
Parallel Gauss Sieve Algorithm: Solving the SVP Challenge over a 128-Dimensional Ideal Lattice

  • Tsukasa Ishiguro
  • Shinsaku Kiyomoto
  • Yutaka Miyake
  • Tsuyoshi Takagi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8383)

Abstract

In this paper, we report that we have solved the SVP Challenge over a 128-dimensional lattice from the Ideal Lattice Challenge of TU Darmstadt, which is currently the highest dimension in the challenge that has ever been solved. The security of lattice-based cryptography rests on the hardness of solving the shortest vector problem (SVP) in lattices. In 2010, Micciancio and Voulgaris proposed the Gauss Sieve algorithm, which heuristically solves the SVP using a list L of pairwise Gauss-reduced vectors. Milde and Schneider proposed a parallel implementation of the Gauss Sieve algorithm; however, its efficiency decreased when more than 10 threads were used, because a large number of non-Gauss-reduced vectors appeared in the distributed list held by each thread. In this paper, we propose a more practical parallelized Gauss Sieve algorithm. Our algorithm gives each thread an additional Gauss-reduced list V of sample vectors, and all vectors in list L remain Gauss-reduced because they are mutually reduced against all sample vectors in V. This allows the Gauss Sieve algorithm to run in large dimensions with a small communication overhead. Finally, we succeeded in solving the SVP Challenge over a 128-dimensional ideal lattice generated by the cyclotomic polynomial x^128 + 1 using about 30,000 CPU hours.
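To make the data structures named in the abstract concrete, here is an added illustration of the sequential Gauss Sieve on a tiny lattice; it is not code from the paper or from the GaussSieve implementations it cites. It keeps the list L pairwise Gauss-reduced at all times and uses a stack S for list vectors that a new sample has shortened, which is exactly the invariant a parallel variant has to preserve across threads. Constructed assumptions: the lattice is the D4 root lattice given by a deliberately skewed basis (minimum squared norm 2), samples are small random integer combinations of the basis rows instead of a Klein-style sampler, and the run stops after a fixed number of collisions.

```python
"""Sequential Gauss Sieve on a small integer lattice (added illustration)."""
import random

# Constructed example: a unimodular transform of the standard D4 basis, so the
# lattice is {x in Z^4 : sum(x) even} and the minimum squared norm is 2.
D4_BASIS = [
    (1, -1, 0, 0),
    (3, -2, -1, 0),
    (6, -4, -1, -1),
    (5, -3, 0, 0),
]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def reduce_by(p, v):
    """One Gauss (Lagrange) step: subtract the integer multiple of v that makes
    p as short as possible along v.  Returns (new_p, changed).
    p is already reduced against v when |2<p,v>| <= |v|^2, i.e. neither
    p + v nor p - v is shorter than p."""
    vv = dot(v, v)
    pv = dot(p, v)
    if vv == 0 or 2 * abs(pv) <= vv:
        return p, False
    k = (2 * pv + vv) // (2 * vv)  # nearest integer to pv/vv, in exact integer arithmetic
    return tuple(a - k * b for a, b in zip(p, v)), True


def is_pairwise_gauss_reduced(L):
    """The invariant the sieve maintains on L: every pair is Gauss-reduced."""
    for i in range(len(L)):
        for j in range(i + 1, len(L)):
            u, v = L[i], L[j]
            if 2 * abs(dot(u, v)) > min(dot(u, u), dot(v, v)):
                return False
    return True


def gauss_sieve(basis, max_collisions=100, coeff_bound=3, seed=0):
    """Run the sieve until max_collisions samples have reduced to zero.
    Returns the final list L."""
    rng = random.Random(seed)
    dim = len(basis)

    def sample():
        # Constructed toy sampler: a random small combination of the basis rows.
        while True:
            coeffs = [rng.randint(-coeff_bound, coeff_bound) for _ in range(dim)]
            p = tuple(sum(c * b[i] for c, b in zip(coeffs, basis)) for i in range(dim))
            if any(p):
                return p

    L = []  # pairwise Gauss-reduced lattice vectors
    S = []  # vectors removed from L after being shortened; re-reduced later
    collisions = 0
    while collisions < max_collisions:
        p = S.pop() if S else sample()

        # Phase 1: reduce p by L until it is Gauss-reduced against every list vector.
        changed = True
        while changed:
            changed = False
            for v in L:
                p, c = reduce_by(p, v)
                changed = changed or c
        if not any(p):
            collisions += 1  # p collapsed to zero: L already covers it
            continue

        # Phase 2: reduce L by p.  A list vector that gets shorter no longer
        # satisfies the invariant, so it leaves L and waits on the stack.
        kept = []
        for v in L:
            v2, c = reduce_by(v, p)
            if not c:
                kept.append(v)
            elif any(v2):
                S.append(v2)
        kept.append(p)
        L = kept
    return L


def shortest(L):
    return min(L, key=lambda v: dot(v, v))


if __name__ == "__main__":
    L = gauss_sieve(D4_BASIS)
    print("list size", len(L), "invariant holds:", is_pairwise_gauss_reduced(L))
    s = shortest(L)
    print("shortest vector found:", s, "squared norm", dot(s, s))
```

The two phases are the heart of the method: after phase 1 the new vector p is reduced against everything in L, and after phase 2 everything left in L is reduced against p, so L plus p is again pairwise Gauss-reduced. In the paper's parallel setting each thread holds its own reduced list V of samples and the same two-way reduction runs between L and all of V; the invariant check above is the property that such a scheme must keep true after every merge.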

Keywords

shortest vector problem, lattice-based cryptography, ideal lattice, Gauss Sieve algorithm, parallel algorithm

References

  1. Ajtai, M.: The Shortest Vector Problem in L2 is NP-hard for Randomized Reductions (Extended Abstract). In: Proceedings of the 30th Annual ACM Symposium on Theory of Computing, STOC 1998, pp. 10–19. ACM (1998)
  2. Ajtai, M., Dwork, C.: A Public-key Cryptosystem with Worst-case/average-case Equivalence. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing, STOC 1997, pp. 284–293. ACM (1997)
  3. Ajtai, M., Kumar, R., Sivakumar, D.: A Sieve Algorithm for the Shortest Lattice Vector Problem. In: Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, STOC 2001, pp. 601–610. ACM (2001)
  4. Amazon: Amazon Elastic Compute Cloud, http://aws.amazon.com/jp/ec2/
  5. Arvind, V., Joglekar, P.S.: Some Sieving Algorithms for Lattice Problems. In: Proceedings of the IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2008. LIPIcs, vol. 2, pp. 25–36. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik (2008)
  6. Gama, N., Nguyen, P., Regev, O.: Lattice Enumeration Using Extreme Pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)
  7. Garg, S., Gentry, C., Halevi, S.: Candidate Multilinear Maps from Ideal Lattices. Cryptology ePrint Archive, Report 2012/610 (2012)
  8. Gentry, C.: Fully Homomorphic Encryption Using Ideal Lattices. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
  9. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for Hard Lattices and New Cryptographic Constructions. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 197–206. ACM (2008)
  10. Hoffstein, J., Pipher, J., Silverman, J.: NTRU: A Ring-based Public Key Cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
  11. Hanrot, G., Stehlé, D.: Improved Analysis of Kannan's Shortest Lattice Vector Algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)
  12. Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the Shortest and Closest Lattice Vector Problems. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Heidelberg (2011)
  13. Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel Gauss Sieve Algorithm: Solving the SVP Challenge over a 128-Dimensional Ideal Lattice. Cryptology ePrint Archive, Report 2013/388 (2013)
  14. Kannan, R.: Improved Algorithms for Integer Programming and Related Lattice Problems. In: Proceedings of the 15th ACM Symposium on Theory of Computing, STOC 1983, pp. 193–206. ACM (1983)
  15. Klein, P.: Finding the Closest Lattice Vector When it's Unusually Close. In: Proceedings of the 11th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2000, pp. 937–941. ACM (2000)
  16. Lenstra, A., Lenstra, H., Lovász, L.: Factoring Polynomials with Rational Coefficients. Mathematische Annalen 261(4), 515–534 (1982)
  17. Micciancio, D.: The Shortest Vector in a Lattice is Hard to Approximate to within Some Constant. In: Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS 1998, pp. 92–98. IEEE Computer Society (1998)
  18. Micciancio, D., Voulgaris, P.: A Deterministic Single Exponential Time Algorithm for Most Lattice Problems Based on Voronoi Cell Computations. In: Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC 2010, pp. 351–358. ACM (2010)
  19. Micciancio, D., Voulgaris, P.: Faster Exponential Time Algorithms for the Shortest Vector Problem. In: Proceedings of the 21st Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, vol. 65, pp. 1468–1480. SIAM (2010)
  20. Milde, B., Schneider, M.: A Parallel Implementation of GaussSieve for the Shortest Vector Problem in Lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011)
  21. Nguyen, P.Q., Vidick, T.: Sieve Algorithms for the Shortest Vector Problem Are Practical. Journal of Mathematical Cryptology 2, 181–207 (2008)
  22. Plantard, T., Schneider, M.: Ideal Lattice Challenge, http://www.latticechallenge.org/ideallattice-challenge/
  23. Plantard, T., Schneider, M.: Creating a Challenge for Ideal Lattices. Cryptology ePrint Archive, Report 2013/039 (2013)
  24. Pujol, X., Stehlé, D.: Solving the Shortest Lattice Vector Problem in Time 2^{2.465n}. Cryptology ePrint Archive, Report 2009/605 (2009)
  25. Schneider, M.: Analysis of Gauss-Sieve for Solving the Shortest Vector Problem in Lattices. In: Katoh, N., Kumar, A. (eds.) WALCOM 2011. LNCS, vol. 6552, pp. 89–97. Springer, Heidelberg (2011)
  26. Schneider, M.: Computing Shortest Lattice Vectors on Special Hardware. PhD thesis, Technische Universität Darmstadt (2011)
  27. Schneider, M., Gama, N.: SVP Challenge, http://www.latticechallenge.org/svp-challenge/
  28. Schnorr, C.-P.: A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms. Theoretical Computer Science 53(2-3), 201–224 (1987)
  29. Schnorr, C.-P.: Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems. Mathematical Programming, 181–191 (1993)
  30. Schnorr, C.-P., Hörner, H.H.: Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)
  31. Shoup, V.: Number Theory Library (NTL) for C++. Available at Shoup's homepage, http://shoup.net/ntl
  32. Voulgaris, P.: Gauss Sieve beta 0.1 (2010). Available at Voulgaris' homepage at the University of California, San Diego, http://cseweb.ucsd.edu/~pvoulgar/impl.html

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Tsukasa Ishiguro (1)
  • Shinsaku Kiyomoto (1)
  • Yutaka Miyake (1)
  • Tsuyoshi Takagi (2)
  1. KDDI R&D Laboratories Inc., Fujimino, Japan
  2. Institute of Mathematics for Industry, Kyushu University, Nishi-ku, Japan
