Development of a Dual Version of DeepBKZ and Its Application to Solving the LWE Challenge

  • Masaya Yasuda
  • Junpei Yamaguchi
  • Michiko Ooka
  • Satoshi Nakamura
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10831)

Abstract

Lattice basis reduction is a strong tool in cryptanalysis. In 2017, DeepBKZ was proposed as a new variant of BKZ, and it calls LLL with deep insertions (DeepLLL) as a subroutine alternative to LLL. In this paper, we develop a dual version of DeepBKZ (which we call “Dual-DeepBKZ”), to reduce the dual basis of an input basis. For Dual-DeepBKZ, we develop a dual version of DeepLLL, and then combine it with the dual enumeration by Micciancio and Walter. It never computes the dual basis of an input basis, and it is as efficient as the primal DeepBKZ. We also demonstrate that Dual-DeepBKZ solves several instances in the TU Darmstadt LWE challenge. We use Dual-DeepBKZ in the bounded distance decoding (BDD) approach for solving an LWE instance. Our experiments show that Dual-DeepBKZ reduces the cost of Liu-Nguyen’s BDD enumeration more effectively than BKZ. For the LWE instance of \((n, \alpha ) = (40, 0.015)\) (resp., \((n, \alpha ) = (60, 0.005)\)), our results are about 2.2 times (resp., 4.0 times) faster than Xu et al.’s results, for which they used BKZ in the fplll library and the BDD enumeration with extreme pruning while we used linear pruning in our experiments.
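A standard fact about dual lattices shows why dual-side reduction can be driven from primal data alone: the Gram-Schmidt norms of the reversed dual basis are the reciprocals of the primal Gram-Schmidt norms, taken in reverse order. The Python check below is an added illustration, not code from the paper; the function names and the sample basis are constructed here.

```python
from fractions import Fraction

def gso_sq_norms(basis):
    """Squared norms ||b_i*||^2 of the Gram-Schmidt vectors of the rows."""
    ortho, norms = [], []
    for b in basis:
        v = [Fraction(x) for x in b]
        for u, nu in zip(ortho, norms):
            mu = sum(Fraction(x) * y for x, y in zip(b, u)) / nu
            v = [vi - mu * ui for vi, ui in zip(v, u)]
        ortho.append(v)
        norms.append(sum(x * x for x in v))
    return norms

def dual_basis(basis):
    """Rows d_i with <d_i, b_j> = delta_ij, i.e. D = (B^-1)^T (Gauss-Jordan)."""
    n = len(basis)
    aug = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(basis)]
    for c in range(n):
        p = next(r for r in range(c, n) if aug[r][c] != 0)  # pivot row
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [x / piv for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0:
                f = aug[r][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    inv = [row[n:] for row in aug]
    return [[inv[j][i] for j in range(n)] for i in range(n)]  # transpose

def reversed_dual_norms_explicit(basis):
    """Form the dual basis, reverse it, then run Gram-Schmidt on it."""
    return gso_sq_norms(dual_basis(basis)[::-1])

def reversed_dual_norms_from_primal(basis):
    """Same quantities read off the primal GSO; the dual is never formed."""
    return [1 / x for x in reversed(gso_sq_norms(basis))]

# Constructed sample: a small q-ary style basis (q = 17), not from the paper.
B = [[17, 0, 0], [0, 17, 0], [5, 11, 1]]

if __name__ == "__main__":
    print(reversed_dual_norms_explicit(B))
    print(reversed_dual_norms_from_primal(B))
```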

Keywords

  • Lattice basis reduction
  • Dual lattices
  • LLL with deep insertions
  • BKZ
  • LWE (Learning with Errors)

Notes

Acknowledgments

This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. This work was also supported by JSPS KAKENHI Grant Number 16H02830.

References

  1. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
  2. Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30. http://www2.nict.go.jp/security/pbkzcode/
  3. Bindel, N., Buchmann, J., Göpfert, F., Schmidt, M.: Estimation of the hardness of the learning with errors problem with a restricted number of samples, IACR ePrint 2017/140 https://eprint.iacr.org/2017/140 (2017)
  4. Blömer, J.: Closest vectors, successive minima, and dual HKZ-bases of lattices. In: Montanari, U., Rolim, J.D.P., Welzl, E. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 248–259. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45022-X_22
  5. Bremner, M.R.: Lattice Basis Reduction: An Introduction to the LLL Algorithm and Its Applications. CRC Press, Boca Raton (2011)
  6. Buchmann, J., Büscher, N., Göpfert, F., Katzenbeisser, S., Krämer, J., Micciancio, D., Siim, S., van Vredendaal, C., Walter, M.: Creating cryptographic challenges using multi-party computation: the LWE challenge. In: International Workshop on ASIA Public-Key Cryptography-ASIAPKC 2016, pp. 11–20. ACM (2016)
  7. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
  8. Cohen, H.: A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics, vol. 138. Springer, Heidelberg (1993). https://doi.org/10.1007/978-3-662-02945-9
  9. T. U. Darmstadt, Lattice Challenge. http://www.latticechallenge.org/svp-challenge/
  10. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Symposium on the Theory of Computing, STOC 2008, pp. 207–216. ACM (2008)
  11. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13
  12. Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25
  13. Koy, H.: Primal/duale segment-reduktion von Gitterbasen, Lecture Universität Frankfurt (2000)
  14. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
  15. Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_19
  16. Micciancio D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. Springer Science & Business Media, Heidelberg (2012). https://doi.org/10.1007/978-1-4615-0897-7
  17. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5
  18. Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_31
  19. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Symposium on the Theory of Computing, STOC 2005, pp. 84–93. ACM (2005)
  20. Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14
  21. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
  22. Shoup, V.: NTL: A Library for doing Number Theory. http://www.shoup.net/ntl/
  23. The FPLLL development team, fplll, a lattice reduction library (2016). https://github.com/fplll/fplll
  24. Wang, Y., Aono, Y., Takagi, T.: An experimental study of Kannan’s embedding technique for the search LWE problem. In: International Conference on Information and Communication Security, ICICS 2017 (2017, to appear)
  25. Xu, R., Yeo, S.L., Fukushima, K., Takagi, T., Seo, H., Kiyomoto, S., Henricksen, M.: An experimental study of the BDD approach for the search LWE problem. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 253–272. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_13
  26. Yamaguchi, J., Yasuda, M.: Explicit formula for Gram-Schmidt vectors in LLL with deep insertions and its applications. In: Kaczorowski, J., Pieprzyk, J., Pomykała, J. (eds.) NuTMiC 2017. LNCS, vol. 10737, pp. 142–160. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-76620-1_9

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Masaya Yasuda (1)
  • Junpei Yamaguchi (2)
  • Michiko Ooka (3)
  • Satoshi Nakamura (3)

  1. Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan
  2. Graduate School of Mathematics, Kyushu University, Fukuoka, Japan
  3. Faculty of Mathematics, Kyushu University, Fukuoka, Japan
