Parallel Gauss Sieve Algorithm : Solving the Ideal T.Takagi Lattice - - PowerPoint PPT Presentation

parallel gauss sieve algorithm solving the ideal
SMART_READER_LITE
LIVE PREVIEW

Parallel Gauss Sieve Algorithm : Solving the Ideal T.Takagi Lattice - - PowerPoint PPT Presentation

Jan 30, 2023 199 likes •531 views

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, Parallel Gauss Sieve Algorithm : Solving the Ideal T.Takagi Lattice Challenge of 128 dimensions Outline Background Proposed Tsukasa Ishiguro 1 Shinsaku Kiyomoto 1 Algorithm

slide-1
SLIDE 1

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallel Gauss Sieve Algorithm : Solving the Ideal Lattice Challenge of 128 dimensions

Tsukasa Ishiguro1 Shinsaku Kiyomoto1 Yutaka Miyake1 Tsuyoshi Takagi2

KDDI R&D Laboratories Inc.1 Institute of Mathematics for Industry, Kyushu University2

2014/3/28 1 / 15

slide-2
SLIDE 2

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Background

  • Some contests from TU Darmstadt
  • SVP Challenge, Ideal Lattice Challenge, Lattice Challenge

2 / 15

slide-3
SLIDE 3

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Background

  • Some contests from TU Darmstadt
  • SVP Challenge, Ideal Lattice Challenge, Lattice Challenge

Our contributions · A parallel version of an algorithm for solving SVP · Improvements using ideal structures · Solving the 128 dimensional SVP over ideal lattice

2 / 15

slide-4
SLIDE 4

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

n dimensional lattice and SVP

b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b

b1 b2 Shortest vectors

  • Lattice basis

B = (b1, . . . , bn) ∈ Zn×n, bi ∈ Zn

  • Lattice

L(B) =

1≤i≤n

αibi, αi ∈ Z

  • (Euclidean) norm of v = (v1, .., vn)

||v|| =

1≤i≤n

v2

i

Definition (Shortest Vector Problem(SVP))

Given a lattice L(B), find a shortest non-zero vector in L(B). 3 / 15

slide-5
SLIDE 5

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

n dimensional ideal lattice

b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b

v rot(v) rot2(v)

  • Polynomial representation

v = (v1, . . . , vn) ∈ L(B) ⇔ v(x) =

  • 1≤i≤n

vixi−1 ∈ Z[x]

  • Vector rotation

rot(v) = xv(x) mod g(x) g(x): monic, deg(g(x)) = n

  • If rot(v) ∈ L(B) for all v ∈ L(B),

then the L(B) is called ideal lattice 4 / 15

slide-6
SLIDE 6

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Gauss-reduced Definition (Gauss-reduced)

If two different vectors a, b ∈ L(B) satisfy

||a ± b|| ≥ max(||a||, ||b||), then a, b are called Gauss-reduced.

a b b′ = a − b a b a + b b − a a − b′ a + b′ Reduce

a, b are not Gauss-reduced. a, b′ are Gauss-reduced.

We say that b (or b′) was reduced by a. 5 / 15

slide-7
SLIDE 7

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Pairwise-reduced Definition (Pairwise-reduced)

Let A be a set of d vectors in L(B). If every pair of two vectors

(ai, aj) in A for i, j = 1, . . . , d, i j is Gauss-reduced, then the A

is called pairwise-reduced.

Any pair of vectors are Gauss-reduced Set of vectors

6 / 15

slide-8
SLIDE 8

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Gauss Sieve Algorithm[Micciancio, 2009] List L Vector v Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

(1) chosen at random or popped from stack S

7 / 15

slide-9
SLIDE 9

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Gauss Sieve Algorithm[Micciancio, 2009] List L Vector v Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

(2) check and reduce v (3) if v was reduced, move v into stack S

7 / 15

slide-10
SLIDE 10

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Gauss Sieve Algorithm[Micciancio, 2009] List L Vector v Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

(4) check and reduce ℓi (5) if ℓi was reduced, move ℓi into stack S

7 / 15

slide-11
SLIDE 11

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Gauss Sieve Algorithm[Micciancio, 2009] List L Vector v Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

(6) append v to L

7 / 15

slide-12
SLIDE 12

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Gauss Sieve Algorithm[Micciancio, 2009] List L Vector v Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

Gauss Sieve algorithm constructs a big list L of lattice vectors, which is always pairwise-reduced. Finally, a shortest vector appeared in the list L. 7 / 15

slide-13
SLIDE 13

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallelization?

  • The Gauss Sieve algorithm is not easy to be parallelized
  • Milde and Schneider proposed a parallel implementation
  • f the Gauss Sieve[Milde and Schneider, ’10]
  • Them algorithm does not keep the list L pairwise-reduced
  • When they used 10 threads, the list L doubled size of
  • riginal algorithm

8 / 15

slide-14
SLIDE 14

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallelization?

  • The Gauss Sieve algorithm is not easy to be parallelized
  • Milde and Schneider proposed a parallel implementation
  • f the Gauss Sieve[Milde and Schneider, ’10]
  • Them algorithm does not keep the list L pairwise-reduced
  • When they used 10 threads, the list L doubled size of
  • riginal algorithm

Our goal

We propose a fully parallelized Gauss Sieve algorithm. 8 / 15

slide-15
SLIDE 15

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallelization?

  • The Gauss Sieve algorithm is not easy to be parallelized
  • Milde and Schneider proposed a parallel implementation
  • f the Gauss Sieve[Milde and Schneider, ’10]
  • Them algorithm does not keep the list L pairwise-reduced
  • When they used 10 threads, the list L doubled size of
  • riginal algorithm

Our goal

We propose a fully parallelized Gauss Sieve algorithm.

Our strategy

Our algorithm always keeps the list L pairwise-reduced without reference to the number of threads. 8 / 15

slide-16
SLIDE 16

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallel Gauss Sieve Algorithm List L Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

List V

v4 v3 v2 v1

(1) choose at random or popped from stack S

9 / 15

slide-17
SLIDE 17

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallel Gauss Sieve Algorithm List L Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

List V

v4 v3 v2 v1

(2) check and reduce vi (3) if vi was reduced, move vi into stack S

9 / 15

slide-18
SLIDE 18

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallel Gauss Sieve Algorithm List L Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

List V

v4 v3 v2 v1

(4) check and reduce vi (5) if vi was reduced, move vi into stack S

9 / 15

slide-19
SLIDE 19

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallel Gauss Sieve Algorithm List L Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

List V

v4 v3 v2 v1

(6) check and reduce ℓi (7) if ℓi was reduced, move ℓi into stack S

9 / 15

slide-20
SLIDE 20

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Parallel Gauss Sieve Algorithm List L Stack S

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 L is always pairwise-reduced

List V

v4 v3 v2 v1

(8) append vi to L

v4 v3 v2 v1

9 / 15

slide-21
SLIDE 21

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Is a new L pairwise-reduced? List L

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5

List V

v4 v3 v2 v1 · L and V are pairwise-reduced, respectivery · All pairs (ℓi, v j) are Gauss-reduced → V ∪ L is pairwise-reduced

a new L = List V ∪ L

ℓ1 ℓ2 ℓ3 ℓ4 ℓ5 v4 v3 v2 v1 +

10 / 15

slide-22
SLIDE 22

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Solving the 72 dimensional SVP

200 400 600 800 1000 1200 4 8 12 16 20 24 28 32 Time (minutes) The number of threads Total time

· This instance has 16 cores · The running time dereases until 16 threads · The sizes of the list L are most of the same

11 / 15

slide-23
SLIDE 23

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

List of the improvements of Gauss Sieve

  • Generic improvements
  • Sampling short vectors

· Reduction of lengths of sampling vectors → about 5 times faster

  • Improvement of implementation

· Using SIMD operations → n = 80, 96, 128 → about 4 times fasters

  • Specific improvements
  • Ideal Gauss Sieve for n = 2α (Anti-cyclic lattice)

[Schneider, ’11] → n = 128

  • Trinomial lattice for n = 2s3t

· Inverse rotation rot−1(v) = x−1v(x) mod g(x) · Updating to short vectors

→ n = 96 → more than 25 times faster 12 / 15

slide-24
SLIDE 24

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Experiment environment

  • Amazon EC2 cc1.8xlarge instance
  • OS: Ubuntu12.10
  • Intel Xeon E5-2670(2.6Ghz), total 16 cores
  • gsieve library [Voulgaris]
  • compiler: g++4.1.2, OpenMP

, OpenMPI Improvement of implementation

  • Our assumptions
  • All absolute values of norms of vectors are less than 216
  • Calculating time of inner product is most expensive
  • We optimized inner product by using SIMD operations
  • 8-parallelization of 16-bit addition and multiplication

(SSE4.2)

→ about 4 times faster

13 / 15

slide-25
SLIDE 25

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Solving the Challenges

  • SVP Challenge

dim n CPU hours #instances #threads type 80 0.9 1 32 Random lattice 96 200 4 128 Random lattice

  • Ideal Lattice Challenge

dim n CPU hours #instances #threads type 80 0.9 1 32 Ideal lattice 96 8 1 32 Trinomial lattice 128 29,994 84 2,688 Anti-cyclic lattice

  • Original gsieve library requires about 1 week for solving a

80 dimensional SVP

  • Trinomial lattice : 25 times faster

14 / 15

slide-26
SLIDE 26

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Conclusion

  • We proposed a parallel version of the Gauss Sieve

algorithm

  • We found the new conditions to speed up the Gauss Sieve

algorithm

  • We solved a 128 dimensional SVP over ideal lattice, which

had not been solved before

  • The full-version is published in [ePrint 2013/388]

⋆ Open problems

  • How is the theoretical complexity of the Gauss Sieve, the

Parallel Gauss Sieve, and the Ideal Gauss Sieve?

  • Does there exist other conditions or techniques to speed

up the Gauss Sieve algorithm?

15 / 15

slide-27
SLIDE 27

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

16 / 15

slide-28
SLIDE 28

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Solving the 80 dimensional SVP

1000 2000 3000 4000 5000 10000 20000 30000 40000 50000 Running time (seconds) The number of samples $r$ 17 / 15

slide-29
SLIDE 29

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Sampling short vector

  • Optimization of sampling algorithm, namely SampleD

algorithm in Klein’s randomized rounding algorithm.

  • We try to adjust the parameter which determines the

tradeoff between the length of the norm of sample vectors and the running time of our algorithm.

b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b

Average : 6.24GH Maximum : 10.58GH→

b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b b

Average : 1.66GH Maximum : 2.07GH

GH is the Gaussian heuristic bound:

GH = (1/ √π)Γ(n

2 + 1)

1 n · det(L(B)) 1 n

18 / 15

slide-30
SLIDE 30

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Applying Ideal Gauss Sieve [Schneider, ePrint 2011/458]

  • Anti-cyclic lattice
  • n = 2α, α ∈ N
  • Cyclotomic polynomial: g(x) = xn + 1
  • Vector rotation

rot(v) = (−vn, v1, . . . , vn−1) ||roti(v)|| = ||v||, (1 ≤ i ≤ n)

  • It is easy to generate (n − 1) independent vectors roti(v) of

same length from one vector v

List L ℓ1 ℓ2 ℓ3 ℓ4 List L ℓ1 ℓ2 ℓ3 ℓ4 rot(ℓ1) rot(ℓ2) rot(ℓ3) rot(ℓ4) rotn−1(ℓ1) rotn−1(ℓ2) rotn−1(ℓ3) rotn−1(ℓ4)

19 / 15

slide-31
SLIDE 31

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Trinomial Lattice (1/2)

  • Cyclotomic polynomial : g(x) = xn ± xn/2 + 1
  • (case 1) n = 2 · 3m, m > 0
  • (case 2) n = 2s3t, s > 1, t > 0
  • Vector rotation

rot(v) = (−vn, v1, . . . , v n

2 −2, v n 2 −1 − vn−1, v n 2 , . . . , vn−1)

  • Differential of norm

||rot(v)|| − ||v|| = (vn−1)2 − 2v n

2 −1vn−1

→ If (vn−1)2 − 2v n

2 −1vn−1 < 0, norm of a lattice vector

decreases. 20 / 15

slide-32
SLIDE 32

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, T.Takagi Outline Background Proposed Algorithm Improvements Experiment

Trinomial Lattice (2/2)

  • Improvement 3-1: Inverse rotation
  • rot−1(v) = x−1v(x) mod g(x)

x−1: inverse of x modulo g(x)

  • Improvement 3-2: Vector update
  • choosing the shortest vector in following vectors

rot(v), rot2(v), . . ., rotk(v) rot−1(v), rot−2(v), . . ., rot−k(v)

  • Solving the 72 dimensional SVP

40 80 120 160 200 240 4 8 12 16 20 Running time (seconds) The number of rotation Only rotation[22] Inverse rotation Inverse rotation +Updating vector

21 / 15