quantum lattice enumeration and tweaking discrete pruning
play

Quantum Lattice Enumeration and Tweaking Discrete Pruning Yoshinori - PowerPoint PPT Presentation

Apr 04, 2024 •12 likes •232 views

Quantum Lattice Enumeration and Tweaking Discrete Pruning Yoshinori Aono Phong Q. Nguyen Yixin Shen ASIACRYPT 2018 Context NIST standardization of post-quantum cryptography: Need to convince security

  1. Quantum Lattice Enumeration and Tweaking Discrete Pruning Yoshinori Aono Phong Q. Nguyen Yixin Shen ASIACRYPT 2018

  2. Context NIST standardization of post-quantum cryptography: Need to convince security estimates for lattice-based cryptosystems (especially in the quantum setting) Typical attacks rely on a lattice reduction algorithm (BKZ) uses SVP as a subroutine Main approaches to solve SVP Sieving: time and space 2 O ( n ) 2 O ( n ) Best known classical heuristic time 2 0.292 n + o ( n ) SVP: the Shortest Vector Problem n: dim of the lattice Best known quantum heuristic time 2 0.265 n + o ( n ) Enumeration: time and poly(n) space 2 O ( n log( n )) Speed-up in quantum setting? 2/17

  3. Contribution Quasi-quadratic quantum speed-up for cylinder pruning and discrete pruning Optimizing discrete pruning preprocessing (open problem in [AN17]) 3/17

  4. What is a lattice? n ∑ L ( b 1 , ⋯ , b n ) = { x i b i | x i ∈ ℤ , ∀ 1 ≤ i ≤ n } i =1 ℝ n where is a basis of ( b 1 , ⋯ , b n ) ASIACRYPT 2018 4/17

  5. Enumeration Algorithm (*,...,*,*) x n =0 x n =-R/||b n* || x n =R/||b n* || : a centered n-dimension S ( R ) … … ball of radius R … (*,...,*,x n ) (*,...,*,x n ) Search for all vectors x=x 1 b 1 +x 2 b 2 …+x n b n in Xn-1 =… Xn-1 =0 Xn-1 =… S ( R ) Xn-1 =… Xn-1 =… … … :the orthogonal projection on π i (*,...,*,x n-1 ,x n ) (*,...,*,x n-1 ,x n )(*,...,*,x n-1 ,x n )(*,...,*,x n-1 ,x n ) (*,...,*,x n-1 ,x n ) 𝚝𝚚𝚋𝚘 ( b 1 , ⋯ , b i − 1 ) ⊥ Xn-2 =… Xn-2 =… x n , ⋯ , x i +1 Given , ∥ π i ( x ) ∥ ≤ R (*,...,*,x n-2 ,x n-1 ,x n )(*,...,*,x n-2 ,x n-1 ,x n ) … ⇒ x i the integer belongs to an (b 1* ,…b n *) Gram- Schmidt interval of small length. orthogonalization of (b 1 ,…,b n ) Leaf (x 1 ,...,x n-1 ,x n ) 5/17

  6. Quantum Speed-up for Enumeration Implicit in [Alkim et al 2016] [Alkim et al 2017] [del Pino et al 2016] Quantum backtracking [Montanaro 2015]: A tree of size T, of depth n, of constant max degree, with marked nodes A blackbox which specifies the local structure of the tree ⇒ queries for finding a marked node O *( T ) Application to the previous enumeration algorithm: ( Quantum Lattice Enumeration ) Difficulties: If the basis is only LLL-reduced, max degree can be 2 O(n) Idea: Transform the tree into a binary one ⇒ time for finding one vector in L ∩ S ( R ) O *( T ) ⇒ time for finding all vectors in L ∩ S ( R ) O *(#( L ∩ S ( R )) T ) 6/17

  7. Enumeration with Pruning [ScEu94, ScHo95, GNR10] 7/17

  8. Enumeration with Pruning [ScEu94, ScHo95, GNR10] Previous Enumeration algorithm: Running-time depends on the quality of the basis Running-time typically superexponential, much larger than #(L ∩ S(R)). 7/17

  9. Enumeration with Pruning [ScEu94, ScHo95, GNR10] Previous Enumeration algorithm: Running-time depends on the quality of the basis Running-time typically superexponential, much larger than #(L ∩ S(R)). Enumeration with Pruning: a pruning set P ⊆ ℝ n Search only the vectors in L ∩ S(R) ∩ P Pros: Enumerating Tree L ∩ S(R) ∩ P can be much smaller than the one of L ∩ S(R) Cons: Maybe L ∩ S(R) ∩ P= ∅ 7/17

  10. Extreme Pruning [GNR10] Repeat until a vector is found Generate a « random » basis and a pruning set P based on it Enumeration (L ∩ S(R) ∩ P) Even if Pr(L ∩ S(R) ∩ P ≠ ∅ ) is tiny, what matters is the trade-off: Cost( Enumeration (L ∩ S(R) ∩ P))/Pr(L ∩ S(R) ∩ P ≠ ∅ ) 8/17

  11. Cylinder Pruning [ScEu94, ScHo95, GNR10] (*,...,*,*) x n =0 x n =R/||b n* || x n =-R/||b n* || … (*,...,*,x n ) (*,...,*,x n ) Xn-1 Xn-1 Xn-1 Xn-1 Xn-1 (*,...,*,x n-1 ,x n ) (*,...,*,x n-1 ,x n )(*,...,*,x n-1 ,x n )(*,...,*,x n-1 ,x n ) (*,...,*,x n-1 ,x n ) Xn-2 Xn-2 (*,...,*,x n-2 ,x n-1 ,x n ) (*,...,*,x n-2 ,x n-1 ,x n ) ∥ π i ( x ) ∥ ≤ R ∥ π i ( x ) ∥ ≤ R i R Each level … where 0 < R i ≤ 1 (x 1 ,...,x n-1 ,x n ) Leaf 9/17

  12. Cylinder Pruning [ScEu94, ScHo95, GNR10] (*,...,*,*) x n =0 x n =R/||b n* || x n =-R/||b n* || … (*,...,*,x n ) (*,...,*,x n ) Xn-1 Xn-1 Xn-1 Xn-1 Xn-1 (*,...,*,x n-1 ,x n ) (*,...,*,x n-1 ,x n )(*,...,*,x n-1 ,x n )(*,...,*,x n-1 ,x n ) (*,...,*,x n-1 ,x n ) Xn-2 Xn-2 (*,...,*,x n-2 ,x n-1 ,x n ) (*,...,*,x n-2 ,x n-1 ,x n ) ∥ π i ( x ) ∥ ≤ R ∥ π i ( x ) ∥ ≤ R i R Each level … where 0 < R i ≤ 1 (x 1 ,...,x n-1 ,x n ) Leaf 9/17

  13. Quantum Speed-up for Cylinder Pruning n − 1 2 λ 1 ( L ) In practice, L is an integer lattice. The basis is LLL-reduced R = ∥ b 1 ∥ ≤ 2 Quantum Lattice Enumeration on the truncated tree: time for finding one vector L ∩ S(R) ∩ P, if it’s not empty → O *( T ) + dichotomy on R time for finding the shortest vector in L ∩ S(R) ∩ P, if it’s not empty → O *( T ) 10/17

  14. Quantum Speed-up for Cylinder Pruning n − 1 2 λ 1 ( L ) In practice, L is an integer lattice. The basis is LLL-reduced R = ∥ b 1 ∥ ≤ 2 Quantum Lattice Enumeration on the truncated tree: time for finding one vector L ∩ S(R) ∩ P, if it’s not empty → O *( T ) + dichotomy on R time for finding the shortest vector in L ∩ S(R) ∩ P, if it’s not empty → O *( T ) Extreme Cylinder Pruning : Given m LLL-reduced bases of the same lattice, T 1 ,…,T m the m corresponding enumeration tree sizes, time for finding the shortest vector among all ∑ O *( T i ) i =1 the pruning sets. 10/17

  15. Discrete Pruning [AN 2017] ℝ n = ∪ t =( t 1 , ⋯ , t n ) ∈ℤ n C ( t ) Lattice partition: 1 cell<-> 1 lattice vector Two examples: Babai’s partition The natural partition The pruning set: P = ∪ t ∈ U C ℕ ( t ), U ⊂ ℤ n , | U | = 𝚚𝚙𝚖𝚣 ( n ) ⋅ M 11/17

  16. Discrete Pruning [AN17] Step 1: Find the pruning set f ( t i ) = t 2 n 4 + t i 4 + 1 i ∑ Find approximatively M best cells minimizing where i ∥ 2 f ( t i ) ∥ b * 12 i =1 n Roughly, the smaller , the shorter the vector x inside ∑ i ∥ 2 C ℕ ( t ) f ( t i ) ∥ b * i =1 n Equivalent to find R such that #Solutions of is close to M. i ∥ 2 ≤ R ∑ f ( t i ) ∥ b * i =1 Step 2: Find the shortest vector among these cells Step 2 can also be seen as a depth-first search of a tree. 1 lattice vector <-> 1 cell 12/17

  17. Quantum Speed-up for Discrete Pruning n i ∥ 2 ≤ R Step 1: Find R such that #Sol of is close to M (up to poly(n) factor). ∑ f ( t i ) ∥ b * i =1 TreeSizeEstimation [Ambainis and Kokainis 2017]: A blackbox which specifies the local structure of the tree An estimation T of #nodes, δ : precision parameter queries to give an estimate of #nodes within δ precision when T ≤ #nodes, or output → O *( T ) T>#nodes 12 ) ∥ b * i =1 ( n n n t 2 4 + t i 4 + 1 i ∥ 2 → C ∑ ∑ i ∑ ( t 2 i + t i ) ∥ b * i ∥ 2 Additional tweak: f ( t i ) ∥ b * i ∥ = i =1 i =1 Consequence: linear relation between #nodes and #leaves By dichotomy, we can find R such that M ≤ #Sol ≤ 32n ² M in time. O *( M ) 13/17

  18. ⃗ Quantum Speed-up for Discrete Pruning n Step 2: Find the shortest vector among the cells corresponding to leaves satisfying i ∥ 2 ≤ R ∑ ( t 2 i + t i ) ∥ C b * i =1 Same as before: Quantum backtracking + binary tree transformation + dichotomy Step 1+ Step 2 In total, time to find a shortest non-zero vector in L ∩ P O *( M ) 14/17

  19. ⃗ ⃗ Quantum Speed-up for Discrete Pruning n Step 2: Find the shortest vector among the cells corresponding to leaves satisfying i ∥ 2 ≤ R ∑ ( t 2 i + t i ) ∥ C b * i =1 Same as before: Quantum backtracking + binary tree transformation + dichotomy Step 1+ Step 2 In total, time to find a shortest non-zero vector in L ∩ P O *( M ) Extreme Discrete Pruning : Given m LLL-reduced bases of the same lattice, we can find a R n i ∥ 2 ≤ R such that the total number of cells such that at least one is satisfied is close to ∑ ( t 2 i + t i ) ∥ C b * i =1 M, then find the shortest non-zero vector inside these cells. times in total → O *( M ) 14/17

  20. Our results In this talk: Quasi-quadratic speed-up for both cylinder and discrete pruning for SVP (for integer lattice) Speed-up applicable in the extreme pruning setting In the paper: Quasi-quadratic speed-up for cylinder pruning for CVP (same as for SVP) Tweak which adapts discrete pruning to CVP Quasi-quadratic speed-up for discrete pruning for CVP when the target has integer coordinates 15/17

  21. Revisiting Q-sieve vs Q-enum quasi-HKZ bases Rankin bases Complexity: , N: upper bound of the number of nodes of enumeration with extreme pruning # bases * N with probability 1/#bases [ANSS18] Quantum enumeration with extreme pruning would be faster than quantum sieve up to higher dimensions than previously thought! Our results affect the security estimates of between 11 and 17 NIST submissions. 16/17

  22. Thank you for your attention! 17/17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Random Sampling Revisited: Lattice Enumeration with Discrete Pruning Yoshinori Aono

Random Sampling Revisited: Lattice Enumeration with Discrete Pruning Yoshinori Aono

Random Sampling Revisited: Lattice Enumeration with Discrete Pruning Yoshinori Aono Phong Nguy n Summary Motivation Lattices, Enumeration and Pruning Enumeration with Discrete Pruning Motivation Context Needs: convincing

457 views • 43 slides
Lower Bounds on Lattice Enumeration with Extreme Pruning Yoshinori Aono Phong Nguyn Takenobu

Lower Bounds on Lattice Enumeration with Extreme Pruning Yoshinori Aono Phong Nguyn Takenobu

Title Lower Bounds on Lattice Enumeration with Extreme Pruning Yoshinori Aono Phong Nguyn Takenobu Seito Junji Shikata @Crypto2018, Santa Barbara, 20, Aug. *The views expressed in this talk do not necessarily reflect the official views of

492 views • 28 slides
Simulating Quantum Chromodynamics coupled with Quantum Electromagnetics on the lattice Yuzhi Liu

Simulating Quantum Chromodynamics coupled with Quantum Electromagnetics on the lattice Yuzhi Liu

Simulating Quantum Chromodynamics coupled with Quantum Electromagnetics on the lattice Yuzhi Liu Indiana University liuyuz@indiana.edu Fermilab Lattice and MILC Collaborations The 36th Annual International Symposium on Lattice Field Theory

460 views • 25 slides
Integer Programming and Lattice Point Enumeration Seminar Mathematical Software, Prof.

Integer Programming and Lattice Point Enumeration Seminar Mathematical Software, Prof.

Introduction and Definitions LattE and Barvinoks algorithm Calculating the Hilbert basis using 4ti2 Integer Programming and Lattice Point Enumeration Seminar Mathematical Software, Prof. Komei Fukuda Christoph Glanzer November 25,

884 views • 31 slides
Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o ( k ) Martin R. Albrecht 1 , Shi Bai 2 , Pierre-Alain Fouque 3 , Paul Kirchner 3 , Damien Stehl 4 and Weiqiang Wen 3 1 Royal Holloway, University of

985 views • 50 slides
Tamari lattice, Intervals, and Enumeration Guillaume Chapuy, LIAFA (Paris) Mireille Bousquet-M

Tamari lattice, Intervals, and Enumeration Guillaume Chapuy, LIAFA (Paris) Mireille Bousquet-M

Tamari lattice, Intervals, and Enumeration Guillaume Chapuy, LIAFA (Paris) Mireille Bousquet-M elou LaBRI (Bordeaux) Louis-Fran cois Pr eville-Ratelle IMAFI (Talca) pour le GT-ALEA, Journ ees du GDR-IM, Lyon. 2013 Introduction

1.01k views • 63 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
Periodic quantum graphs in magnetic fields Differential Operators on Graphs and Waveguides

Periodic quantum graphs in magnetic fields Differential Operators on Graphs and Waveguides

Periodic quantum graphs in magnetic fields Differential Operators on Graphs and Waveguides Graz 2019 Simon Becker Cambridge Consider a lattice Z 2 or the honeycomb lattice. Consider a lattice Z 2 or the honeycomb lattice. We study quantum

1.03k views • 69 slides
Simulating quantum field theory with a quantum computer John Preskill Lattice 2018 28 July 2018

Simulating quantum field theory with a quantum computer John Preskill Lattice 2018 28 July 2018

Simulating quantum field theory with a quantum computer John Preskill Lattice 2018 28 July 2018 This talk has two parts (1) Near-term prospects for quantum computing. (2) Opportunities in quantum simulation of quantum field theory. Exascale

603 views • 38 slides
Pruning for Cropload Management and Productivity 2013 Winter Pruning Workshop Dr. Mercy

Pruning for Cropload Management and Productivity 2013 Winter Pruning Workshop Dr. Mercy

Pruning for Cropload Management and Productivity 2013 Winter Pruning Workshop Dr. Mercy Olmstead, UF/IFAS Pruning Principles for Orchards Pruning: Develops strong tree structure Thins buds to achieve yields of high quality fruit

781 views • 23 slides
Properties of - //the leaf node (terminal state) ) 9 ( The - algorithm //the leaf

Properties of - //the leaf node (terminal state) ) 9 ( The - algorithm //the leaf

G Game Playing Pl i - Pruning Pruning Introduction to Artificial Intelligence Hadi Moradi 1 2. - pruning: search cutoff Pruning: eliminating a branch of the search tree from consideration without exhaustive examination

825 views • 67 slides
About the course From the CSE catalog: CSE 321 Discrete Structures (4) CSE 321 Discrete

About the course From the CSE catalog: CSE 321 Discrete Structures (4) CSE 321 Discrete

About the course From the CSE catalog: CSE 321 Discrete Structures (4) CSE 321 Discrete Structures Fundamentals of set theory, graph theory, enumeration, and algebraic structures, with applications in computing. Prerequisite: CSE

214 views • 3 slides
NETWORK MODELS FOR THE QUANTUM HALL EFFECT AND ITS GENERALISATIONS John Chalker Physics

NETWORK MODELS FOR THE QUANTUM HALL EFFECT AND ITS GENERALISATIONS John Chalker Physics

NETWORK MODELS FOR THE QUANTUM HALL EFFECT AND ITS GENERALISATIONS John Chalker Physics Department, Oxford University Outline Network models Quantum lattice models for single-particle systems with disorder Symmetry classes Discrete

465 views • 13 slides
BASICS Natural Target Pruning Terminology and Tools Reasons for Pruning Fruit Trees

BASICS Natural Target Pruning Terminology and Tools Reasons for Pruning Fruit Trees

FRUIT TREE PRUNING BASICS Natural Target Pruning Terminology and Tools Reasons for Pruning Fruit Trees Pruning for structural strength, tree health, fruit production and size Traditional pruning methods have frequently emphasized

839 views • 57 slides
Efficient approaches to multidimensional quantum dynamics: Dynamical pruning in phase, position

Efficient approaches to multidimensional quantum dynamics: Dynamical pruning in phase, position

Efficient approaches to multidimensional quantum dynamics: Dynamical pruning in phase, position and configuration space Henrik R. Larsson April 20, 2018 Group Prof. Hartke / Christiana Albertina University of Kiel, Germany Group Prof.

318 views • 30 slides
QUANTUM INFORMATION METHODS FOR LATTICE GAUGE THEORIES EREZ ZOHAR a Theory Group, Max Planck

QUANTUM INFORMATION METHODS FOR LATTICE GAUGE THEORIES EREZ ZOHAR a Theory Group, Max Planck

Next Steps in Quantum Science for HEP, Fermilab, September 2018 QUANTUM INFORMATION METHODS FOR LATTICE GAUGE THEORIES EREZ ZOHAR a Theory Group, Max Planck Institute of Quantum Optics (MPQ) Max Planck Harvard Quantum Optics Research Center

1.37k views • 75 slides
The Parameterized Complexity of Finding Point Sets with Hereditary Properties David Eppstein

The Parameterized Complexity of Finding Point Sets with Hereditary Properties David Eppstein

The Parameterized Complexity of Finding Point Sets with Hereditary Properties David Eppstein University of California, Irvine Daniel Lokshtanov University of Bergen University of California, Santa Barbara 13th International Conference on

535 views • 16 slides
Global theory of one-frequency Schr odinger operators Artur Avila CNRS and IMPA August 21,

Global theory of one-frequency Schr odinger operators Artur Avila CNRS and IMPA August 21,

Dynamical motivation Quasiperiodic Schr odinger operators Global theory Global theory of one-frequency Schr odinger operators Artur Avila CNRS and IMPA August 21, 2012 Artur Avila Global theory of one-frequency Schr odinger

835 views • 37 slides
The Theory of Statistical Comparison with Applications in Quantum Information Science Francesco

The Theory of Statistical Comparison with Applications in Quantum Information Science Francesco

The Theory of Statistical Comparison with Applications in Quantum Information Science Francesco Buscemi (Nagoya University) buscemi@is.nagoya-u.ac.jp Tutorial Lecture for AQIS2016 Academia Sinica, Taipei, Taiwan 28 August 2016 these slides are

538 views • 26 slides
Combinatorial invariants and weak equivalence Clinton T. Conley, Cornell University Set Theory

Combinatorial invariants and weak equivalence Clinton T. Conley, Cornell University Set Theory

Combinatorial invariants and weak equivalence Clinton T. Conley, Cornell University Set Theory Special Session ASL 2012 North American Annual Meeting University of Wisconsin, April 2, 2012 Part I Introduction I. Introduction Introduction

268 views • 23 slides
On a class of Polish-like spaces Claudio Agostini Universit degli Studi di Torino 03 February

On a class of Polish-like spaces Claudio Agostini Universit degli Studi di Torino 03 February

On a class of Polish-like spaces Claudio Agostini Universit degli Studi di Torino 03 February 2020 Joint work with Luca Motto Ros Claudio Agostini (Univ. Torino) -DST spaces 03 February 2020 1 / 14 The starting point From classical to

984 views • 40 slides
Constraints, Symmetry, and Complexity Part 2 Andrei Krokhin Andrei Krokhin Constraints,

Constraints, Symmetry, and Complexity Part 2 Andrei Krokhin Andrei Krokhin Constraints,

Constraints, Symmetry, and Complexity Part 2 Andrei Krokhin Andrei Krokhin Constraints, Symmetry, and Complexity Mantra Symmetries of solution spaces are relevant for complexity Lack of symmetries hardness Symmetries efficient

1.27k views • 99 slides
NEMO Basic Support Protocol NEMO Design Team Vijay Devarapalli (NOKIA) Ryuji Wakikawa

NEMO Basic Support Protocol NEMO Design Team Vijay Devarapalli (NOKIA) Ryuji Wakikawa

NEMO Basic Support Protocol NEMO Design Team Vijay Devarapalli (NOKIA) Ryuji Wakikawa (Keio/WIDE) Alexandru Petrescu (Motorola) Pascal Thubert (Cisco Systems) IETF 57th NEMO WG NEMO Basic Support draft is out Design Team was formed

269 views • 11 slides
Noisy Quantum Measurements: a nuisance or fundamental physics? Wolfgang Belzig Universitt

Noisy Quantum Measurements: a nuisance or fundamental physics? Wolfgang Belzig Universitt

Noisy Quantum Measurements: a nuisance or fundamental physics? Wolfgang Belzig Universitt Konstanz Conference on Quantum Measurement: Fundamentals, Twists, and ApplicaBons ICTP Triest, 2019 Content Quantum measurement: projection and

419 views • 39 slides

More recommend