Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9230)

Abstract

Recently, it was shown that angular locality-sensitive hashing (LSH) can be used to significantly speed up lattice sieving, leading to a heuristic time complexity for solving the shortest vector problem (SVP) of \(2^{0.337n + o(n)}\) (and space complexity \(2^{0.208n + o(n)}\). We study the possibility of applying other LSH methods to sieving, and show that with the spherical LSH method of Andoni et al. we can heuristically solve SVP in time \(2^{0.298n + o(n)}\) and space \(2^{0.208n + o(n)}\). We further show that a practical variant of the resulting SphereSieve is very similar to Wang et al.’s two-level sieve, with the key difference that we impose an order on the outer list of centers.

Keywords

Shortest vector problem (svp) Sieving algorithms Nearest neighbor problem Locality-sensitive hashing (lsh) Lattice cryptography 

References

  1. 1.
    Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete gaussian sampling. In: STOC (2015)Google Scholar
  2. 2.
    Ajtai, M.: The shortest vector problem in \(L_2\) is NP-hard for randomized reductions (extended abstract). In: STOC, pp. 10–19 (1998)Google Scholar
  3. 3.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)Google Scholar
  4. 4.
    Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. In: FOCS, pp. 459–468 (2006)Google Scholar
  5. 5.
    Andoni, A., Indyk, P., Nguyen, H.L., Razenshteyn, I.: Beyond locality-sensitive hashing. In: SODA, pp. 1018–1028 (2014)Google Scholar
  6. 6.
    Andoni, A., Razenshteyn, I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC (2015)Google Scholar
  7. 7.
    Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. In: ANTS, pp. 49–70 (2014)Google Scholar
  8. 8.
    Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522 (2015)Google Scholar
  9. 9.
    Becker, A., Laarhoven, T.: Efficient sieving on (ideal) lattices using cross-polytopic LSH. (preprint 2015)Google Scholar
  10. 10.
    Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer, Heidelberg (2009)MATHCrossRefGoogle Scholar
  11. 11.
    Bos, J., Naehrig, M., van de Pol, J.: Sieving for shortest vectors in ideal lattices: a practical perspective. Cryptology ePrint Archive, Report 2014/880 (2014)Google Scholar
  12. 12.
    Charikar, M.S.: Similarity estimation techniques from rounding algorithms. In: STOC, pp. 380–388 (2002)Google Scholar
  13. 13.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  14. 14.
    Datar, M., Immorlica, N., Indyk, P., Mirrokni, V.S.: Locality-sensitive hashing scheme based on \(p\)-stable distributions. In: SOCG, pp. 253–262 (2004)Google Scholar
  15. 15.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Fitzpatrick, R., Bischof, C., Buchmann, J., Dagdelen, Ö., Göpfert, F., Mariano, A., Yang, B.-Y.: Tuning gausssieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Heidelberg (2015) Google Scholar
  17. 17.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  18. 18.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
  19. 19.
    Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the shortest and closest lattice vector problems. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  20. 20.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  21. 21.
    Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: STOC, pp. 604–613 (1998)Google Scholar
  22. 22.
    Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel gauss sieve algorithm: solving the SVP challenge over a \(128\)-dimensional ideal lattice. In: PKC, pp. 411–428 (2014)Google Scholar
  23. 23.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)Google Scholar
  24. 24.
    Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: CRYPTO (2015)Google Scholar
  25. 25.
    Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des., Codes Crypt. (2015)Google Scholar
  26. 26.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  27. 27.
    Mariano, A., Timnat, S., Bischof, C.: Lock-free gausssieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD, pp. 278–285 (2014)Google Scholar
  28. 28.
    Mariano, A., Dagdelen, Ö., Bischof, C.: A comprehensive empirical comparison of parallel listsieve and gausssieve. In: Lopes, L., et al. (eds.) Euro-Par 2014 Workshops. LNCS, pp. 48–59. Springer, Heidelberg (2014)Google Scholar
  29. 29.
    Mariano, A., Laarhoven, T., Bischof, C.: Parallel (probable) lock-free hashsieve: a practical sieving algorithm for the SVP. In: ICPP (2015)Google Scholar
  30. 30.
    Micciancio, D.: The shortest vector in a lattice is hard to approximate to within some constant. In: FOCS, pp. 92–98 (1998)Google Scholar
  31. 31.
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In: STOC, pp. 351–358 (2010)Google Scholar
  32. 32.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)Google Scholar
  33. 33.
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: SODA, pp. 276–294 (2015)Google Scholar
  34. 34.
    Milde, B., Schneider, M.: A parallel implementation of gausssieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  35. 35.
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)MATHMathSciNetCrossRefGoogle Scholar
  36. 36.
    Plantard, T., Schneider, M.: Ideal lattice challenge (2014). http://latticechallenge.org/ideallattice-challenge/
  37. 37.
    Pohst, M.E.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. ACM SIGSAM Bull. 15(1), 37–44 (1981)MATHMathSciNetCrossRefGoogle Scholar
  38. 38.
    van de Pol, J., Smart, N.P.: Estimating key sizes for high dimensional lattice-based systems. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 290–303. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  39. 39.
    Pujol, X., Stehlé, D.: Solving the shortest lattice vector problem in time \(2^{2.465n}\). Cryptology ePrint Archive, Report 2009/605 (2009)Google Scholar
  40. 40.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)Google Scholar
  41. 41.
    Schneider, M.: Analysis of gauss-sieve for solving the shortest vector problem in lattices. In: Katoh, N., Kumar, A. (eds.) WALCOM 2011. LNCS, vol. 6552, pp. 89–97. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  42. 42.
    Schneider, M.: Sieving for shortest vectors in ideal lattices. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 375–391. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  43. 43.
    Schneider, M., Gama, N., Baumann, P., Nobach, L.: SVP challenge (2015). http://latticechallenge.org/svp-challenge
  44. 44.
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2), 201–224 (1987)MATHMathSciNetCrossRefGoogle Scholar
  45. 45.
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2), 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  46. 46.
    Wang, X., Liu, M., Tian, C., Bi, J.: Improved nguyen-vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)Google Scholar
  47. 47.
    Zhang, F., Pan, Y., Hu, G.: A three-level sieve algorithm for the shortest vector problem. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 29–47. Springer, Heidelberg (2014) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of Mathematics and Computer ScienceEindhoven University of TechnologyEindhovenThe Netherlands

Personalised recommendations