Extreme Enumeration on GPU and in Clouds

- How Many Dollars You Need to Break SVP Challenges -
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6917)


The complexity of the Shortest Vector Problem (SVP) in lattices is directly related to the security of NTRU and the provable level of security of many recently proposed lattice-based cryptosystems. We integrate several recent algorithmic improvements for solving SVP and take first place at dimension 120 in the SVP Challenge Hall of Fame. Our implementation allows us to find a short vector at dimension 114 using 8 NVIDIA video cards in less than two days.

Specifically, our improvements to the recent Extreme Pruning in enumeration approach, proposed by Gama et al. in Eurocrypt 2010, include: (1) a more flexible bounding function in polynomial form; (2) code to take advantage of Clouds of commodity PCs (via the MapReduce framework); and (3) the use of NVIDIA’s Graphics Processing Units (GPUs). We may now reasonably estimate the cost of a wide range of SVP instances in U.S. dollars, as rent paid to cloud-computing service providers, which is arguably a simpler and more practical measure of complexity.


Shortest Vector Problem GPU Cloud Computing Enumeration Extreme Pruning 


  1. [AKS01]
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC 2001, pp. 601–610. ACM, New York (2001)CrossRefGoogle Scholar
  2. [DG04]
    Dean, J., Ghemawat, S.: MapReduce: Simplified data processing on large clusters. In: OSDI 2004: Sixth Symposium on Operating System Design and Implementation, San Francisco, CA, USA (December 2004)Google Scholar
  3. [DHPS10]
    Detrey, J., Hanrot, G., Pujol, X., Stehlé, D.: Accelerating Lattice Reduction with FPGAs. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 124–143. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. [DS10]
    Dagdelen, Ö., Schneider, M.: Parallel Enumeration of Shortest Lattice Vectors. In: D’Ambra, P., Guarracino, M., Talia, D. (eds.) Euro-Par 2010. LNCS, vol. 6272, pp. 211–222. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. [FP83]
    Fincke, U., Pohst, M.: Michael Pohst. A procedure for determining algebraic integers of given norm. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, pp. 194–202. Springer, Heidelberg (1983)Google Scholar
  6. [GM03]
    Goldstein, D., Mayer, A.: On the equidistribution of Hecke points. Forum Mathematicum 15(2), 165–189 (2003)MathSciNetzbMATHCrossRefGoogle Scholar
  7. [GN08]
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. [GNR10]
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice Enumeration Using Extreme Pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  9. [GS10]
    Gama, N., Schneider, M.: SVP Challenge (2010),
  10. [HSB+10]
    Hermans, J., Schneider, M., Buchmann, J., Vercauteren, F., Preneel, B.: Parallel Shortest Lattice Vector Enumeration on Graphics Cards. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 52–68. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. [Kan83]
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC 1983, pp. 193–206. ACM, New York (1983)CrossRefGoogle Scholar
  12. [KH10]
    Kirk, D.B., Hwu, W.-m.: Programming Massively Parallel Processors: A Hands-on Approach, 1st edn. Morgan Kaufmann, San Francisco (2010)Google Scholar
  13. [KLPS11]
    Kleinjung, T., Lenstra, A.K., Page, D., Smart, N.P.: Using the cloud to determine key strengths. Cryptology ePrint Archive, Report 2011/254 (2011),
  14. [Len05]
    Lenstra, A.: Key lengths. In: Bidgoli, H. (ed.) Handbook of Information Security. Wiley, Chichester (2005)Google Scholar
  15. [LLL82]
    Lenstra, A., Lenstra, H., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 4, 515–534 (1982)CrossRefGoogle Scholar
  16. [MV10a]
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In: STOC, pp. 351–358. ACM, New York (2010)Google Scholar
  17. [MV10b]
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA 2010, pp. 1468–1480. ACM/SIAM (2010)Google Scholar
  18. [NV08]
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology 2(2) (2008)Google Scholar
  19. [PS08]
    Pujol, X., Stehlé, D.: Rigorous and Efficient Short Lattice Vectors Enumeration. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 390–405. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  20. [SE94]
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical Programming 66, 181–199 (1994)MathSciNetzbMATHCrossRefGoogle Scholar
  21. [SH95]
    Schnorr, C.-P., Hörner, H.H.: Attacking the chor-rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)Google Scholar
  22. [Sho]
    Shoup, V.: Number theory library (NTL) for C++, version 5.5.2,

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  1. 1.National Taiwan UniversityTaipeiTaiwan
  2. 2.Technische Universität DarmstadtGermany
  3. 3.Center for Advanced Security Research Darmstadt (CASED)Germany
  4. 4.Academia SinicaTaipeiTaiwan

Personalised recommendations