst. Sci. 72(2), 392–417 (2006)MATHCrossRefGoogle Scholar
  19. 19.
    Mazo, J.E., Odlyzko, A.M.: Lattice points in high dimensional spheres. Monatsheft Mathematik 17, 47–61 (1990)CrossRefMathSciNetGoogle Scholar
  20. 20.
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: Proc. 42nd ACM Symp. on Theory of Computing, STOC (2010)Google Scholar
  21. 21.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proc. ACM-SIAM Symp. on Discrete Algorithms (SODA), pp. 1468–1480 (2010)Google Scholar
  22. 22.
    Nguyen, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto 1997. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)Google Scholar
  23. 23.
    Nguyen, P.Q.: Public-key cryptanalysis. In: Luengo, I. (ed.) Recent Trends in Cryptography. Contemporary Mathematics, vol. 477. AMS–RSME (2009)Google Scholar
  24. 24.
    Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  25. 25.
    Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2009)Google Scholar
  26. 26.
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology 2(2), 181–207 (2008)MATHCrossRefMathSciNetGoogle Scholar
  27. 27.
    Pohst, M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. SIGSAM Bull. 15(1), 37–44 (1981)MATHCrossRefMathSciNetGoogle Scholar
  28. 28.
    Pujol, X., Stehlé, D.: Rigorous and efficient short lattice vectors enumeration. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 390–405. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  29. 29.
    Pujol, X., Stehlé, D.: Solving the shortest lattice vector problem in time 22.465n, IACR eprint report number 2009/605 (2009)Google Scholar
  30. 30.
    Schnorr, C.-P.: Average time fast SVP and CVP algorithms for low density lattices. TR Goethe Universität Frankfurt (January 4, 2010)Google Scholar
  31. 31.
    Schnorr, C.-P.: A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science 53(2-3), 201–224 (1987)MATHCrossRefMathSciNetGoogle Scholar
  32. 32.
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)CrossRefMathSciNetGoogle Scholar
  33. 33.
    Schnorr, C.-P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)Google Scholar
  34. 34.
    Shoup, V.: Number Theory C++ Library (NTL) version 5.4.1, http://www.shoup.net/ntl/
  35. 35.
    Stehlé, D., Watkins, M.: On the extremality of an 80-dimensional lattice (2010) (manuscript)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Nicolas Gama
    • 1
  • Phong Q. Nguyen
    • 2
  • Oded Regev
    • 3
  1. 1.GREYC and ENSICAENFrance
  2. 2.INRIA and ENSFrance
  3. 3.Blavatnik School of Computer ScienceTel Aviv UniversityIsrael

Personalised recommendations