Progressive Lattice Sieving

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)

Abstract

Most algorithms for hard lattice problems are based on the principle of rank reduction: to solve a problem in a d-dimensional lattice, one first solves one or more problem instances in a sublattice of rank \(d - 1\), and then uses this information to find a solution to the original problem. Existing lattice sieving methods, however, tackle lattice problems such as the shortest vector problem (SVP) directly, and work with the full-rank lattice from the start. Lattice sieving also appears to benefit less than other methods from starting with a reduced basis, and finding an approximate solution takes almost as long as finding an exact solution. These properties currently set sieving apart from other methods.

In this work we consider a progressive approach to lattice sieving, where we gradually introduce new basis vectors only when the sieve has stabilized on the previous basis vectors. This leads to improved (heuristic) guarantees on finding approximate shortest vectors, a bigger practical impact of the quality of the basis on the run-time, better memory management, a smoother and more predictable behavior of the algorithm, and significantly faster convergence: compared to traditional approaches, we save a factor of between 20 and 40 in the time complexity for SVP.
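The rank-reduction idea and the progressive schedule described in the abstract, as an added example that is not the authors' code: a toy GaussSieve (pairwise reduction in the style of [MV10b]) that starts on the sublattice spanned by the first basis vector and introduces the next basis vector only after the sieve has stabilized on the current ones, while keeping the list of reduced vectors across stages. Everything below is an assumption of this example rather than the paper's method: stabilization is measured by a fixed number of collisions per stage, sampling is a random small-coefficient combination of the basis vectors in play instead of Klein's sampler, and the test lattice is Z^6 hidden behind a scrambled unimodular basis so that \(\lambda_1 = 1\) is known and the printed norm can be checked by eye. All function names are hypothetical.

```python
"""Toy progressive GaussSieve over Z^n (added example, not the paper's code)."""
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def norm2(v):
    return dot(v, v)


def axpy(c, u, v):
    """Return c*u + v in exact integer arithmetic."""
    return [c * a + b for a, b in zip(u, v)]


def reduce_against(v, L):
    """Gauss-reduce v by the list until no w in L shortens it.
    w shortens v iff 2*|<v,w>| > |w|^2; then v -= sign(<v,w>) * w."""
    changed = True
    while changed and any(v):
        changed = False
        for w in L:
            ip = dot(v, w)
            if 2 * abs(ip) > norm2(w):
                v = axpy(-1 if ip > 0 else 1, w, v)
                changed = True
    return v


def sieve_step(v, L, stack):
    """Insert v into the pairwise-reduced list L.  Returns True on a
    collision (v reduced to zero).  List vectors that v would shorten are
    moved to the stack for re-reduction, so L stays pairwise reduced."""
    v = reduce_against(v, L)
    if not any(v):
        return True
    keep = []
    for w in L:
        if 2 * abs(dot(v, w)) > norm2(v):
            stack.append(w)
        else:
            keep.append(w)
    L[:] = keep
    L.append(v)
    return False


def sample(sub_basis, rng):
    """Random small combination of the basis vectors currently in play.
    Assumption of this toy; a real sieve uses Klein's sampler on a reduced basis."""
    n = len(sub_basis[0])
    v = [0] * n
    while not any(v):
        v = [0] * n
        for b in sub_basis:
            v = axpy(rng.randint(-2, 2), b, v)
    return v


def progressive_gauss_sieve(basis, rng, collisions_per_stage=30, max_samples=2000):
    """Sieve on span(b_1..b_k) for k = 1..d, keeping the list across stages.
    A stage ends once it has seen `collisions_per_stage` collisions (the
    stabilization criterion assumed here) and the stack is empty."""
    L, stack, stages = [], [], []
    for k in range(1, len(basis) + 1):
        sub = basis[:k]
        stack.append(list(sub[-1]))  # newly introduced basis vector enters the sieve
        collisions = samples = 0
        while True:
            if stack:
                v = stack.pop()
            else:
                v = sample(sub, rng)
                samples += 1
            if sieve_step(v, L, stack):
                collisions += 1
            if not stack and (collisions >= collisions_per_stage or samples >= max_samples):
                break
        stages.append((k, len(L), samples, min(norm2(w) for w in L)))
    return min(L, key=norm2), L, stages


def scrambled_zn_basis(n, rng, steps=30):
    """Z^n with a hidden basis: random unimodular row operations on I_n,
    so lambda_1 = 1 is known (constructed test lattice)."""
    B = [[int(i == j) for j in range(n)] for i in range(n)]
    for _ in range(steps):
        i, j = rng.sample(range(n), 2)
        B[i] = axpy(rng.randint(-2, 2), B[j], B[i])
    return B


def is_pairwise_reduced(L):
    """Invariant the sieve maintains: no list vector shortens another."""
    return all(2 * abs(dot(v, w)) <= min(norm2(v), norm2(w))
               for i, v in enumerate(L) for w in L[i + 1:])


def run_demo(seed=2018, n=6):
    rng = random.Random(seed)
    basis = scrambled_zn_basis(n, rng)
    best, L, stages = progressive_gauss_sieve(basis, rng)
    return basis, best, L, stages


if __name__ == "__main__":
    basis, best, L, stages = run_demo()
    for k, size, samples, mn in stages:
        print(f"rank {k}: list size {size}, samples {samples}, min |v|^2 {mn}")
    print("shortest found:", best, "|v|^2 =", norm2(best))
```

The per-stage minimum norm printed by the demo can never increase from one stage to the next, because list vectors only ever leave the list to be re-reduced (strictly shorter) or because they equal a vector already in it; this monotone behaviour is what the progressive schedule buys, and the stage statistics show how the list carried over from rank \(k\) seeds the work at rank \(k + 1\).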

Keywords

Lattice-based cryptography · Lattice sieving · Shortest vector problem (SVP) · Nearest neighbor searching

Notes

Acknowledgments

The authors thank Léo Ducas for discussions and comments on this topic, and for sharing an early draft of [Duc18]. The first author is supported by the ERC consolidator grant 617951. The second author was partially supported by Fundação para a Ciência e a Tecnologia (FCT) and Instituto de Telecomunicações under grant UID/EEA/50008/2013.

References

  1. [ADPS16]
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX Security Symposium, pp. 327–343 (2016)
  2. [AKS01]
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)
  3. [AN17]
    Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_3
  4. [BDGL16]
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: SODA, pp. 10–24 (2016)
  5. [BDK+18]
    Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: EuroS&P (2018)
  6. [BGJ14]
    Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. In: ANTS, pp. 49–70 (2014)
  7. [BGJ15]
    Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522, pp. 1–14 (2015)
  8. [BL16]
    Becker, A., Laarhoven, T.: Efficient (ideal) lattice sieving using cross-polytope LSH. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 3–23. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_1
  9. [BLS16]
    Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. In: ANTS, pp. 146–162 (2016)
  10. [BNvdP16]
    Bos, J.W., Naehrig, M., van de Pol, J.: Sieving for shortest vectors in ideal lattices: a practical perspective. Int. J. Appl. Cryptogr. 3, 1–23 (2016)
  11. [CN11]
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
  12. [DLL+18]
    Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Dilithium: digital signatures from module lattices. In: CHES (2018)
  13. [Duc18]
    Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: EUROCRYPT (2018)
  14. [FBB+14]
    Fitzpatrick, R., Bischof, C., Buchmann, J., Dagdelen, Ö., Göpfert, F., Mariano, A., Yang, B.-Y.: Tuning GaussSieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_16
  15. [FP85]
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)
  16. [fplll18]
    The FPLLL Development Team: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
  17. [GNR10]
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13
  18. [HK17]
    Herold, G., Kirshanova, E.: Improved algorithms for the approximate k-list problem in Euclidean norm. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 16–40. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_2
  19. [HKL18]
    Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time-memory trade-offs for tuple lattice sieving. In: PKC (2018)
  20. [HPS11]
    Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the shortest and closest lattice vector problems. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20901-7_10
  21. [IKMT14]
    Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel Gauss Sieve algorithm: solving the SVP challenge over a 128-dimensional ideal lattice. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 411–428. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_24
  22. [Kan83]
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)
  23. [Kle00]
    Klein, P.: Finding the closest lattice vector when it's unusually close. In: SODA, pp. 937–941 (2000)
  24. [Laa15]
    Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1
  25. [Laa16]
    Laarhoven, T.: Finding closest lattice vectors using approximate Voronoi cells. Cryptology ePrint Archive, Report 2016/888 (2016)
  26. [LdW15]
    Laarhoven, T., de Weger, B.: Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 101–118. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_6
  27. [MB16]
    Mariano, A., Bischof, C.: Enhancing the scalability and memory usage of HashSieve on multi-core CPUs. In: PDP, pp. 545–552 (2016)
  28. [MLB15]
    Mariano, A., Laarhoven, T., Bischof, C.: Parallel (probable) lock-free HashSieve: a practical sieving algorithm for the SVP. In: ICPP, pp. 590–599 (2015)
  29. [MLB17]
    Mariano, A., Laarhoven, T., Bischof, C.: A parallel variant of LDSieve for the SVP on lattices. In: PDP (2017)
  30. [MLC+17]
    Mariano, A., Laarhoven, T., Correia, F., Rodrigues, M., Falcao, G.: A practical view of the state-of-the-art of lattice-based cryptanalysis. IEEE Access 5, 24184–24202 (2017)
  31. [MODB14]
    Mariano, A., Dagdelen, Ö., Bischof, C.: A comprehensive empirical comparison of parallel ListSieve and GaussSieve. In: Lopes, L., et al. (eds.) Euro-Par 2014. LNCS, vol. 8805, pp. 48–59. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-14325-5_5
  32. [MS11]
    Milde, B., Schneider, M.: A parallel implementation of GaussSieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23178-0_40
  33. [MTB14]
    Mariano, A., Timnat, S., Bischof, C.: Lock-free Gauss-Sieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD, pp. 278–285 (2014)
  34. [MV10a]
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010)
  35. [MV10b]
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)
  36. [NV08]
    Nguyên, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)
  37. [Sch87]
    Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci. 53(2–3), 201–224 (1987)
  38. [Sch11]
    Schneider, M.: Analysis of Gauss-Sieve for solving the shortest vector problem in lattices. In: Katoh, N., Kumar, A. (eds.) WALCOM 2011. LNCS, vol. 6552, pp. 89–97. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19094-0_11
  39. [Sch13]
    Schneider, M.: Sieving for shortest vectors in ideal lattices. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 375–391. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_22
  40. [SE94]
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2–3), 181–199 (1994)
  41. [SFS09]
    Sommer, N., Feder, M., Shalvi, O.: Finding the closest lattice point by iterative slicing. SIAM J. Discret. Math. 23(2), 715–731 (2009)
  42. [SVP18]
  43. [WLTB11]
    Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)
  44. [YKYC17]
    Yang, S.-Y., Kuo, P.-C., Yang, B.-Y., Cheng, C.-M.: Gauss Sieve algorithm on GPUs. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 39–57. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_3
  45. [ZPH13]
    Zhang, F., Pan, Y., Hu, G.: A three-level sieve algorithm for the shortest vector problem. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 29–47. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_2

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Eindhoven University of Technology, Eindhoven, The Netherlands
  2. University of Coimbra, Coimbra, Portugal
