Accelerating Lattice Reduction with FPGAs

  • Jérémie Detrey
  • Guillaume Hanrot
  • Xavier Pujol
  • Damien Stehlé
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6212)


We describe an FPGA accelerator for the Kannan–Fincke–Pohst enumeration algorithm (KFP) solving the Shortest Lattice Vector Problem (SVP). This is the first FPGA implementation of KFP specifically targeting cryptographically relevant dimensions. In order to optimize this implementation, we theoretically and experimentally study several facets of KFP, including its efficient parallelization and its underlying arithmetic. Our FPGA accelerator can be used for both solving stand-alone instances of SVP (within a hybrid CPU–FPGA compound) or myriads of smaller dimensional SVP instances arising in a BKZ-type algorithm. For devices of comparable costs, our FPGA implementation is faster than a multi-core CPU implementation by a factor around 2.12.


FPGA Euclidean Lattices Shortest Vector Problem 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Ajtai, M.: The shortest vector problem in L 2 is NP-hard for randomized reductions (extended abstract). In: Proc. of STOC, pp. 284–293. ACM, New York (1998)Google Scholar
  3. 3.
    Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proc. of STOC, pp. 284–293. ACM, New York (1997)Google Scholar
  4. 4.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proc. of STOC, pp. 601–610. ACM, New York (2001)Google Scholar
  5. 5.
    Arbitman, Y., Dogon, G., Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFTX: a proposal for the SHA-3 standard. Submission to NIST (2008),
  6. 6.
    Cadé, D., Pujol, X., Stehlé, D.: fplll - a floating-point LLL implementation,
  7. 7.
    Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Conway, J.H., Sloane, N.J.A.: Sphere Packings, Lattices and Groups. Springer, Heidelberg (1988)zbMATHGoogle Scholar
  9. 9.
    Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology 10(4), 233–260 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    van Dijk, Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Gilbert, H. (ed.) Advances in Cryptology – EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. 11.
    Fincke, U., Pohst, M.: A procedure for determining algebraic integers of given norm. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, pp. 194–202. Springer, Heidelberg (1983)Google Scholar
  12. 12.
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proc. of STOC, pp. 207–216. ACM, New York (2008)Google Scholar
  13. 13.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proc. of STOC, pp. 169–178. ACM, New York (2009)Google Scholar
  15. 15.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proc. of STOC, pp. 197–206. ACM, New York (2008)Google Scholar
  16. 16.
    Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997)Google Scholar
  17. 17.
    Goldstein, D., Mayer, A.: On the equidistribution of Hecke points. Forum Mathematicum 15, 165–189 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Guo, Z., Nilsson, P.: VLSI architecture of the soft-output sphere decoder for MIMO systems. In: Proc. of MWSCAS, vol. 2, pp. 1195–1198. IEEE, Los Alamitos (2005)Google Scholar
  19. 19.
    Hanrot, G., Stehlé, D.: Improved analysis of Kannan’s shortest lattice vector algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Hermans, J., Schneider, M., Buchmann, J., Vercauteren, F., Preneel, B.: Parallel shortest lattice vector enumeration on graphics cards. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 52–68. Springer, Heidelberg (2010)Google Scholar
  21. 21.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  22. 22.
    Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 150–169. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proc. of STOC, pp. 99–108. ACM, New York (1983)Google Scholar
  24. 24.
    Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  25. 25.
    Lovász, L.: An Algorithmic Theory of Numbers, Graphs and Convexity. SIAM, cBMS-NSF Regional Conference Series in Applied Mathematics (1986)Google Scholar
  26. 26.
    Magma: The Magma computational algebra system,
  27. 27.
    May, A.: Using LLL-reduction for solving RSA and factorization problems: A survey. In: [32] (2009)Google Scholar
  28. 28.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  29. 29.
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. To appear in the proceedings of STOC 2010 (2010)Google Scholar
  30. 30.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proc. of SODA, pp. 1468–1480. SIAM, Philadelphia (2010)Google Scholar
  31. 31.
    Mow, W.H.: Maximum likelihood sequence estimation from the lattice viewpoint. IEEE TIT 40, 1591–1600 (1994)zbMATHGoogle Scholar
  32. 32.
    Nguyen, P.Q., Vallée, B.: The LLL algorithm, survey and applications. Information Security and Cryptography. Springer, Heidelberg (2010)Google Scholar
  33. 33.
    Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)Google Scholar
  34. 34.
    Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  35. 35.
    Nguyen, P.Q., Stern, J.: Cryptanalysis of the Ajtai-Dwork cryptosystem. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 223–242. Springer, Heidelberg (1998)Google Scholar
  36. 36.
    Nguyen, P.Q., Stern, J.: The two faces of lattices in cryptology. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 146–180. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  37. 37.
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Mathematical Cryptology 2(2) (2008)Google Scholar
  38. 38.
    Odlyzko, A.M.: The rise and fall of knapsack cryptosystems. In: Proceedings of Cryptology and Computational Number Theory. Proceedings of Symposia in Applied Mathematics, vol. 42, pp. 75–88. AMS (1989)Google Scholar
  39. 39.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: Proc. of STOC, pp. 333–342. ACM, New York (2009)Google Scholar
  40. 40.
    Pujol, X., Stehlé, D.: Rigorous and efficient short lattice vectors enumeration. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 390–405. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  41. 41.
    Pujol, X., Stehlé, D.: Solving the shortest lattice vector problem in time 22.465n. Cryptology ePrint Archive, Report 2009/605 (2009),
  42. 42.
    Regev, O.: Lattices in computer science (2004). lecture notes of a course given at the Tel. Aviv. University,
  43. 43.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proc. of STOC, pp. 84–93. ACM, New York (2005)Google Scholar
  44. 44.
    Schnorr, C.P.: A hierarchy of polynomial lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)zbMATHCrossRefMathSciNetGoogle Scholar
  45. 45.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)CrossRefMathSciNetGoogle Scholar
  46. 46.
    Schnorr, C.P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)Google Scholar
  47. 47.
    Shoup, V.: NTL, Number Theory C++ Library,
  48. 48.
    Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  49. 49.
    Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009)Google Scholar
  50. 50.
    Studer, C., Burg, A., Bölcskei, H.: Soft-output sphere decoding: Algorithms and VLSI implementation. IEEE Journal on Selected Areas in Communications 26(2), 290–300 (2008)CrossRefGoogle Scholar
  51. 51.
    Viterbo, E., Boutros, J.: A universal lattice code decoder for fading channels. IEEE TIT 45, 1639–1642 (1999)zbMATHMathSciNetGoogle Scholar
  52. 52.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Jérémie Detrey
    • 1
  • Guillaume Hanrot
    • 2
  • Xavier Pujol
    • 2
  • Damien Stehlé
    • 3
  1. 1.CARAMEL project-teamLORIA, INRIA / CNRS / Nancy Université, Campus ScientifiqueVandœuvre-lès-Nancy CedexFrance
  2. 2.Laboratoire LIP, CNRS-ENSL-INRIA-UCBLÉNS Lyon, Université de LyonLyon Cedex 07France
  3. 3.CNRS, Macquarie University and University of Sydney, Dpt. of Mathematics and StatisticsUniversity of SydneyAustralia

Personalised recommendations