Skip to main content
Book cover

Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2019: Advances in Cryptology – EUROCRYPT 2019 pp 717–746Cite as

The General Sieve Kernel and New Records in Lattice Reduction

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11477)

Abstract

We propose the General Sieve Kernel (G6K, pronounced / e.si.ka/), an abstract stateful machine supporting a wide variety of lattice reduction strategies based on sieving algorithms. Using the basic instruction set of this abstract stateful machine, we first give concise formulations of previous sieving strategies from the literature and then propose new ones. We then also give a light variant of BKZ exploiting the features of our abstract stateful machine. This encapsulates several recent suggestions (Ducas at Eurocrypt 2018; Laarhoven and Mariano at PQCrypto 2018) to move beyond treating sieving as a blackbox SVP oracle and to utilise strong lattice reduction as preprocessing for sieving. Furthermore, we propose new tricks to minimise the sieving computation required for a given reduction quality with mechanisms such as recycling vectors between sieves, on-the-fly lifting and flexible insertions akin to Deep LLL and recent variants of Random Sampling Reduction.

Moreover, we provide a highly optimised, multi-threaded and tweakable implementation of this machine which we make open-source. We then illustrate the performance of this implementation of our sieving strategies by applying G6K to various lattice challenges. In particular, our approach allows us to solve previously unsolved instances of the Darmstadt SVP (151, 153, 155) and LWE (e.g. (75, 0.005)) challenges. Our solution for the SVP-151 challenge was found 400 times faster than the time reported for the SVP-150 challenge, the previous record. For exact-SVP, we observe a performance crossover between G6K and FPLLL’s state of the art implementation of enumeration at dimension 70.

The research of MA was supported by EPSRC grants EP/P009417/1, EP/S02087X/1 and by the European Union Horizon 2020 Research and Innovation Program Grant 780701; the research of LD was supported by a Veni Innovational Research Grant from NWO under project number 639.021.645 and by the European Union Horizon 2020 Research and Innovation Program Grant 780701; the research of EP was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/P009301/1); the research of GH and EK was supported by ERC Starting Grant ERC-2013-StG-335086-LATTAC.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-17656-3_25
  • Chapter length: 30 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-17656-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.

Notes

  1. 1.

    For example, the Gauss sieve implemented in FPLLL (latsieve) beats its unpruned SVP oracle (fplll -a svp) in dimension 50.

  2. 2.

    Our implementation is available at https://github.com/fplll/g6k/.

  3. 3.

    Note that, in addition, this already follows in the enumeration regime from [LN13] which we adapt to the sieving regime in Sect. 6.

  4. 4.

    Lifting is somewhat more expensive than considering a pair of vectors. We are therefore careful to only lift a fraction of all considered vectors, namely only the considered vectors below a certain length of, say, \(\sqrt{1.8} \cdot {{\,\mathrm{gh}\,}}(\mathcal {L}_{[\ell :r]})\).

  5. 5.

    The alternative being to only consider the vectors of the final database for lifting.

  6. 6.

    Note that \({{\,\mathrm{sl}\,}}\) can be viewed as the trivial insertion of the vector \(v_{\kappa } = (1, 0, \dots ,0)\).

  7. 7.

    When possible we prefer to sample by summing random pairs of vectors from the database.

  8. 8.

    This sequence refers to SubSieve \(^{+}(\mathcal {L}, f)\) with Sieve being progressive [Duc18a].

  9. 9.

    A collision is when a new vector \(\mathbf v \) to be inserted in the database equals \(\pm \mathbf v _2\) for some \(\mathbf v _2\) already present in the database.

  10. 10.

    For Fig. 4 we choose yet more opportunism and do not increase \(\beta \) to \(\beta '\).

  11. 11.

    This relies on the fact that we do not use recursive filtering in bgj1: the asymptotically optimal choice from [BGJ15] mandates choosing the buckets centres in a structured way, which is not compatible with choosing them as db elements.

  12. 12.

    This unorderedset is in fact split into many parts to eliminate most blocking locks during a multi-threaded sieve.

  13. 13.

    This mismatch with theory can be explained by various kinds of overheads, but mostly by the dimensions for free trick: as \(f=\varTheta (d/\log d)\) is quasilinear, the slope will only very slowly converge to the asymptotic prediction.

  14. 14.

    The number \(f=16+d/12\) of dimensions for free is only meant to be a local approximation, as we asymptotically expect \(f=\varTheta (d/\log d)\) even for O(1)-approx-SVP [Duc18a].

  15. 15.

    One could choose \(\kappa =0\) to be entirely sure not to miss the solution during the lifting phase, but this increases the cost of lifting. Instead, we can choose \(\kappa \) such that \(\sqrt{\kappa } \sigma < {{\,\mathrm{gh}\,}}(\mathcal {L}_{[d-\kappa :d]})\), with a small margin of, say, five dimensions.

References

  1. Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19

  2. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 16), Austin, TX. USENIX Association, pp. 327–343 (2016)

    Google Scholar 

  3. Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11

    CrossRef  Google Scholar 

  4. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: 33rd ACM STOC. ACM Press, pp. 601–610, July 2001

    Google Scholar 

  5. Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30

    CrossRef  Google Scholar 

  6. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA. ACM-SIAM, pp. 10–24, January 2016

    Google Scholar 

  7. Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_21

    CrossRef  Google Scholar 

  8. Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522 (2015). http://eprint.iacr.org/2015/522

  9. Bai, S., Laarhoven, T., Stehle, D.: Tuple lattice sieving. Cryptology ePrint Archive, Report 2016/713 (2016). http://eprint.iacr.org/2016/713

  10. Bai, S., Stehlé, D., Wen, W.: Measuring, simulating and exploiting the head concavity phenomenon in BKZ. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 369–404. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_13

    CrossRef  Google Scholar 

  11. Charikar, M.: Similarity estimation techniques from rounding algorithms. In: 34th ACM STOC. ACM Press, pp. 380–388, May 2002

    Google Scholar 

  12. Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Thèse de doctorat dirigée par Nguyen, Phong-Quang Informatique Paris 7, p. 1, vol. 133 (2013)

    Google Scholar 

  13. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

    CrossRef  Google Scholar 

  14. The FPLLL Development Team: FPLLL, a lattice reduction library (2018). https://github.com/fplll/fplll

  15. The FPyLLL Development Team: FPyLLL, a lattice reduction library (2018). https://github.com/fplll/fpylll

  16. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

    CrossRef  Google Scholar 

  17. Ducas, L.: Shortest Vector from Lattice Sieving: a Few Dimensions for Free (talk), April 2018. https://eurocrypt.iacr.org/2018/Slides/Monday/TrackB/01-01.pdf

  18. Fitzpatrick, R., et al.: Tuning GaussSieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_16

    CrossRef  Google Scholar 

  19. Fukase, M., Kashiwabara, K.: An accelerated algorithm for solving SVP based on statistical analysis. JIP 23(1), 67–80 (2015)

    Google Scholar 

  20. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–463 (1985)

    MathSciNet  CrossRef  Google Scholar 

  21. Göpfert, F., Yakkundimath, A.: Darmstadt LWE challenges (2015). https://www.latticechallenge.org/lwe_challenge/challenge.php. Accessed 15 Aug 2018

  22. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC. ACM Press, pp. 207–216, May 2008

    Google Scholar 

  23. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3

    CrossRef  Google Scholar 

  24. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13

    CrossRef  Google Scholar 

  25. Herold, G., Kirshanova, E.: Improved algorithms for the approximate k-list problem in euclidean norm. In: Fehr, S. (ed.) PKC 2017, Part I. LNCS, vol. 10174, pp. 16–40. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_2

    CrossRef  Google Scholar 

  26. Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time–memory trade-offs for tuple lattice sieving. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_14

    CrossRef  Google Scholar 

  27. Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25

    CrossRef  Google Scholar 

  28. Hanrot, G., Damien, S.: Improved analysis of Kannan’s shortest lattice vector algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_10

    CrossRef  Google Scholar 

  29. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC. ACM Press, pp. 193–206, April 1983

    Google Scholar 

  30. Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)

    MathSciNet  CrossRef  Google Scholar 

  31. Kirchner, P.: Re: sieving vs. enumeration, May 2016. https://groups.google.com/forum/#!msg/cryptanalytic-algorithms/BoSRL0uHIjM/wAkZQlwRAgAJ

  32. Lenstra, A.K., Lenstra, H.W., Ĺovasz, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261(4), 515–534 (1982)

    MathSciNet  CrossRef  Google Scholar 

  33. Laarhoven, T., Mariano, A.: Progressive lattice sieving. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 292–311. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_14

    CrossRef  Google Scholar 

  34. Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_19

    CrossRef  Google Scholar 

  35. Madritsch, M., Vallée, B.: Modelling the LLL algorithm by sandpiles. In: López-Ortiz, A. (ed.) LATIN 2010. LNCS, vol. 6034, pp. 267–281. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12200-2_25

    CrossRef  Google Scholar 

  36. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Charika, M. (ed.) 21st SODA. ACM-SIAM, pp. 1468–1480, January 2010

    Google Scholar 

  37. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Indyk, P. (ed.) 26th SODA. ACM-SIAM, pp. 276–294, January 2015

    Google Scholar 

  38. Nguyen, P.Q.: Hermités constant and lattice algorithms. In: Nguyen, P., Valle, B. (eds.) The LLL Algorithm. Information Security and Cryptography, pp. 19–69. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1_2

    CrossRef  Google Scholar 

  39. Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)

    MathSciNet  CrossRef  Google Scholar 

  40. Poppelmann, T., et al.: Newhope, Technical report, National Institute of Standards and Technology (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions

  41. Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)

    MathSciNet  CrossRef  Google Scholar 

  42. Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14

    CrossRef  Google Scholar 

  43. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994)

    MathSciNet  CrossRef  Google Scholar 

  44. Schneider, M., Gama, N.: Darmstadt SVP Challenges (2010). https://www.latticechallenge.org/svp-challenge/index.php. Accessed 17 Aug 2018

  45. Teruya, T., Kashiwabara, K., Hanaoka, G.: Fast lattice basis reduction suitable for massive parallelization and its application to the shortest vector problem. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 437–460. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_15

    CrossRef  Google Scholar 

  46. Walter, M.: Sage implementation of Chen and Nguyen’s BKZ simulator (2016). http://pub.ist.ac.at/~mwalter/src/sim_bkz.sage

  47. Yu, Y., Ducas, L.: Second order statistical behavior of LLL and BKZ. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 3–22. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_1

    CrossRef  Google Scholar 

Download references

Acknowledgements

We thank Kenny Paterson for discussing a previous version of this draft. We also thank Pierre Karpman for running some of our experiments.

Author information

Authors and Affiliations

  1. Information Security Group, Royal Holloway, University of London, Egham, UK

    Martin R. Albrecht & Eamonn W. Postlethwaite

  2. Cryptology Group, CWI, Amsterdam, The Netherlands

    Léo Ducas & Marc Stevens

  3. ENS Lyon, Laboratoire LIP, Lyon, France

    Gottfried Herold & Elena Kirshanova

Authors
  1. Martin R. Albrecht
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Léo Ducas
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Gottfried Herold
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Elena Kirshanova
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Eamonn W. Postlethwaite
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Marc Stevens
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eamonn W. Postlethwaite .

Editor information

Editors and Affiliations

  1. Technion, Haifa, Israel

    Yuval Ishai

  2. COSIC Group, KU Leuven, Heverlee, Belgium

    Prof. Vincent Rijmen

1 Electronic supplementary material

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M. (2019). The General Sieve Kernel and New Records in Lattice Reduction. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham. https://doi.org/10.1007/978-3-030-17656-3_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-17656-3_25

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17655-6

  • Online ISBN: 978-3-030-17656-3

  • eBook Packages: Computer ScienceComputer Science (R0)