Progressive lattice sieving (slides), Thijs Laarhoven and Artur Mariano


SLIDE 1

Progressive lattice sieving

Thijs Laarhoven and Artur Mariano

mail@thijs.com http://www.thijs.com/

PQCrypto 2018, Fort Lauderdale (FL), USA

(April 10, 2018)

SLIDES 2-6

Lattices

What is a lattice?

[Figure: a two-dimensional lattice of points around the origin O, built up from the basis vectors b1 and b2]

Shortest Vector Problem (SVP)

[Figure: the same lattice with a shortest nonzero lattice vector s marked]

SLIDE 7

SVP hardness

Theory

Algorithm [references]                                    log2(Time)    log2(Space)

Proven SVP
  Enumeration [Poh81, Kan83, ..., MW15, AN17]             O(n log n)    O(log n)
  AKS-sieve [AKS01, NV08, MV10, HPS11]                    3.398n        1.985n
  ListSieve [MV10, MDB14]                                 3.199n        1.327n
  Birthday sieves [PS09, HPS11]                           2.465n        1.233n
  Enumeration/DGS hybrid [CCL17]                          2.048n        0.500n
  Voronoi cell algorithm [AEVZ02, MV10b]                  2.000n        1.000n
  Quantum sieve [LMP13, LMP15]                            1.799n        1.286n
  Quantum enum/DGS [CCL17]                                1.256n        0.500n
  Discrete Gaussian sampling [ADRS15, ADS15, AS18]        1.000n        1.000n

Heuristic SVP
  The Nguyen–Vidick sieve [NV08]                          0.415n        0.208n
  The GaussSieve [MV10, ..., IKMT14, BNvdP16, YKYC17]     0.415n        0.208n
  Triple sieve [BLS16, HK17]                              0.396n        0.189n
  Two-level sieve [WLTB11]                                0.384n        0.256n
  Three-level sieve [ZPH13]                               0.3778n       0.283n
  Overlattice sieve [BGJ14]                               0.3774n       0.293n
  Triple sieve with NNS [HK17, HKL18]                     0.359n        0.189n
  Hyperplane LSH [Cha02, Laa15, ..., LM18, Duc18]         0.337n        0.337n
  Graph-based NNS [EPY99, DCL11, MPLK14, Laa18]           0.327n        0.282n
  Hypercube LSH [TT07, Laa17]                             0.322n        0.322n
  Quantum sieve [LMP13, LMP15]                            0.312n        0.208n
  May–Ozerov NNS [MO15, BGJ15]                            0.311n        0.311n
  Spherical LSH [AINR14, LdW15]                           0.298n        0.298n
  Cross-polytope LSH [TT07, AILRS15, BL16, KW17]          0.298n        0.298n
  Spherical LSF [BDGL16, MLB17, ALRW17, Chr17]            0.292n        0.292n
  Quantum NNS sieve [LMP15, Laa16]                        0.265n        0.265n

SLIDE 8

SVP hardness

Practice [SVP17]

[Plot: single-core timings (seconds, log scale from 10^0 to 10^10) against lattice dimension (80 to 160) for SVP challenge records, with reference lines at 1 hour, 1 day, 1 year and 1 century. Legend: ■ Enumeration (continuous pruning), ▼ Enumeration (discrete pruning), ★ Sieving]

SLIDE 9

SVP hardness

NIST submissions

Title, Si (sieving), En (enumeration), Submitters

CRYSTALS–Dilithium

  • Lyubashevsky, Ducas, Kiltz, Lepoint, Schwabe, Seiler, Stehlé

CRYSTALS–Kyber

  • Schwabe, Avanzi, Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, ...

Ding Key Exchange

  • Ding, Takagi, Gao, Wang

(R.)EMBLEM

  • Seo, Park, Lee, Kim, Lee

FALCON

  • Prest, Fouque, Hoffstein, Kirchner, Lyubashevsky, Pornin, Ricosset, ...

FrodoKEM

  • Naehrig, Alkim, Bos, Ducas, Easterbrook, LaMacchia, Longa, Mironov, ...

Giophantus

  • Akiyama, Goto, Okumura, Takagi, Nuida, Hanaoka, Shimizu, Ikematsu

HILA5

  • Saarinen

KCL

  • Zhao, Jin, Gong, Sui

KINDI

  • El Bansarkhani

LAC

  • Lu, Liu, Jia, Xue, He, Zhang

LIMA

  • Smart, Albrecht, Lindell, Orsini, Osheter, Paterson, Peer

Lizard

  • Cheon, Park, Lee, Kim, Song, Hong, Kim, Kim, Hong, Yun, Kim, Park, ...

LOTUS

  • Phong, Hayashi, Aono, Moriai

NewHope

  • Pöppelmann, Alkim, Avanzi, Bos, Ducas, De La Piedra, Schwabe, Stebila

NTRUEncrypt

  • Zhang, Chen, Hoffstein, Whyte

NTRU-HRSS-KEM

  • Schanck, Hülsing, Rijneveld, Schwabe

NTRU Prime

  • Bernstein, Chuengsatiansup, Lange, Van Vredendaal

pqNTRUSign

  • Zhang, Chen, Hoffstein, Whyte

qTESLA

  • Bindel, Akleylek, Alkim, Barreto, Buchmann, Eaton, Gutoski, Krämer, ...

Round2

  • Garcia-Morchon, Zhang, Bhattacharya, Rietman, Tolhuizen, Torre-Arce

SABER

  • D’Anvers, Karmakar, Roy, Vercauteren

Three Bears

  • Hamburg

Titanium

  • Steinfeld, Sakzad, Zhao

Totals: Si 21, En 3

Total: 24 proposals estimate SVP hardness with sieving/enumeration

*Not included in this overview: Compact LWE, DRS, Mersenne, Odd Manhattan, Ramstake, ...

SLIDES 10-13

SVP hardness

Overview

Problem: How hard is SVP in high dimensions?

  • Two main approaches: enumeration and sieving
      ◮ Enumeration: memory-efficient, asymptotically slow
      ◮ Sieving: memory-intensive, asymptotically fast
  • Theoretically (large n): sieving > enumeration
  • Practically (small n): enumeration > sieving
  • NIST submissions: (mostly) sieving

Problem: Can sieving still be improved?

  • Theoretically: Probably not... [BDGL16, ALRW17, HKL18]
  • Practically: Yes! (this work), [Duc18]
SLIDES 14-32

GaussSieve

  • 1. Generate random lattice vectors
  • 2. Reduce the vectors with each other
  • 3. Search the list for a shortest vector

[Animated figure: ten random lattice vectors v1, ..., v10 around the origin O; pairs of list vectors are reduced against each other, step by step, until no pair can be shortened further, and the resulting list is searched for a shortest vector]
SLIDES 33-54

ProGaussSieve

  • 1. Generate random vectors on sublattice
  • 2. Reduce the vectors with each other
  • 3. Generate random vectors on full lattice
  • 4. Reduce the vectors with each other

[Animated figure: three random vectors v1, v2, v3 on a sublattice (a lower-rank lattice inside the full lattice, drawn with basis vectors b1, b2) are reduced against each other, leaving a single short vector v0; then random vectors v1, ..., v5 on the full lattice are added and reduced against each other and against v0]
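The GaussSieve and ProGaussSieve steps above, as a runnable toy implementation added here; this is not code from the slides or from the authors' implementation. It assumes a small lattice, the 4-dimensional root lattice D4 (integer vectors with even coordinate sum, shortest nonzero vector of squared norm 2) given through a deliberately scrambled basis; it samples random lattice vectors as small integer combinations of the basis rows instead of with Klein's sampler; it stops a run after a fixed budget of fresh samples instead of a collision threshold; and it raises the rank one basis vector at a time, where the slides show one sublattice step followed by the full lattice. All function names (gauss_sieve, progressive_gauss_sieve, reduce_pair, make_sampler, scramble_basis, run_demo, in_d4) are this example's own.

```python
"""Toy GaussSieve and ProGaussSieve on the 4-dimensional root lattice D4.

Added example, not code from the slides or the authors' implementation. Assumptions: D4
(integer vectors with even coordinate sum; shortest nonzero vector has squared norm 2) is
given through a deliberately scrambled basis; random lattice vectors are small integer
combinations of the basis rows (a stand-in for Klein's sampler); a run stops after a fixed
budget of fresh samples rather than after a collision threshold.
"""
import random
from collections import Counter

D4_BASIS = [(1, -1, 0, 0), (0, 1, -1, 0), (0, 0, 1, -1), (0, 0, 1, 1)]  # rows have even sum

def norm_sq(v):
    return sum(x * x for x in v)

def in_d4(v):
    """Membership test for D4: integer coordinates with an even sum."""
    return all(isinstance(x, int) for x in v) and sum(v) % 2 == 0

def scramble_basis(basis, rng, steps=8):
    """Random row operations r_i += c * r_j (unimodular): same lattice, long skewed basis."""
    rows = [list(r) for r in basis]
    for _ in range(steps):
        i, j = rng.sample(range(len(rows)), 2)
        c = rng.choice([-3, -2, 2, 3])
        rows[i] = [a + c * b for a, b in zip(rows[i], rows[j])]
    return [tuple(r) for r in rows]

def make_sampler(basis, rng, coef=2):
    """Step 1: sample a nonzero lattice vector as a small integer combination of the basis."""
    def sample():
        while True:
            coeffs = [rng.randint(-coef, coef) for _ in basis]
            if any(coeffs):
                return tuple(sum(c * b[i] for c, b in zip(coeffs, basis))
                             for i in range(len(basis[0])))
    return sample

def reduce_pair(v, w):
    """Shorten v by the nearest-integer multiple of w, only if the integer norm strictly
    drops; that strict decrease is what guarantees the sieve terminates."""
    ww = norm_sq(w)
    if ww == 0:
        return v
    q = (2 * sum(a * b for a, b in zip(v, w)) + ww) // (2 * ww)  # round(<v,w> / <w,w>)
    cand = tuple(a - q * b for a, b in zip(v, w))
    return cand if norm_sq(cand) < norm_sq(v) else v

def gauss_sieve(sampler, n_samples, lst=None, stats=None):
    """Step 2: pop a vector from the stack (or sample a fresh one), reduce it against the
    list, then reduce the list against it; list vectors that got shorter go back on the
    stack. Returns the pairwise-reduced list; stats counts reductions and collisions."""
    lst, stack, samples = list(lst or []), [], 0
    stats = stats if stats is not None else Counter()
    while samples < n_samples or stack:
        if stack:
            v = stack.pop()
        else:
            v, samples = sampler(), samples + 1
        changed = True
        while changed:                        # reduce v against every list vector
            changed = False
            for w in lst:
                nv = reduce_pair(v, w)
                if nv != v:
                    v, changed = nv, True
                    stats["reductions"] += 1
        if norm_sq(v) == 0:                   # v collapsed onto an existing list vector
            stats["collisions"] += 1
            continue
        kept = []
        for w in lst:                         # reduce every list vector against v
            nw = reduce_pair(w, v)
            if nw == w:
                kept.append(w)
                continue
            stats["reductions"] += 1
            if norm_sq(nw) > 0:
                stack.append(nw)              # shortened vector is re-inserted later
            else:
                stats["collisions"] += 1
        lst = kept + [v]
    return lst

def progressive_gauss_sieve(basis, rng, samples_per_rank, start_rank=2, stats=None):
    """ProGaussSieve: sieve the sublattice spanned by the first k basis vectors, keep the
    short list, then raise k until the full lattice is reached (one rank at a time here)."""
    lst = []
    for k in range(start_rank, len(basis) + 1):
        lst = gauss_sieve(make_sampler(basis[:k], rng), samples_per_rank, lst, stats)
    return lst

def run_demo(seed=1):
    """Run both sieves on the same scrambled D4 basis; step 3 is the min() over each list."""
    rng = random.Random(seed)
    basis = scramble_basis(D4_BASIS, rng)
    std_stats, pro_stats = Counter(), Counter()
    std = min(gauss_sieve(make_sampler(basis, rng), 600, None, std_stats), key=norm_sq)
    pro = min(progressive_gauss_sieve(basis, rng, 200, 2, pro_stats), key=norm_sq)
    return {"basis": basis, "standard": std, "standard_norm_sq": norm_sq(std),
            "standard_stats": dict(std_stats), "progressive": pro,
            "progressive_norm_sq": norm_sq(pro), "progressive_stats": dict(pro_stats)}
```

Calling run_demo() returns the scrambled basis, the shortest vector each sieve found (squared norm 2 for D4) and the reduction and collision counts of each run. The progressive run first saturates a rank-2 sublattice, where the list is tiny and pair reductions are cheap, and carries that already short list into the higher ranks; the standard run has to reduce every long fresh sample against a full-rank list from the start. The counts in the two stats dictionaries make that difference visible on a lattice small enough to inspect by hand.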
SLIDE 55

Progressive sieving

Time complexities

[Plot: time (seconds, log scale from 0.1 to 10^5) against dimension d (40 to 80) for GaussSieve, HashSieve, ProGaussSieve and ProHashSieve (GaussSieve and ProGaussSieve marked ★). Fitted curves shown on the plot: 2^(0.52d-22), 2^(0.45d-20), 2^(0.49d-25), 2^(0.42d-22)]

SLIDES 56-57

Progressive sieving

Execution profiles (n = 70)

[Plots: four execution profiles of HashSieve versus ProHashSieve against the iteration count (1 to 7 million): time (500 to 3000 seconds), list size (20,000 to 80,000), lattice rank (30 to 70) and norm of the shortest vector found so far (2000 to 3000)]

SLIDE 58

Progressive sieving

Effects of basis reduction (n = 70)

Exact SVP                 GaussSieve                    HashSieve
                          LLL      BKZ-10   BKZ-30      LLL      BKZ-10   BKZ-30
Standard sieving          19100    18100    16500       3300     3050     2900
Progressive sieving       595      440      390         165      125      115
Speedup factor            32×      41×      42×         20×      24×      25×

Approximate SVP           GaussSieve                    HashSieve
(γ = 1.1)                 LLL      BKZ-10   BKZ-30      LLL      BKZ-10   BKZ-30
Standard sieving          18500    17200    15600       3180     2960     2700
Progressive sieving       120      40       3           65       20       2
Speedup factor            150×     400×     5000×       50×      150×     1000×

SLIDE 59

Conclusion

Progressive lattice sieving

  • Uses recursive approach (rank reduction)
  • Finds approximate solutions faster
  • Benefits more from reduced bases
  • Better predictability
  • Faster, using slightly less memory
  • No theoretical/asymptotic improvements...

      ◮ Best classical time: (3/2)^(n/2+o(n)) ≈ 2^(0.292n+o(n))
      ◮ Best quantum time: (13/9)^(n/2+o(n)) ≈ 2^(0.265n+o(n))

SLIDE 60

Questions?