Advertisement

Analysis of Gauss-Sieve for Solving the Shortest Vector Problem in Lattices

  • Michael Schneider
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6552)

Abstract

Lattice based cryptography is gaining more and more importance in the cryptographic community. The security of lattice based cryptosystems can be proven to be as hard as worst case lattice problems. The most important underlying hard problem is the shortest vector problem. There are two concurrent approaches for the search for shortest vectors in lattices: enumeration and probabilistic sieving algorithms.

Enumeration algorithms were the best choice, until in 2010, Micciancio and Voulgaris present a new heuristic sieving algorithm called Gauss Sieve, which was the first sieving algorithm considered to be competitive to exhaustive search algorithms. Later in 2010, Gama, Nguyen, and Regev published their extreme pruning variant of the enumeration, which again ruled out sieving.

In this paper, we present the practical results using Gauss Sieve that we gained in our experiments throughout the last year. We analyze the behaviour of Gauss Sieve that helps understanding the strengths and weaknesses of the algorithm.

Keywords

lattice reduction shortest vector problem sieving algorithms 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [AKS01]
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC 2001, pp. 601–610. ACM, New York (2001)Google Scholar
  2. [BLRS08]
    Buchmann, J., Lindner, R., Rückert, M., Schneider, M.: Explicit hard instances of the shortest vector problem (extended version). Cryptology ePrint Archive, Report 2008/333 (2008), http://eprint.iacr.org/
  3. [BN09]
    Blömer, J., Naewe, S.: Sampling methods for shortest vectors, closest vectors and successive minima. Theor. Comput. Sci. 410(18), 1648–1665 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  4. [CPS]
    Cadé, D., Pujol, X., Stehlé, D.: fpLLL - a floating point LLL implementation. Available at Damien Stehlé’s homepage at école normale supérieure de Lyon, http://perso.ens-lyon.fr/damien.stehle/english.html
  5. [DHPS10]
    Detrey, J., Hanrot, G., Pujol, X., Stehlé, D.: Accelerating lattice reduction with FPGAs. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 124–143. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  6. [GM03]
    Goldstein, D., Mayer, A.: On the equidistribution of Hecke points. In: Forum Mathematicum 2003, vol. 15(2), pp. 165–189 (2003)Google Scholar
  7. [GN08]
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. [GNR10]
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. [GS10]
    Gama, N., Schneider, M.: SVP Challenge (2010), http://www.latticechallenge.org/svp-challenge
  10. [HS07]
    Hanrot, G., Stehlé, D.: Improved analysis of Kannan’s shortest lattice vector algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. [HSB+10]
    Hermans, J., Schneider, M., Buchmann, J., Vercauteren, F., Preneel, B.: Parallel shortest lattice vector enumeration on graphics cards. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 52–68. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  12. [LLL82]
    Lenstra, A., Lenstra, H., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 4, 515–534 (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  13. [MV10a]
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In: STOC, pp. 351–358. ACM, New York (2010)Google Scholar
  14. [MV10b]
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480. ACM/SIAM (2010)Google Scholar
  15. [NS06]
    Nguyên, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. [NV08]
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology 2(2) (2008)Google Scholar
  17. [PS09]
    Pujol, X., Stehle, D.: Solving the shortest lattice vector problem in time 22.465n. Cryptology ePrint Archive, Report 2009/605 (2009), http://eprint.iacr.org/
  18. [Sch87]
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  19. [SE94]
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming 66, 181–199 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  20. [Vou10]
    Voulgaris, P.: Gauss Sieve beta 0.1, Available at Panagiotis Voulgaris’ homepage at the University of California, San Diego (2010), http://cseweb.ucsd.edu/~pvoulgar/impl.html

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Michael Schneider
    • 1
  1. 1.Technische Universität DarmstadtGermany

Personalised recommendations