analysis of bkz
play

Analysis of BKZ Guillaume Hanrot, Xavier Pujol, Damien Stehl e - PowerPoint PPT Presentation

Aug 30, 2022 •517 likes •1.44k views

Analysis of BKZ Guillaume Hanrot, Xavier Pujol, Damien Stehl e ENSL, LIP, CNRS, INRIA, Universit e de Lyon, UCBL May 5, 2011 Analysis of BKZ 1/32 b b b b b b b b b b b b b b b b b Lattices a 1 a 2 (SVP) Analysis of BKZ

  1. Analysis of BKZ Guillaume Hanrot, Xavier Pujol, Damien Stehl´ e ENSL, LIP, CNRS, INRIA, Universit´ e de Lyon, UCBL May 5, 2011 Analysis of BKZ 1/32

  2. b b b b b b b b b b b b b b b b b Lattices a 1 a 2 (SVP) Analysis of BKZ 2/32

  3. b b b b b b b b b b b b b b b b b Lattices b 1 (SVP)Shortest vector problem (SVP)(SVP) Analysis of BKZ 2/32

  4. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 (SVP)Lattice reduction(SVP) Analysis of BKZ 2/32

  5. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 (SVP)Determinant(SVP) Analysis of BKZ 2/32

  6. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor: � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analysis of BKZ 2/32

  7. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor: � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analysis of BKZ 2/32

  8. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor: � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analysis of BKZ 2/32

  9. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  10. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  11. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  12. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  13. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  14. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  15. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  16. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  17. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  18. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  19. Slide-reduction: Outputs a basis whose theoretical quality is equivalent to BKZ. Polynomial number of calls to a SVP oracle. Not as efficient as BKZ in practice. Analysis of BKZ 5/32

  20. Progress made during the execution of BKZ Quality of BKZ output 1.021 BKZ BKZ’ 1.02 1.019 1.018 Hermite factor 1.017 1.016 1.015 1.014 1.013 1.012 0 20 40 60 80 100 Number of tours Experience on 64 LLL-reduced knapsack-like matrices ( n = 108 , β = 24). Analysis of BKZ 6/32

  21. Progress made during the execution of BKZ Quality of BKZ output 1.021 BKZ BKZ’ 1.02 1.019 1.018 Hermite factor 1.017 1.016 1.015 1.014 1.013 1.012 0 200 400 600 800 1000 1200 Number of tours Experience on 64 LLL-reduced knapsack-like matrices ( n = 108 , β = 24). Analysis of BKZ 6/32

  22. Our result γ β = Hermite constant ≤ β . L a lattice with basis ( b 1 , . . . , b n ). Theorem � n 3 � �� � b i � log n After O ǫ + log log max calls to HKZ β , β 2 (det L ) 1 / n BKZ β returns a basis C of L such that: 2( β − 1) + 3 n − 1 HF ( C ) ≤ (1 + ǫ ) γ β 2 Analysis of BKZ 7/32

  23. Reminders on lattice reduction 1 Analysis of BKZ in the sandpile model 2 Analysis of BKZ 3 Applications to LLL 4 Conclusion 5 Analysis of BKZ 8/32

  24. Reminders on lattice reduction 1 Analysis of BKZ in the sandpile model 2 Analysis of BKZ 3 Applications to LLL 4 Conclusion 5 Analysis of BKZ 9/32

  25. Gram-Schmidt orthogonalization b 1 , . . . , b n linearly independent. The Gram-Schmidt orthogona- b 3 lization b ∗ 1 , . . . , b ∗ n is defined by: For all i > j , ( b i , b ∗ j ) µ i , j = j � 2 . � b ∗ For all i , i = b i − � b ∗ j < i µ i , j b ∗ j . b 2 b 1 A basis is size-reduced if all the | µ i , j | are ≤ 1 2 . Analysis of BKZ 10/32

  26. Gram-Schmidt orthogonalization b 1 , . . . , b n linearly independent. The Gram-Schmidt orthogona- b 3 lization b ∗ 1 , . . . , b ∗ b ∗ n is defined by: 3 For all i > j , ( b i , b ∗ j ) µ i , j = j � 2 . � b ∗ b ∗ For all i , 2 i = b i − � b ∗ j < i µ i , j b ∗ j . b 2 = b ∗ b 1 1 A basis is size-reduced if all the | µ i , j | are ≤ 1 2 . Analysis of BKZ 10/32

  27. Gram-Schmidt orthogonalization b 1 , . . . , b n linearly independent. The Gram-Schmidt orthogona- b 3 lization b ∗ 1 , . . . , b ∗ b ∗ n is defined by: 3 For all i > j , ( b i , b ∗ j ) µ i , j = j � 2 . � b ∗ b ∗ For all i , 2 i = b i − � b ∗ j < i µ i , j b ∗ j . b 2 = b ∗ b 1 1 A basis is size-reduced if all the | µ i , j | are ≤ 1 2 . Analysis of BKZ 10/32

  28. LLL B is δ -LLL-reduced if: It is size-reduced; i � 2 ≤ � b ∗ i +1 � 2 + µ 2 i � 2 for all i < n . δ � b ∗ i +1 , i � b ∗ → x i ≤ 1 ( x i = log � b ∗ 2 log γ 2 + x i +1 − log δ i � ) Analysis of BKZ 11/32

  29. LLL B is δ -LLL-reduced if: It is size-reduced; i � 2 ≤ � b ∗ i +1 � 2 + µ 2 i � 2 for all i < n . δ � b ∗ i +1 , i � b ∗ → x i ≤ 1 ( x i = log � b ∗ 2 log γ 2 + x i +1 − log δ i � ) 1 2 log γ 2 − log δ x 1 x 2 x 3 x 4 x 5 Analysis of BKZ 11/32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction Technical analysis is the attempt to forecast stock prices on the basis of market-derived data. Technicians (also known as quantitative analysts or

853 views • 73 slides
T ask Analysis Ov erview What is task analysis? T ask Analysis Metho ds task

T ask Analysis Ov erview What is task analysis? T ask Analysis Metho ds task

T ask Analysis Ov erview What is task analysis? T ask Analysis Metho ds task decomp osition kno wledge based analysis en tit y-relati onshi p tec hniques Sources of Information Uses of T ask Analysis

398 views • 27 slides
Technical Analysis for FX Options W hat is Technical Analysis? Technical analysis, also

Technical Analysis for FX Options W hat is Technical Analysis? Technical analysis, also

Technical Analysis for FX Options W hat is Technical Analysis? Technical analysis, also known as charting, is an attempt to predict future prices, by studying the trading history of a traded security (currencies, equities, commodities,

473 views • 44 slides
various analysis, and all necessary analysis tools

various analysis, and all necessary analysis tools

Analysis page includes topics for analysis, descriptions of various analysis, and all necessary analysis tools

512 views • 9 slides
DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS METHODS FOR DESIGN &amp; ANALYSIS METHODS

DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS METHODS FOR DESIGN &amp; ANALYSIS METHODS

SNAME Philadelphia Section Meeting May 2013 y USA (originally presented at MTU Naval Symposium, September 2011, GERMANY) DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS METHODS FOR DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS

1.11k views • 80 slides
. . . . . . . . . . . . . . . . . . . . . Let denote an average .

. . . . . . . . . . . . . . . . . . . . . Let denote an average .

Overview Factor Analysis and Beyond Principal Components Analysis Factor Analysis Independent Components Analysis Chris Williams Non-linear Factor Analysis School of Informatics, University of Edinburgh Reading: Handout on

206 views • 7 slides
Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation Procedure Inlining and Cloning cs6363 1 Introduction Interprocedural Analysis Gathering information about the whole program instead of a

496 views • 22 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Bioinformatics: Network Analysis Flux Balance Analysis and Metabolic Control Analysis COMP 572

Bioinformatics: Network Analysis Flux Balance Analysis and Metabolic Control Analysis COMP 572

Bioinformatics: Network Analysis Flux Balance Analysis and Metabolic Control Analysis COMP 572 (BIOS 572 / BIOE 564) - Fall 2013 Luay Nakhleh, Rice University 1 Flux Balance Analysis (FBA) Flux balance analysis (FBA), an optimality-base

955 views • 52 slides
SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT

SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT

SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT Analysis? Aim of SWOT Analysis Who needs SWOT Analysis? How to conduct SWOT Analysis? Benefits &amp; Pitfalls of SWOT Analysis Brainstorming

445 views • 31 slides
ROT Content Analysis Workshop ECAS Office of Communications What is a ROT analysis?

ROT Content Analysis Workshop ECAS Office of Communications What is a ROT analysis?

ROT Content Analysis Workshop ECAS Office of Communications What is a ROT analysis? Examples of ROT content Why conduct a ROT Analysis? Steps in conducting an analysis Writing for the web Questions What is a ROT analysis?

491 views • 17 slides
The Deliverables of Gap Analysis Conducted by NAMA: To Provide a Comprehensive Gap Analysis

The Deliverables of Gap Analysis Conducted by NAMA: To Provide a Comprehensive Gap Analysis

1 Infrastructure Gap Analysis and Aviation Master Planning ICAO WORKSHOP ON AVIATION INFRASTRUCTURE GAP ANALYSIS ABUJA, NIGERIA Aviation Infrastructure Gap Analysis and Master Plan Development Process - Exchange of experiences and lessons

408 views • 40 slides
Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

csci 210: Data Structures Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega big-theta asymptotic notation commonly used functions discrete math

500 views • 33 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis Amortized analysis averages the time required to perform a sequence of operations on a data structure over all the operations performed An

2.15k views • 56 slides
rs

rs

rs Ptr

1.26k views • 97 slides
Strichartz inequalities on surfaces with cusps Jean-Marc Bouclet Institut de Math ematiques de

Strichartz inequalities on surfaces with cusps Jean-Marc Bouclet Institut de Math ematiques de

Strichartz inequalities on surfaces with cusps Jean-Marc Bouclet Institut de Math ematiques de Toulouse 118 route de Narbonne F-31062 Toulouse Cedex 9 jean-marc.bouclet@math.univ-toulouse.fr Abstract We prove Strichartz inequalities for

705 views • 43 slides
Log-Minkowski measurability and complex dimensions Goran Radunovi c University of California,

Log-Minkowski measurability and complex dimensions Goran Radunovi c University of California,

Log-Minkowski measurability and complex dimensions Goran Radunovi c University of California, Riverside 14 th June 2017 6th Cornell Conference on Analysis, Probability, and Mathematical Physics on Fractals, Ithaca, NY Joint work with Michel

943 views • 55 slides
Hermite versus Minkowski Jacques Martinet Universit e de Bordeaux, IMB/A2X Luminy,

Hermite versus Minkowski Jacques Martinet Universit e de Bordeaux, IMB/A2X Luminy,

Hermite versus Minkowski Jacques Martinet Universit e de Bordeaux, IMB/A2X Luminy, NovemberDecember, 2009 Jacques Martinet (Universit e de Bordeaux, IMB/A2X) Hermite versus Minkowski Luminy, NovemberDecember, 2009 1 / 12 The

665 views • 27 slides
Curvature and Diffusion in the Heisenberg group Nicolas JUILLET IRMA, Strasbourg Paris, IHP ,

Curvature and Diffusion in the Heisenberg group Nicolas JUILLET IRMA, Strasbourg Paris, IHP ,

Curvature and Diffusion in the Heisenberg group Curvature and Diffusion in the Heisenberg group Nicolas JUILLET IRMA, Strasbourg Paris, IHP , October 2014 Nicolas JUILLET Curvature and Diffusion in the Heisenberg group Curvature and

558 views • 27 slides
Fubini type results for Hausdorff dimension Tam as Keleti with Korn elia H era and

Fubini type results for Hausdorff dimension Tam as Keleti with Korn elia H era and

Fubini type results for Hausdorff dimension Tam as Keleti with Korn elia H era and Andr as M ath e E otv os Lor and University, Budapest Warwick, 12 July 2017 Tam as Keleti (Budapest) with Korn elia H era

792 views • 45 slides
Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software

Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software

Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca

758 views • 63 slides
An optimal Lp -bound on the Krein spectral shift function (Birmingham, November 1012, 2000)

An optimal Lp -bound on the Krein spectral shift function (Birmingham, November 1012, 2000)

An optimal Lp -bound on the Krein spectral shift function (Birmingham, November 1012, 2000) Barry Simon and D. H. Let A,B be the Krein spectral shift function for a pair of operators A, B , with C = A B trace class. Then F (

536 views • 12 slides

More recommend