Hostname: page-component-586b7cd67f-dlnhk Total loading time: 0 Render date: 2024-11-24T11:16:23.141Z Has data issue: false hasContentIssue false

A sieve algorithm based on overlattices

Published online by Cambridge University Press:  01 August 2014

Anja Becker
Affiliation:
EPFL, École Polytechnique Fédérale de Lausanne, Laboratory for Cryptologic Algorithms (LACAL), Switzerland email [email protected]
Nicolas Gama
Affiliation:
UVSQ/PRISM, Université de Versailles, France email [email protected]
Antoine Joux
Affiliation:
CryptoExperts, INRIA/Ouragan, Chaire de Cryptologie de la Fondation de l’UPMC, Sorbonne Universités, UPMC Univ Paris 06, CNRS UMR 7606, LIP 6, France email [email protected]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

In this paper, we present a heuristic algorithm for solving exact, as well as approximate, shortest vector and closest vector problems on lattices. The algorithm can be seen as a modified sieving algorithm for which the vectors of the intermediate sets lie in overlattices or translated cosets of overlattices. The key idea is hence no longer to work with a single lattice but to move the problems around in a tower of related lattices. We initiate the algorithm by sampling very short vectors in an overlattice of the original lattice that admits a quasi-orthonormal basis and hence an efficient enumeration of vectors of bounded norm. Taking sums of vectors in the sample, we construct short vectors in the next lattice. Finally, we obtain solution vector(s) in the initial lattice as a sum of vectors of an overlattice. The complexity analysis relies on the Gaussian heuristic. This heuristic is backed by experiments in low and high dimensions that closely reflect these estimates when solving hard lattice problems in the average case.

This new approach allows us to solve not only shortest vector problems, but also closest vector problems, in lattices of dimension $\def \xmlpi #1{}\def \mathsfbi #1{\boldsymbol {\mathsf {#1}}}\let \le =\leqslant \let \leq =\leqslant \let \ge =\geqslant \let \geq =\geqslant \def \Pr {\mathit {Pr}}\def \Fr {\mathit {Fr}}\def \Rey {\mathit {Re}}n$ in time $2^{0.3774\, n}$ using memory $2^{0.2925\, n}$. Moreover, the algorithm is straightforward to parallelize on most computer architectures.

Type
Research Article
Copyright
© The Author(s) 2014 

References

Ajtai, M., ‘The shortest vector problem in ${L}_2$ is NP-hard for randomized reductions (extended abstract)’, Proceedings of the 30th Annual ACM Symposium on Theory of Computing, STOC ’98 (ACM Press, 1998) 10–19.CrossRefGoogle Scholar
Ajtai, M., ‘Random lattices and a conjectured 0–1 law about their polynomial time computable properties’, Proceedings of the 43rd Symposium on Foundations of Computer Science, FOCS ’02 (IEEE Computer Society, 2002) 733–742.Google Scholar
Ajtai, M., Kumar, R. and Sivakumar, D., ‘A sieve algorithm for the shortest lattice vector problem’, Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, STOC ’01 (ACM Press, 2001) 601–610.Google Scholar
Becker, A., Coron, J.-S. and Joux, A., ‘Improved generic algorithms for hard knapsacks’, Advances in cryptology — EUROCRYPT 2011, Lecture Notes in Computer Science 6632 (ed. Paterson, K. G.; Springer, 2011) 364385.CrossRefGoogle Scholar
Becker, A., Joux, A., May, A. and Meurer, A., ‘Decoding random binary linear codes in 2n∕20: how 1 + 1 = 0 improves information set decoding’, Advances in cryptology — EUROCRYPT 2012, Lecture Notes in Computer Science 7237 (ed. Pointcheval, T. J. D.; Springer, 2012) 520536.CrossRefGoogle Scholar
Boguslavsky, M. I., ‘Radon transforms and packings’, Discrete Appl. Math. 111 (2001) no. 1–2, 322.CrossRefGoogle Scholar
Cadé, X., Pujol , D. and Stehlé, D., fplll 4.0.4, May 2013.Google Scholar
Coppersmith, D., ‘Finding a small root of a bivariate integer equation; factoring with high bits known’, Advances in cryptology — EUROCRYPT 1996, Lecture Notes in Computer Science 1070 (ed. Maurer, U.; Springer, 1996) 178189.Google Scholar
Coppersmith, D., ‘Finding a small root of a univariate modular equation’, Advances in cryptology — EUROCRYPT 1996, Lecture Notes in Computer Science 1070 (ed. Darnell, M.; Springer, 1996) 155165.Google Scholar
Dinur, I., Kindler, G. and Safra, S., ‘Approximating-CVP to within almost-polynomial factors is NP-hard’, Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS ’98 (IEEE Computer Society, 1998) 99.Google Scholar
T. G. et al., ‘GNU multiple precision arithmetic library 5.1.3’, September 2013, https://gmplib.org/.Google Scholar
Fukase, M. and Yamaguchi, K., ‘Finding a very short lattice vector in the extended search space’, J. Information Processing 20 (2012) no. 3, 785795.CrossRefGoogle Scholar
Gama, N., Howgrave-Graham, N., Koy, H. and Nguyen, P. Q., ‘Rankin’s constant and blockwise lattice reduction’, Advances in cryptology – CRYPTO 2006, Lecture Notes in Computer Science 4117 (Springer, 2006) 112130.Google Scholar
Gama, N., Izabachene, M., Nguyen, P. Q. and Xie, X., ‘Structural lattice reduction: generalized worst-case to average-case reductions’, Cryptology ePrint Archive, Report 2014/283, 2014.Google Scholar
Gama, N., Nguyen, P. Q. and Regev, O., ‘Lattice enumeration using extreme pruning’, Advances in cryptology — EUROCRYPT 2010, Lecture Notes in Computer Science 6110 (Springer, 2010) 257278.Google Scholar
Gama, N., van de Pol, J. and Schanck, J. M., ‘Fork of V. Shoup’s number theory library NTL, with improved lattice functionalities’, February 2013, http://www.prism.uvsq.fr/∼gama/newntl.html.Google Scholar
Hanrot, G., Pujol, X. and Stehlé, D., ‘Analyzing blockwise lattice algorithms using dynamical systems’, Advances in cryptology — CRYPTO 2011, Lecture Notes in Computer Science 6841 (Springer, 2011) 447464.Google Scholar
Hanrot, G. and Stehlé, D., ‘Improved analysis of Kannan’s shortest lattice vector algorithm (extended abstract)’, Advances in cryptology — CRYPTO 2007, Lecture Notes in Computer Science 4622 (Springer, 2007) 170186.CrossRefGoogle Scholar
Ishiguro, T., Kiyomoto, S., Miyake, Y. and Takagi, T., ‘Parallel Gauss sieve algorithm: solving the SVP in the ideal lattice of 128-dimensions’, Cryptology ePrint Archive, Report 2013/388, 2013.CrossRefGoogle Scholar
Joux, A. and Stern, J., ‘Lattice reduction: a toolbox for the cryptanalyst’, J. Cryptology 11 (1998) no. 3, 161185.CrossRefGoogle Scholar
Kannan, R., ‘Improved algorithms for integer programming and related lattice problems’, Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC ’83 (ACM Press, 1983) 193206.CrossRefGoogle Scholar
Karp, R. M., ‘Reducibility among combinatorial problems’, Complexity of computer computations, IBM Research Symposia Series (eds Miller, R. E. and Thatcher, J. W.; Plenum Press, New York, 1972) 85103.CrossRefGoogle Scholar
Korkine, A. and Zolotarev, G., ‘Sur les formes quadratiques’, Math. Ann. 6 (1973) 336389.Google Scholar
Lenstra, A. K., Lenstra, H. W. and Lovász, L., ‘Factoring polynomials with rational coefficients’, Math. Ann. 261 (1982) 515534.CrossRefGoogle Scholar
May, A., Meurer, A. and Thomae, E., ‘Decoding random linear codes in 20. 054 n’, Advances in cryptology — ASIACRYPT 2011, Lecture Notes in Computer Science 7073 (Springer, 2011) 107124.CrossRefGoogle Scholar
Micciancio, D., ‘The shortest vector in a lattice is hard to approximate to within some constant’, Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS ’98 (IEEE Computer Society, 1998) 92.Google Scholar
Micciancio, D. and Voulgaris, P., ‘A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations’, Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC ’10 (ACM Press, 2010) 351358.Google Scholar
Micciancio, D. and Voulgaris, P., ‘Faster exponential time algorithms for the shortest vector problem’, Proceedings of the Twenty-first Annual ACM–SIAM Symposium on Discrete Algorithms, SODA ’10 (ACM/SIAM, 2010) 14681480.Google Scholar
Milde, B. and Schneider, M., ‘A parallel implementation of gausssieve for the shortest vector problem in lattices’, Parallel computing technologies, Lecture Notes in Computer Science 6873 (Springer, 2011) 452458.CrossRefGoogle Scholar
Mordell, L. J., ‘On some arithmetical results in the geometry of numbers’, Compos. Math. 1 (1935) 248253.Google Scholar
Nguyen, P. Q. and Vidick, T., ‘Sieve algorithms for the shortest vector problem are practical’, J. Math. Cryptol. 2 (2008) no. 2, 181207.CrossRefGoogle Scholar
‘OpenMP Architecture Review Board, OpenMP API version 4.0’, 2013.Google Scholar
Pujol, X. and Stehlé, D., ‘Solving the shortest lattice vector problem in time $2^{2.465n}$’, IACR Cryptology ePrint Archive 2009/605, 2009.Google Scholar
Rankin, R., ‘On positive definite quadratic forms’, J. Lond. Math. Soc. 28 (1953) 309314.CrossRefGoogle Scholar
Schneider, M., Gama, N., Baumann, P. and Nobach, P., http://www.latticechallenge.org/svp-challenge/halloffame.php.Google Scholar
Schnorr, K.-P. and Euchner, M., ‘Lattice basis reduction: improved practical algorithms and solving subset sum problems’, Math. Program. 66 (1994) 181199.CrossRefGoogle Scholar
Thunder, J. L., ‘Higher-dimensional analogs of Hermite’s constant’, Michigan Math. J. 45 (1998) no. 2, 301314.CrossRefGoogle Scholar
Wang, X., Liu, M., Tian, C. and Bi, J., ‘Improved Nguyen–Vidick heuristic sieve algorithm for shortest vector problem’, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’11 (ACM Press, 2011) 19.Google Scholar
Zhang, F., Pan, Y. and Hu, G., ‘A three-level sieve algorithm for the shortest vector problem’, Selected areas in cryptography — SAC 2013, Lecture Notes in Computer Science 8282 (eds Lange, T., Lauter, K. and Lisonek, P.; Springer, 2014).Google Scholar