Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / - - PowerPoint PPT Presentation

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1/(2k) in Time k k/8+o(k)

Martin R. Albrecht1, Shi Bai2, Pierre-Alain Fouque3, Paul Kirchner3, Damien Stehlé4 and Weiqiang Wen3

1 Royal Holloway, University of London 2 Florida Atlantic University 3 Rennes Univ 4 ENS de Lyon

CRYPTO 2020

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 1 / 19

What is this work about?

Enumeration-based lattice reduction algorithms

k

1 2k

k

k 8 +o(k)

k

k 2e +o(k)

Prior works This work

◮ In case of input lattices of

◮ large dimension: proved under a heuristic assumption; ◮ small dimension: simulation still works for a variant algorithm.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 2 / 19

Lattices

γ · V

• l

( L )

1 / n

b1 b2 c1 c2 c2 A definition of lattice

Given B = {b1, · · · , bn} ⊆ Qm a set of linearly independent vectors, the lattice L spanned by the bi’s is L(B) =   

• i∈[n]

uibi : u ∈ Zn    .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 3 / 19

Lattices

γ · V

• l

( L )

1 / n

b1 b2 c1 c2 c2 A definition of lattice

Given B = {b1, · · · , bn} ⊆ Qm a set of linearly independent vectors, the lattice L spanned by the bi’s is L(B) =   

• i∈[n]

uibi : u ∈ Zn    .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 3 / 19

Invariants in lattices

γ · V

• l

( L )

1 / n

b1 b2 c1 c2 c2

λ1 Vol(L(B))

First minimum λ1(L) = min{b : b ∈ L\{0}}. Volume of lattice Vol(L(B)) =

• det(BTB) for any basis B.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 3 / 19

Lattice problems

γ · V

• l

( L )

1 / n

b1 b2 c1 c2 c2

λ1

Shortest vector problem (SVP)

Given B ⊆ Qm a basis of the lattice L, it asks to find a vector s in the lattice such that s= λ1(L).

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 3 / 19

Lattice problems

b1 b2 c1 c2 c2

λ1 γ · V

• l

( L )

1 / n

SVP

Given B ⊆ Qm a basis of the lattice L, finds a vector s in the lattice such that s= λ1(L).

γ-Hermite SVP (γ-HSVP)

Given B ⊆ Qm a basis of the lattice L, finds a non-zero vector s in the lattice such that s≤ γ · Vol(L)

1 n .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 3 / 19

Lattice problems

γ · V

• l

( L )

1 / n

b1 b2 c1 c2 c2

λ1

√ n · V

• l

( L )

1 / n

Minkowski’s theorem: SVP ⇒ √n-HSVP. (λ1 ≤ √n · Vol(L)1/n)

SVP

Given B a basis of L, finds a non-zero vector s in L such that s= λ1(L).

γ-Hermite SVP (γ-HSVP)

Given B a basis of L, finds a non-zero vector s in L such that s≤ γ · Vol(L)

1 n .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 3 / 19

Best known solution: reduce the basis

b1 b2 c1 c2 Bad basis [less orthogonal] c2 b1 b2 c1 c2 Good basis [more orthogonal] c2

Hermite factor

Given B = {b1, · · · , bn} ⊆ Qm a basis of the lattice L, its Hermite factor is

HF(B) =

b1 Vol(L)

1 n .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 4 / 19

Best known solution: reduce the basis

b1 b2 c1 c2 Bad basis [less orthogonal] c2 b1 b2 c1 c2 Good basis [more orthogonal] c2

The BKZ lattice reduction is the most practical algorithm to achieve such task!

Hermite factor

Given B = {b1, · · · , bn} ⊆ Qm a basis of the lattice L, its Hermite factor is

HF(B) =

b1 Vol(L)

1 n .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 4 / 19

Introduce root Hermite factor to quantify lattice reduction

b1 b2 c1 c2 Bad basis [less orthogonal] c2 b1 b2 c1 c2 Good basis [more orthogonal] c2

The BKZ lattice reduction is the most practical algorithm to achieve such task!

Hermite factor

Given B = {b1, · · · , bn} ⊆ Qm a basis

• f the lattice L, its Hermite factor is

HF(B) =

b1 Vol(L)

1 n .

Root Hermite factor

Given B ⊆ Qm a basis of the lattice L, its root Hermite factor is

RHF(B) = HF(B)

1 n−1 .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 4 / 19

Gram-Schmidt orthogonalization

b1 b2 c∗

2

c1(c∗

1)

c2 Bad basis [less orthogonal] c2 b∗

2

b1(b∗

1)

b2 c1 c2 Good basis [more orthogonal] c2

The BKZ lattice reduction is the most practical algorithm to achieve such task! Gram-Schmidt orthogonalization

A matrix B∗ = (b∗

1, ..., b∗ n) is the Gram-Schmidt orthogonalization of B, if

b∗

i = bi − i−1 j=1 µi,jb∗ j , where µi,j = bi,b∗

j

b∗

j 2 . Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 4 / 19

Orthogonal projection

x y z b2(3, 1, 0) b1(1, 3, 0) b3(1, 1, 3) b(2)

3 (0, 0, 3)

Notation of projection

Given a basis B = (b1, · · · , bn) ∈ Qm, we let b(j)

i

denote the orthogonal projection over (b1, · · · , bj)⊥ of bi.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 5 / 19

The BKZ algorithm [SE94]

b1 b2

···

bkbk+1

·· ·

bn SVP solver b∗

2 = b(1) 2 = λ1

• L
• b(1)

2 , b(1) 3 , · · · , b(1) k+1

• b∗

1 = b1 = λ1 (L (b1, b2, · · · , bk))

Notation of projection

Given a basis B = (b1, · · · , bn) ∈ Qm, we let b(j)

i

denote the orthogonal projection over (b1, · · · , bj)⊥ of bi.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 5 / 19

The BKZ algorithm [SE94]

b1 b2

···

bkbk+1

·· ·

bn SVP solver b∗

2 = b(1) 2 = λ1

• L
• b(1)

2 , b(1) 3 , · · · , b(1) k+1

• b∗

1 = b1 = λ1 (L (b1, b2, · · · , bk))

Notation of projection

Given a basis B = (b1, · · · , bn) ∈ Qm, we let b(j)

i

denote the orthogonal projection over (b1, · · · , bj)⊥ of bi.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 5 / 19

The BKZ algorithm [SE94]

b1 b2

···

bkbk+1

·· ·

bn SVP solver b∗

2 = b(1) 2 = λ1

• L
• b(1)

2 , b(1) 3 , · · · , b(1) k+1

• Notation of projection

Given a basis B = (b1, · · · , bn) ∈ Qm, we let b(j)

i

denote the orthogonal projection over (b1, · · · , bj)⊥ of bi.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 5 / 19

The BKZ algorithm [SE94]

b1 b2

···

bkbk+1

·· ·

bn SVP solver b∗

2 = b(1) 2 = λ1

• L
• b(1)

2 , b(1) 3 , · · · , b(1) k+1

• The two practical SVP solver families

Sieve [BDGL16] Enumeration [Kan83; FP83; HS07; GNR10] Space

exp(k) poly(k)

Time

20.292k+o(k) kk/(2e)+o(k) (≈ k0.184k)

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 5 / 19

The BKZ algorithm [SE94]

b1 b2

···

bkbk+1

·· ·

bn SVP solver b∗

2 = b(1) 2 = λ1

• L
• b(1)

2 , b(1) 3 , · · · , b(1) k+1

• The two practical SVP solver families

Sieve [BDGL16] Enumeration [Kan83; FP83; HS07; GNR10] Space

exp(k) poly(k)

Time

20.292k+o(k) kk/(2e)+o(k) (≈ k0.184k)

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 5 / 19

The prior results and our result (informal)

b1 b2

···

bkbk+1

·· ·

bn SVP solver b∗

2 = b(1) 2 = λ1

• L
• b(1)

2 , b(1) 3 , · · · , b(1) k+1

• Performance of enumeration-based (SD)BKZ and ours

(SD)BKZ [HPS11; MW16; Neu17] This work (informally)

RHF k1/(2k) k1/(2k) Time kk/(2e)+o(k) kk/8+o(k)

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 5 / 19

Observation on BKZ and SDBKZ reduced bases

k 2k 3k

Line

Index i

log2b∗

i

Study of δi=bi/bi+1 for i < n − k BKZ SDBKZ (in this work)

[This work, Appendix]: δi is not fixed . [MW16]⋆: fixed δi = γ2/(k−1) , (E.g., it does not give a line.) given γ-HSVP on k-dim lattice.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 6 / 19

The SDBKZ reduced basis

k 2k 3k

Line Kannan’s algorithm

Index i

log2b∗

i

◮ Enum_Cost(’first block’) = kk/8+o(k); ◮ Enum_Cost(’last block’) = kk/(2e)+o(k).

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 7 / 19

The SDBKZ reduced basis

k 2k 3k

Line HKZ curve Kannan’s algorithm

Index i

log2b∗

i

◮ Enum_Cost(’first block’) = kk/8+o(k); ◮ Enum_Cost(’last block’) = kk/(2e)+o(k).

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 7 / 19

How can we do better than kk/(2e)?

k 2k 3k

kk/2e

Index i

log2b∗

i

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 8 / 19

How can we do better than kk/(2e)?

k 2k 3k

kk/8

kk/8

Index i

log2b∗

i

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 8 / 19

How can we do better than kk/(2e)?

◮ Start from a smaller k0 = k · 2e/8(≈ 0.67k) as kk0/(2e)

≤ kk/8. ◮ k0-dim SVP ⇒ √ k0-HSVP ⇒ For k0-dim lattice, reach HF: √ k0 and RHF: √ k0

1/(k0−1) ≈ k1/(1.36·k).

γ0-HSVP γ0 = √ k0

[k0-dim]

RHF: k1/(1.36·k)

γ1-HSVP for a new γ1

[k1-dim]

Smaller and smaller RHF γ⋆-HSVP for final γ⋆

[k⋆-dim]

Target RHF: k1/(2·k)

···

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 8 / 19

Targeting RHF : k1/(2k) (k = 1000)

670

kk/8

Index i logb∗

i

◮ Starting block-size:

k0 = k · 2e 8 ≈ 0.67k ⇒ k

k0/2e

≈ k k/8.

γ0-HSVP γ0 = √

k0 SDBKZ oracle

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 9 / 19

Targeting RHF : k1/(2k) (k = 1000)

670

kk/8

Index i logb∗

i

◮ RHF: γ1/(k0−1)

;

[0] k 1/(1.36k);

γ0-HSVP γ0 = √

k0 SDBKZ oracle

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 9 / 19

Boosting from bottom up [1st iteration]

830 1500

kk/8 kk/8 δ

Index i logb∗

i

◮ RHF: γ1/(k0−1)

;

[0] k 1/(1.36k);

γ0-HSVP γ0 = √

k0 SDBKZ oracle

GS-norms slope: δ0 = γ

2 k0−1

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 9 / 19

Boosting from bottom up [1st iteration]

830 1500

kk/8 kk/8 δ

Index i logb∗

i

◮ Determine next dimension k1:

Enum(δ0, k1 − k0) ≤ k

k 8 .

γ0-HSVP γ0 = √

k0 SDBKZ oracle Enumeration

GS-norms slope: δ0 = γ

2 k0−1

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 9 / 19

Boosting from bottom up [1st iteration]

830 1500

kk/8 kk/8 δ

Index i logb∗

i

◮ Determine next dimension k1:

Enum(δ0, k1 − k0) ≤ k

k 8 .

SDBKZ oracle Enumeration

GS-norms slope: δ0 = γ

2 k0−1

γ1-HSVP γ1 = k1

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 9 / 19

Boosting from bottom up [1st iteration]

830 1500

kk/8 kk/8 δ

Index i logb∗

i

◮ RHF: γ1/(k1−1)

1

;

[0] k 1/(1.36k); [1] k 1/(1.50k);

SDBKZ oracle Enumeration

GS-norms slope: δ0 = γ

2 k0−1

γ1-HSVP γ1 = k1

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 9 / 19

Boosting from bottom up [1st iteration]

830 1500

kk/8 kk/8 δ

Index i logb∗

i

◮ RHF: γ1/(k1−1)

1

;

[0] k 1/(1.36k); [1] k 1/(1.50k); [2] k 1/(1.58k);

SDBKZ oracle Enumeration

GS-norms slope: δ0 = γ

2 k0−1

γ1-HSVP γ1 = k1

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 9 / 19

Overall complexity bound: kk/8+o(k)

k 2k 3k 4k 5k 6k

kk/8+o(k)

kk/8

Index i logb∗

i

2 4 6 8 10 12 14 16 18

Iteration level i log δi at level i

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 10 / 19

Fast convergence

k 2k 3k 4k 5k 6k

kk/8+o(k)

kk/8

δ0 δ

1

δ

2

δ3 δ4

Index i logb∗

i

2 4 6 8 10 12 14 16 18

Iteration level i log δi at level i

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 10 / 19

Fast convergence

k 2k 3k 4k 5k 6k

kk/8+o(k)

kk/8

δ0 δ

1

δ

2

δ3 δ4

Index i logb∗

i

2 4 6 8 10 12 14 16 18

k

1 1.36k

k

1 2k

Iteration level i

RHF at level i

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 10 / 19

The FastEnum algorithm

Algorithm 1 The FastEnum algorithm (γi-HSVP solver).

Require: A cost parameter k, a basis B of dimension ki, and a level i ≥ 0. Ensure: A solution of γi-HSVP on L(B). 1: if i = 0 then 2: b ← Enum(B); // worst-case cost: k k/8 for size k · 2e/8 3: else 4: C ← SDBKZ on B using γi−1-HSVP solver from last iteration; 5: b ← Enum

• C[0:ki −ki−1]
• with ki−1 from last iteration;

6: end if 7: return b;

Heuristic 1

During the SDBKZ execution, each call to γ-HSVP for a k-dimensional block B[i,i+k−1] returns a vector of norm γ · Vol(L(B[i,i+k−1]))

1 k .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 11 / 19

Main result

Theorem (Under Heuristic 1)

Given a basis B of a lattice and a parameter k, our new algorithm can reach root Hermite factor k

1 2k (1+o(1)) in time k k 8 +o(k) · poly(size(B)),

where the dimension of L(B) is k · ω(1) .

Heuristic 1

During the SDBKZ execution, each call to γ-HSVP for a k-dimensional block B[i,i+k−1] returns a vector of norm around γ · Vol(L(B[i,i+k−1]))

1 k .

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 12 / 19

Practical case: n is relatively close to k

k 2k Index i

log2b∗

i

◮ FastEnum: enumeration over 100%-line.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 13 / 19

Make the enumeration zone cover the HKZ zone

k 2k Index i

log2b∗

i

◮ Enumeration over: c-line + (1-c)-HKZ curve for some c ∈ [0, 1].

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 13 / 19

Determine concrete parameter c

Interpolated dominating constant u0 on k u0·k+o(k).

0.2 0.4 0.6 0.8 1 1/8 1/(2e)

c

Interpolated constant

BKZ

We choose c = 0.25!

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 14 / 19

Handling the tailing blocks

k 2k Index i

log2b∗

i

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 15 / 19

Handling the tailing blocks

k 2k Index i

log2b∗

i

◮ Decrease enumeration sizes for the tailing blocks.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 15 / 19

Handling the tailing blocks

k 2k Index i

log2b∗

i

◮ Decrease enumeration sizes for the tailing blocks.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 15 / 19

Experimental results (n = 2k)

Simulated cost of the practical variant when c = 0.25.

100 200 300 400 500 k

kk/8−0.547k+10.4 The practical variant free preprocessing

RHF: BKZ vs the practical variant.

100 150 200 250 300 350 400 450 500 k

BKZ The practical variant Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 16 / 19

Conclusion

Performance of enumeration-based (SD)BKZ and ours (SD)BKZ This work (informally) RHF k1/(2k) k1/(2k) Time kk/(2e)+o(k) kk/8+o(k) Quantum acceleration Time kk/(4e)+o(k) [ANS18] kk/16+o(k) [ANS18]+[This work]

◮ Large n/k = ω(1): heuristic analysis of our FastEnum algorithm. ◮ Small n/k = 2: simulation analysis of our practical variant.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 17 / 19

Future works and open questions

◮ [+] Remove the heuristic assumption;

(e.g., follow the work of [HS07] + [HPS11; Neu17].)

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 18 / 19

Future works and open questions

◮ [+] Remove the heuristic assumption;

(e.g., follow the work of [HS07] + [HPS11; Neu17].)

◮ [++] Extend to other lattice reduction algorithms;

(e.g., BKZ reduction, slide reduction.)

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 18 / 19

Future works and open questions

◮ [+] Remove the heuristic assumption;

(e.g., follow the work of [HS07] + [HPS11; Neu17].)

◮ [++] Extend to other lattice reduction algorithms;

(e.g., BKZ reduction, slide reduction.)

◮ [++] Further investigation on cost below kk/8.

(e.g., the cost can be below kk/8 for “free preprocessing”.)

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 18 / 19

Future works and open questions

◮ [+] Remove the heuristic assumption;

(e.g., follow the work of [HS07] + [HPS11; Neu17].)

◮ [++] Extend to other lattice reduction algorithms;

(e.g., BKZ reduction, slide reduction.)

◮ [++] Further investigation on cost below kk/8.

(e.g., the cost can be below kk/8 for “free preprocessing”.)

◮ [+++] Study cryptographic relevance of this work;

(e.g., give analysis for small n/k; concrete cross-over points with sieve-based algorithms classically and quantumly.)

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 18 / 19

References I

[ANS18] Yoshinori Aono, Phong Q. Nguyen, and Yixin Shen, Quantum lattice enumeration and tweaking discrete pruning, AISACRYPT, 2018, pp. 405–434. [BDGL16] Anja Becker, Léo Ducas, Nicolas Gama, and Thijs Laarhoven, New directions in nearest neighbor searching with applications to lattice sieving, SODA, 2016, pp. 10–24. [FP83] Ulrich Fincke and Michael Pohst, A procedure for determining algebraic integers of given norm, EUROCAL (J. A. van Hulzen, ed.), LNCS, vol. 162, Springer, 1983, pp. 194–202. [GNR10] Nicolas Gama, Phong Q. Nguyen, and Oded Regev, Lattice enumeration using extreme pruning, EUROCRYPT, 2010, pp. 257–278. [HPS11] Guillaume Hanrot, Xavier Pujol, and Damien Stehlé, Analyzing blockwise lattice algorithms using dynamical systems, CRYPTO, 2011, pp. 447–464. [HS07] Guillaume Hanrot and Damien Stehlé, Improved analysis of kannan’s shortest lattice vector algorithm, CRYPTO, 2007, pp. 170–186. [Kan83] Ravi Kannan, Improved algorithms for integer programming and related lattice problems, STOC, 1983, pp. 193–206. [MW16] Daniele Micciancio and Michael Walter, Practical, predictable lattice basis reduction, EUROCRYPT, 2016, pp. 820–849. [Neu17] Arnold Neumaier, Bounding basis reduction properties, Des. Codes Cryptogr. 84 (2017),

• no. 1-2, 237–259.

[SE94] Claus-Peter Schnorr and Michael Euchner, Lattice basis reduction: Improved practical algorithms and solving subset sum problems, Math. Program. 66 (1994), 181–199.

Weiqiang Wen (Rennes Univ) Faster Enumeration-based Lattice Reduction CRYPTO 2020 19 / 19