Sieving for Shortest Vectors in Ideal Lattices
Lattice-based cryptography is gaining more and more importance in the cryptographic community. A common approach is to use a special class of lattices, so-called ideal lattices, as the basis of lattice-based cryptosystems. This speeds up computations and saves storage space for cryptographic keys. The most important underlying hard problem is the shortest vector problem. So far, no algorithm is known that solves the shortest vector problem in ideal lattices faster than in regular lattices. Therefore, cryptosystems using ideal lattices are considered to be as secure as their regular counterparts.
In this paper we present IdealListSieve, a variant of the ListSieve algorithm, which is a randomized, exponential-time sieving algorithm that solves the shortest vector problem in lattices. Our variant makes use of the special structure of ideal lattices. We show that it is indeed possible to find a shortest vector in ideal lattices faster than in regular lattices without special structure. The practical speedup of our algorithm is linear in the degree of the field polynomial. We also propose an ideal lattice variant of the heuristic GaussSieve algorithm that allows for the same speedup.
Keywords: Ideal Lattices, Shortest Vector Problem, Sieving Algorithms
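The following is an added illustration, not code from the paper: it shows one way the structure of an ideal lattice can help a sieve, namely that every rotation x^i·v of a lattice vector is again a lattice vector of the same norm, so a single stored vector can be used n times in the reduction step. The ring Z[x]/(x^n + 1), the generator 3 + x, the sample vectors and all function names are assumptions made for this example.

```python
# Added illustration; ring Z[x]/(x^n + 1) and all names are assumptions.

def rot(v):
    """Multiply by x modulo x^n + 1: shift up, negate the wrapped coefficient."""
    return [-v[-1]] + v[:-1]

def mul(a, b):
    """Product of two coefficient vectors in Z[x]/(x^n + 1)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj   # x^n = -1
    return out

def norm2(v):
    """Squared Euclidean norm."""
    return sum(x * x for x in v)

def orbit(v):
    """The n rotations v, x*v, ..., x^(n-1)*v; all lie in the ideal lattice."""
    out, w = [], list(v)
    for _ in range(len(v)):
        out.append(w)
        w = rot(w)
    return out

def sieve_reduce(p, lst):
    """Add or subtract list vectors for as long as that strictly shortens p."""
    p, changed = list(p), True
    while changed:
        changed = False
        for v in lst:
            for s in (1, -1):
                q = [a - s * b for a, b in zip(p, v)]
                if norm2(q) < norm2(p):
                    p, changed = q, True
    return p

# Constructed sample: principal ideal generated by g = 3 + x, with n = 4.
G = [3, 1, 0, 0]
V = mul([1, -1, 0, 0], G)      # a vector already in the sieve list
P = mul([2, 1, -1, 1], G)      # a newly sampled lattice vector to reduce

if __name__ == "__main__":
    print(norm2(sieve_reduce(P, [V])))        # reduction against V only
    print(norm2(sieve_reduce(P, orbit(V))))   # reduction against V's rotations
```

In this sample the single list vector cannot shorten P at all, while its four rotations reduce P to the generator itself.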