Skip to main content

BKZ 2.0: Better Lattice Security Estimates

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7073)

Abstract

The best lattice reduction algorithm known in practice for high dimension is Schnorr-Euchner’s BKZ: all security estimates of lattice cryptosystems are based on NTL’s old implementation of BKZ. However, recent progress on lattice enumeration suggests that BKZ and its NTL implementation are no longer optimal, but the precise impact on security estimates was unclear. We assess this impact thanks to extensive experiments with BKZ 2.0, the first state-of-the-art implementation of BKZ incorporating recent improvements, such as Gama-Nguyen-Regev pruning. We propose an efficient simulation algorithm to model the behaviour of BKZ in high dimension with high blocksize ≥ 50, which can predict approximately both the output quality and the running time, thereby revising lattice security estimates. For instance, our simulation suggests that the smallest NTRUSign parameter set, which was claimed to provide at least 93-bit security against key-recovery lattice attacks, actually offers at most 65-bit security.

Keywords

  • Clock Cycle
  • Simulation Algorithm
  • Lattice Reduction
  • Local Block
  • Random Lattice

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. Ajtai, M.: Generating random lattices according to the invariant distribution (draft of March 2006)

    Google Scholar 

  2. Ajtai, M.: Generating hard instances of lattice problems. In: Proc. STOC 1996, pp. 99–108. ACM (1996)

    Google Scholar 

  3. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proc. 33rd STOC 2001, pp. 601–610. ACM (2001)

    Google Scholar 

  4. Cadé, D., Pujol, X., Stehlé, D.: FPLLL library, version 3.0 (September 2008)

    Google Scholar 

  5. Devroye, L.: Non-uniform random variate generation (1986), http://cg.scs.carleton.ca/~luc/rnbookindex.html

  6. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Mathematics of Computation 44(170), 463–471 (1985)

    CrossRef  MATH  MathSciNet  Google Scholar 

  7. Gama, N., Howgrave-Graham, N., Koy, H., Nguyên, P.Q.: Rankin’s Constant and Blockwise Lattice Reduction. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 112–130. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  8. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proc. STOC 2008. ACM (2008)

    Google Scholar 

  9. Gama, N., Nguyen, P.Q.: Predicting Lattice Reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  10. Gama, N., Nguyen, P.Q., Regev, O.: Lattice Enumeration Using Extreme Pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)

    CrossRef  Google Scholar 

  11. Gentry, C., Halevi, S.: Public challenges for fully-homomorphic encryption (2010), http://researcher.ibm.com/researcher/view_project.php?id=1548

  12. Goldreich, O., Goldwasser, S., Halevi, S.: Challenges for the GGH cryptosystem (1997), http://theory.lcs.mit.edu/~shaih/challenge.html

  13. Goldstein, D., Mayer, A.: On the equidistribution of Hecke points. Forum Math. 15(2), 165–189 (2003)

    CrossRef  MATH  MathSciNet  Google Scholar 

  14. Hanrot, G., Pujol, X., Stehlé, D.: Analyzing Blockwise Lattice Algorithms Using Dynamical Systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  15. Hanrot, G., Stehlé, D.: Improved Analysis of Kannan’s Shortest Lattice Vector Algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007)

    CrossRef  Google Scholar 

  16. Hirschhorn, P.S., Hoffstein, J., Howgrave-Graham, N., Whyte, W.: Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 437–455. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  17. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Whyte, W.: Practical lattice-based cryptography: NTRUEncrypt and NTRUSign. In: [35] (2010)

    Google Scholar 

  18. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A Ring-Based Public Key Cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)

    CrossRef  Google Scholar 

  19. Hoffstein, J., Silverman, J.H., Whyte, W.: Estimated breaking times for ntru lattices. Technical report, NTRU Cryptosystems, Report #012, v2 (October 2003)

    Google Scholar 

  20. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC 1983, pp. 193–206. ACM (1983)

    Google Scholar 

  21. Lee, M.S., Hahn, S.G.: Cryptanalysis of the GGH cryptosystem. Mathematics in Computer Science 3, 201–208 (2010)

    CrossRef  MATH  MathSciNet  Google Scholar 

  22. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513–534 (1982)

    Google Scholar 

  23. Lindner, R., Peikert, C.: Better key sizes (and attacks) for lwe-based encryption. Cryptology ePrint Archive, Report 2010/613, Full version of the CT-RSA 2011

    Google Scholar 

  24. Lindner, R., Rückert, M.: TU Darmstadt lattice challenge, http://www.latticechallenge.org/

  25. May, A.: Cryptanalysis of NTRU–107. Draft of 1999, available on May’s webpage (1999)

    Google Scholar 

  26. May, A., Silverman, J.H.: Dimension Reduction Methods for Convolution Modular Lattices. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 110–125. Springer, Heidelberg (2001)

    CrossRef  Google Scholar 

  27. Mazo, J.E., Odlyzko, A.M.: Lattice points in high dimensional spheres. Monatsheft Mathematik 17, 47–61 (1990)

    CrossRef  MathSciNet  Google Scholar 

  28. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Post-Quantum Cryptography, pp. 147–191. Springer, Berlin (2009)

    CrossRef  Google Scholar 

  29. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC 2010. ACM (2010)

    Google Scholar 

  30. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA 2010, pp. 1468–1480. ACM-SIAM (2010)

    Google Scholar 

  31. Nguyên, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto’97. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)

    Google Scholar 

  32. Nguyen, P.Q.: Public-key cryptanalysis. In: Luengo, I. (ed.) Recent Trends in Cryptography. Contemporary Mathematics, vol. 477. AMS–RSME (2009)

    Google Scholar 

  33. Nguyen, P.Q.: Hermite’s constant and lattice algorithms. In: [35] (2010)

    Google Scholar 

  34. Nguyên, P.Q., Stehlé, D.: LLL on the Average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  35. Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010)

    Google Scholar 

  36. Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology 2(2), 181–207 (2008)

    CrossRef  MATH  MathSciNet  Google Scholar 

  37. Novocin, A., Stehlé, D., Villard, G.: An LLL-reduction algorithm with quasi-linear time complexity. In: Proc. STOC 2011. ACM (2011)

    Google Scholar 

  38. Pohst, M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. SIGSAM Bull. 15(1), 37–44 (1981)

    CrossRef  MATH  MathSciNet  Google Scholar 

  39. Rückert, M., Schneider, M.: Estimating the security of lattice-based cryptosystems. Cryptology ePrint Archive, Report 2010/137 (2010)

    Google Scholar 

  40. Schneider, M., Gama, N.: SVP challenge, http://www.latticechallenge.org/svp-challenge/

  41. Schnorr, C.-P.: A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science 53(2-3), 201–224 (1987)

    CrossRef  MATH  MathSciNet  Google Scholar 

  42. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming 66, 181–199 (1994)

    CrossRef  MATH  MathSciNet  Google Scholar 

  43. Schnorr, C.-P., Hörner, H.H.: Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995)

    Google Scholar 

  44. Shoup, V.: Number Theory C++ Library (NTL) version 5.4.1, http://www.shoup.net/ntl/

  45. Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: Cryptology ePrint Archive, Report 2010/647 (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2011 International Association for Cryptologic Research

About this paper

Cite this paper

Chen, Y., Nguyen, P.Q. (2011). BKZ 2.0: Better Lattice Security Estimates. In: Lee, D.H., Wang, X. (eds) Advances in Cryptology – ASIACRYPT 2011. ASIACRYPT 2011. Lecture Notes in Computer Science, vol 7073. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25385-0_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-25385-0_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25384-3

  • Online ISBN: 978-3-642-25385-0

  • eBook Packages: Computer ScienceComputer Science (R0)