Analysis of Gauss-Sieve for Solving the Shortest Vector Problem in Lattices
Lattice-based cryptography is gaining more and more importance in the cryptographic community. Breaking lattice-based cryptosystems can be proven to be as hard as solving worst-case lattice problems. The most important underlying hard problem is the shortest vector problem. There are two competing approaches to the search for shortest vectors in lattices: enumeration and probabilistic sieving algorithms.
Enumeration algorithms were the best choice until 2010, when Micciancio and Voulgaris presented a new heuristic sieving algorithm called Gauss Sieve, the first sieving algorithm considered competitive with exhaustive search algorithms. Later in 2010, Gama, Nguyen, and Regev published their extreme pruning variant of enumeration, which again ruled out sieving.
In this paper, we present the practical results that we obtained with Gauss Sieve in our experiments over the last year. We analyze the behaviour of Gauss Sieve, which helps in understanding the strengths and weaknesses of the algorithm.
Keywords: lattice reduction, shortest vector problem, sieving algorithms