Analyzing Blockwise Lattice Algorithms using Dynamical Systems - - PowerPoint PPT Presentation

Analyzing Blockwise Lattice Algorithms using Dynamical Systems

Guillaume Hanrot, Xavier Pujol, Damien Stehl´ e

ENS Lyon, LIP (CNRS – ENSL – INRIA – UCBL - ULyon)

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 1/16

Context

Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

Context

Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

Context

Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

Context

Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

Context

Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

Contributions

We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

Contributions

We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

Contributions

We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

Lattices

a1 a2

b b b b b b b b b b b b b b b b b

(SVP)

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

Lattices

b1 b2

b b b b b b b b b b b b b b b b b

(SVP)Lattice reduction(SVP)

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

Lattices

b1 b2

b b b b b b b b b b b b b b b b b

(SVP)Determinant(SVP)

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

Lattices

b1 b2

b b b b b b b b b b b b b b b b b

Hermite factor of B: HF(b1, . . . , bn) = b1 (det L)1/n Goal of lattice reduction: find a basis with small HF. If b1 is a shortest vector = 0, then HF(b1, . . . , bn) ≤ √γn, with γn = Hermite constant ≤ n.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

Lattices

b1 b2

b b b b b b b b b b b b b b b b b

Hermite factor of B: HF(b1, . . . , bn) = b1 (det L)1/n Goal of lattice reduction: find a basis with small HF. If b1 is a shortest vector = 0, then HF(b1, . . . , bn) ≤ √γn, with γn = Hermite constant ≤ n.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

Lattices

b1 b2

b b b b b b b b b b b b b b b b b

Hermite factor of B: HF(b1, . . . , bn) = b1 (det L)1/n Goal of lattice reduction: find a basis with small HF. If b1 is a shortest vector = 0, then HF(b1, . . . , bn) ≤ √γn, with γn = Hermite constant ≤ n.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

Hierarchy of lattice reductions in dimension n

xi = log b∗

i for i ≤ n (b∗ 1, . . . , b∗ n = Gram-Schmidt basis of B).

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

Hierarchy of lattice reductions in dimension n

xi = log b∗

i for i ≤ n (b∗ 1, . . . , b∗ n = Gram-Schmidt basis of B).

HKZ

Hermite-Korkine-Zolorareff

BKZβ

Block Korkine-Zolotareff

LLL

Lenstra-Lenstra-Lov´ asz

x6 x5 x4 x3 x2 x1 HF: √γn ≃ (γβ)

n 2β

≃ (γ2)

n 2

Time: 2O(n) 2O(β)×? Poly(n)

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

Hierarchy of lattice reductions in dimension n

xi = log b∗

i for i ≤ n (b∗ 1, . . . , b∗ n = Gram-Schmidt basis of B).

HKZ

Hermite-Korkine-Zolorareff

BKZβ

Block Korkine-Zolotareff

LLL

Lenstra-Lenstra-Lov´ asz

x6 x5 x4 x3 x2 x1 x6 x5 x4 x3 x2 x1 HF: √γn ≃ (γβ)

n 2β

≃ (γ2)

n 2

Time: 2O(n) 2O(β)×? Poly(n)

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

Hierarchy of lattice reductions in dimension n

xi = log b∗

i for i ≤ n (b∗ 1, . . . , b∗ n = Gram-Schmidt basis of B).

HKZ

Hermite-Korkine-Zolorareff

BKZβ

Block Korkine-Zolotareff

LLL

Lenstra-Lenstra-Lov´ asz

x6 x5 x4 x3 x2 x1 x6 x5 x4 x3 x2 x1 x6 x5 x4 x3 x2 x1 HF: √γn ≃ (γβ)

n 2β

≃ (γ2)

n 2

Time: 2O(n) 2O(β)×? Poly(n)

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

Known results on blockwise algorithms

BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2O(β) × Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

Known results on blockwise algorithms

BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2O(β) × Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

Known results on blockwise algorithms

BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2O(β) × Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

Known results on blockwise algorithms

BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2O(β) × Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

Known results on blockwise algorithms

BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2O(β) × Poly(n): Schnorr (1987) : Semi-block-2β-reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

BKZ

Algorithm (BKZβ, modified version)

Input: B of dimension n. Repeat ... times For i from 1 to n − β + 1 do Size-reduce B. HKZ-reduce a projection of the block (bi, . . . , bi+β−1). Report the transformation on B. Termination?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

BKZ

Algorithm (BKZβ, modified version)

Input: B of dimension n. Repeat ... times For i from 1 to n − β + 1 do Size-reduce B. HKZ-reduce a projection of the block (bi, . . . , bi+β−1). Report the transformation on B. Termination?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

BKZ

Algorithm (BKZβ, modified version)

Input: B of dimension n. Repeat ... times For i from 1 to n − β + 1 do Size-reduce B. HKZ-reduce a projection of the block (bi, . . . , bi+β−1). Report the transformation on B. Termination?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

Progress made during the execution of BKZ

1.012 1.013 1.014 1.015 1.016 1.017 1.018 1.019 1.02 1.021 20 40 60 80 100 Hermite factor ^ (1 / n) Number of tours Quality of BKZ output BKZ

Experience on 64 LLL-reduced knapsack-like matrices (n = 108, β = 24).

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 8/16

Progress made during the execution of BKZ

1.012 1.013 1.014 1.015 1.016 1.017 1.018 1.019 1.02 1.021 200 400 600 800 1000 1200 Hermite factor ^ (1 / n) Number of tours Quality of BKZ output BKZ

Experience on 64 LLL-reduced knapsack-like matrices (n = 108, β = 24).

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 8/16

Our result

γβ = Hermite constant ≤ β. L a lattice with basis (b1, . . . , bn).

Theorem

After O n3 β2

• log n

ǫ + log log max bi (det L)1/n

• calls to HKZβ,

BKZβ returns a basis C of L such that: HF(C) ≤ (1 + ǫ)γβ

n−1 2(β−1) + 3 2 . Analyzing Blockwise Lattice Algorithms using Dynamical Systems 9/16

Sandpile model

We consider only xi = log b∗

i for i ≤ n.

We assume that HKZ-reductions correspond to a fixed pattern. The information on the initial xi’s fully determines the xi’s after a call to HKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 10/16

Sandpile model

We consider only xi = log b∗

i for i ≤ n.

We assume that HKZ-reductions correspond to a fixed pattern. The information on the initial xi’s fully determines the xi’s after a call to HKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 10/16

Sandpile model

We consider only xi = log b∗

i for i ≤ n.

We assume that HKZ-reductions correspond to a fixed pattern. The information on the initial xi’s fully determines the xi’s after a call to HKZ.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 10/16

x1 x2 x3 x4 x5 x6 x7 x8 x9

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

x5 x6 x7 x8 x9 x1 x2 x3 x4

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

x1 x6 x7 x8 x9 x2 x3 x4 x5

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

x1 x2 x7 x8 x9 x3 x4 x5 x6

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

x1 x2 x3 x8 x9 x4 x5 x6 x7

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

x1 x2 x3 x4 x9 x5 x6 x7 x8

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

x1 x2 x3 x4 x5 x6 x7 x8 x9

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

x5 x6 x7 x8 x9 x1 x2 x3 x4

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 11/16

Matrix interpretation

x1 x2 x3 x4 x5 x6 x7 x8 x9 X = (x1, . . . , xn)T X0.5 ← A1X X1 ← A1X + Γ1 X2 ← A2X1 + Γ2 . . . Xk = AkXk + Γk with k = n − β + 1 A full tour: X ′ ← AX + Γ

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

Matrix interpretation

x5 x6 x7 x8 x9 x1 x2 x3 x4 X = (x1, . . . , xn)T X0.5 ← A1X X1 ← A1X + Γ1 X2 ← A2X1 + Γ2 . . . Xk = AkXk + Γk with k = n − β + 1 A full tour: X ′ ← AX + Γ

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

Matrix interpretation

x5 x6 x7 x8 x9 x1 x2 x3 x4 X = (x1, . . . , xn)T X0.5 ← A1X X1 ← A1X + Γ1 X2 ← A2X1 + Γ2 . . . Xk = AkXk + Γk with k = n − β + 1 A full tour: X ′ ← AX + Γ

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

Matrix interpretation

x1 x6 x7 x8 x9 x2 x3 x4 x5 X = (x1, . . . , xn)T X0.5 ← A1X X1 ← A1X + Γ1 X2 ← A2X1 + Γ2 . . . Xk = AkXk + Γk with k = n − β + 1 A full tour: X ′ ← AX + Γ

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

Matrix interpretation

x1 x2 x3 x4 x5 x6 x7 x8 x9 X = (x1, . . . , xn)T X0.5 ← A1X X1 ← A1X + Γ1 X2 ← A2X1 + Γ2 . . . Xk = AkXk + Γk with k = n − β + 1 A full tour: X ′ ← AX + Γ

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

Matrix interpretation

x1 x2 x3 x4 x5 x6 x7 x8 x9 X = (x1, . . . , xn)T X0.5 ← A1X X1 ← A1X + Γ1 X2 ← A2X1 + Γ2 . . . Xk = AkXk + Γk with k = n − β + 1 A full tour: X ′ ← AX + Γ

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 12/16

Quality of the output

Method: study the fixed point of:

X = AX + Γ

The β last xi’s have the shape of an HKZ-reduced basis. Asymptotically, line of slope − log γβ

β−1 .

i xi O((log β)2) Corresponds to a Hermite factor close to γ

n−1 2(β−1)

β

.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 13/16

Quality of the output

Method: study the fixed point of:

X = AX + Γ

The β last xi’s have the shape of an HKZ-reduced basis. Asymptotically, line of slope − log γβ

β−1 .

i xi O((log β)2) ≃ (n − β)log γβ

β−1

Corresponds to a Hermite factor close to γ

n−1 2(β−1)

β

.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 13/16

Quality of the output

Method: study the fixed point of:

X = AX + Γ

The β last xi’s have the shape of an HKZ-reduced basis. Asymptotically, line of slope − log γβ

β−1 .

i xi O((log β)2) ≃ (n − β)log γβ

β−1

Corresponds to a Hermite factor close to γ

n−1 2(β−1)

β

.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 13/16

Fast convergence

Dynamical system:

X ← AX + Γ

Method: study of the eigenvalues of ATA. Result: the largest eigenvalue of ATA smaller than 1 is ≤ 1 − 1 2 β2 n2 . X − X ∞ decreases by a constant factor every n2

β2 tours.

→ leads to the claimed complexity bound.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 14/16

Fast convergence

Dynamical system:

X ← AX + Γ

Method: study of the eigenvalues of ATA. Result: the largest eigenvalue of ATA smaller than 1 is ≤ 1 − 1 2 β2 n2 . X − X ∞ decreases by a constant factor every n2

β2 tours.

→ leads to the claimed complexity bound.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 14/16

Fast convergence

Dynamical system:

X ← AX + Γ

Method: study of the eigenvalues of ATA. Result: the largest eigenvalue of ATA smaller than 1 is ≤ 1 − 1 2 β2 n2 . X − X ∞ decreases by a constant factor every n2

β2 tours.

→ leads to the claimed complexity bound.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 14/16

From the model to the real algorithm

The results from the previous section cannot be used directly. By averaging the xi’s, a rigorous adaptation becomes possible. Working on the averages suffices to get the result.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 15/16

From the model to the real algorithm

The results from the previous section cannot be used directly. By averaging the xi’s, a rigorous adaptation becomes possible. Working on the averages suffices to get the result.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 15/16

From the model to the real algorithm

The results from the previous section cannot be used directly. By averaging the xi’s, a rigorous adaptation becomes possible. Working on the averages suffices to get the result.

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 15/16

Conclusion

First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

Conclusion

First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

Conclusion

First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

Conclusion

First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16

Conclusion

First analysis of BKZ. New methodology for analysing blockwise algorithms. Better strategies for reducing? The worst-case analysis does not fully explains the practical behaviour. Predictive model?

Analyzing Blockwise Lattice Algorithms using Dynamical Systems 16/16