Shortest Vector from Lattice Sieving: A Few Dimensions for Free

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)

Abstract

Asymptotically, the best known algorithms for solving the Shortest Vector Problem (SVP) in a lattice of dimension n are sieve algorithms, which have heuristic complexity estimates ranging from \((4/3)^{n+o(n)}\) down to \((3/2)^{n/2 +o(n)}\) when Locality Sensitive Hashing techniques are used. In practice, however, sieve algorithms are outperformed by pruned enumeration algorithms by several orders of magnitude, despite the larger super-exponential asymptotic complexity \(2^{\varTheta (n \log n)}\) of the latter.

In this work, we show a concrete improvement of sieve-type algorithms. Precisely, we show that a few calls to the sieve algorithm in lattices of dimension less than \(n-d\) solve SVP in dimension n, where \(d = \varTheta (n/\log n)\).

Although our improvement is only sub-exponential, its practical effect in relevant dimensions is quite significant. We implemented it over a simple sieve algorithm with \((4/3)^{n+o(n)}\) complexity, and it outperforms the best sieve algorithms from the literature by a factor of 10 in dimensions 70–80. It performs less than an order of magnitude slower than pruned enumeration in the same range.

By design, this improvement can also be applied to most other variants of sieve algorithms, including LSH sieve algorithms and tuple-sieve algorithms. In this light, we may expect sieve-techniques to outperform pruned enumeration in practice in the near future.
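To make the "sieve in dimension n-d, then recover a dimension-n solution" structure concrete, the following toy is an added example, not the paper's implementation: the sub-sieve is stood in for by exhaustive enumeration of a projected sublattice pi_d(L), and each short projected vector is lifted back to L with Babai's nearest-plane step over the d dropped basis vectors (the lifting method the paper's Nearest-Plane keyword refers to). The basis TOY_BASIS is constructed; the parameters radius and keep are assumptions of this toy.

```python
from itertools import product

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """Gram-Schmidt vectors b*_0..b*_{n-1} of the integer basis rows B (floats)."""
    Bs = []
    for b in B:
        bs = [float(x) for x in b]
        for prev in Bs:
            m = dot(bs, prev) / dot(prev, prev)
            bs = [x - m * y for x, y in zip(bs, prev)]
        Bs.append(bs)
    return Bs

def project(v, Bs, d):
    """pi_d(v): the part of v orthogonal to b*_0, ..., b*_{d-1}."""
    w = [float(x) for x in v]
    for j in range(d):
        m = dot(w, Bs[j]) / dot(Bs[j], Bs[j])
        w = [x - m * y for x, y in zip(w, Bs[j])]
    return w

def combine(B, coef):
    return [sum(c * b[k] for c, b in zip(coef, B)) for k in range(len(B[0]))]

def sieve_then_lift(B, d, radius=2, keep=4):
    """Short vectors of pi_d(L) (exhaustive enumeration stands in for the sieve),
    each lifted to L by nearest-plane over b_{d-1}, ..., b_0; returns (norm^2, v)."""
    n, Bs = len(B), gram_schmidt(B)
    cands = []
    for x in product(range(-radius, radius + 1), repeat=n - d):
        if any(x):
            w = project(combine(B[d:], x), Bs, d)
            cands.append((dot(w, w), x))
    cands.sort()
    best = None
    for _, x in cands[:keep]:
        coef = [0] * d + list(x)        # one preimage of the projected vector
        for j in range(d - 1, -1, -1):  # nearest-plane: shrink the b*_j component
            v = combine(B, coef)
            coef[j] -= round(dot(v, Bs[j]) / dot(Bs[j], Bs[j]))
        v = combine(B, coef)
        if best is None or dot(v, v) < best[0]:
            best = (dot(v, v), v)
    return best

# Constructed toy basis (rows); its shortest vector b1 - b0 = (-2, 5, 0) is not a basis vector.
TOY_BASIS = [[6, 0, 0], [4, 5, 0], [1, 2, 7]]
```

With d=1 the lift recovers the shortest vector (squared norm 29), while with d=2 on this basis a single call returns only a vector of squared norm 54, which is why the abstract speaks of a few calls rather than one.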

Keywords

Cryptanalysis, Lattice Sieving, Nearest-Plane

Notes

Acknowledgments

The author wishes to thank Koen de Boer, Gottfried Herold, Pierre Karman, Elena Kirshanova, Thijs Laarhoven, Marc Stevens and Eamonn Postlethwaite for enlightening conversations on this topic. The author is also extremely grateful to Martin Albrecht and the FPLLL development team for their thorough work on the fplll and fpylll libraries. This work was supported by a Veni Innovational Research Grant from NWO under project number 639.021.645.


Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Cryptology Group, CWI, Amsterdam, The Netherlands