Sieve, Enumerate, Slice, and Lift: Hybrid Lattice Algorithms for SVP - - PowerPoint PPT Presentation

Sieve, Enumerate, Slice, and Lift:

Hybrid Lattice Algorithms for SVP via CVPP

Emmanouil Doulgerakis, Thijs Laarhoven, and Benne de Weger

Technische Universiteit Eindhoven

July 2020

AfricaCrypt 2020, Cairo, Egypt

Outline

1

Introduction

2

Enumeration

3

The slicer algorithms

4

Hybrid algorithms

AfricaCrypt 2020 1

Outline

1

Introduction

2

Enumeration

3

The slicer algorithms

4

Hybrid algorithms

AfricaCrypt 2020 1

What is a lattice?

Definition

A lattice L is a discrete additive subgroup of Rn.

AfricaCrypt 2020 2

What is a lattice?

Definition

A lattice L is a discrete additive subgroup of Rn.

AfricaCrypt 2020 2

What is a lattice?

A lattice is an infinite grid of points in the n-dimensional space.

AfricaCrypt 2020 3

b1 b2 O

What is a lattice?

A lattice: The set of all integer linear combinations of some basis B where B = {b1, . . . , bn} ⊂ Rn.

AfricaCrypt 2020 3

b1 b2 O b3 b4

What is a lattice?

A lattice: The set of all integer linear combinations of some basis B where B = {b1, . . . , bn} ⊂ Rn. A lattice has many bases.

AfricaCrypt 2020 3

O

b1 b2 s

The Shortest Vector Problem (SVP)

Shortest Vector Problem (SVP)

Given an arbitrary basis for L, find a shortest non-zero vector s in L i.e. s = minv∈L\{0}v. We denote λ1(L) = minv∈L\{0}v.

AfricaCrypt 2020 4

b1 b2 t

The Closest Vector Problem (CVP)

Closest Vector Problem (CVP)

Given an arbitrary basis for L and a target vector t, find the closest lattice vector v in L such that t − v = d(t, L).

AfricaCrypt 2020 5

b1 b2 t v

The Closest Vector Problem (CVP)

Closest Vector Problem (CVP)

Given an arbitrary basis for L and a target vector t, find the closest lattice vector v in L such that t − v = d(t, L).

AfricaCrypt 2020 5

b1 b2 t

The Approximate Closest Vector Problem (CVPκ)

Approximate Closest Vector Problem (CVPκ)

Given an arbitrary basis for L, a target vector t and an approximation factor κ ≥ 1, find a lattice vector v in L such that t − v ≤ κd(t, L).

AfricaCrypt 2020 6

b1 b2 t v

The Closest Vector Problem with Pre-processing (CVPP)

The CVPP variant

Given an arbitrary basis for L, compute some pre-processing data such that when later given a target vector t, it will be ”easy” to solve the CVP for t.

AfricaCrypt 2020 7

Outline

1

Introduction

2

Enumeration

3

The slicer algorithms

4

Hybrid algorithms

AfricaCrypt 2020 8

Solving SVP

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L).

AfricaCrypt 2020 9

Solving SVP

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L). As s ∈ L then ∃x1, . . . , xn ∈ Z such that s = x1b1 + · · · + xnbn.

AfricaCrypt 2020 9

Solving SVP

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L). As s ∈ L then ∃x1, . . . , xn ∈ Z such that s = x1b1 + · · · + xnbn. We know that λ1(L) ≤ b1. Enumeration explores all the choices of the xi such that x1b1 + · · · + xnbn ≤ b1.

AfricaCrypt 2020 9

Enumeration tree (example)

−1 (−1, −1)(0, −1) (−1, 0) (0, 0) (1, 0) (−1, 1, 0)(0, 1, 0) . . . (1, 1, 0) 1 (0, 1) (1, 1) root bn bn−1 . . . b1

AfricaCrypt 2020 10

Enumeration costs in small depth

Lemma (Costs of enumeration HS07)

Let B be a strongly reduced basis of a lattice. Then the number of nodes Ek at depth k = o(n), k = n1−o(1), satisfies: Ek = nk/2+o(k). Enumerating all these nodes can be done in time Tenum and space Senum, with: Tenum = Ek · nO(1), Senum = nO(1).

AfricaCrypt 2020 11

Outline

1

Introduction

2

Enumeration

3

The slicer algorithms

4

Hybrid algorithms

AfricaCrypt 2020 12

b1 b2 t s

t′ O

Solving CVP(P)

We have t ∈ t + L and t′ = t − s so t′ ∈ t + L as well... It suffices to find t′.

AfricaCrypt 2020 13

t s

t′ O

r1 r2 r3 r4 r5 r6

The iterative slicer (ideal case)

Create a list L ⊆ L. Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t′.

AfricaCrypt 2020 14

t

O

r1 r2 r3 −4r1

The iterative slicer (ideal case)

Create a list L ⊆ L. Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t′.

AfricaCrypt 2020 15

t

O

r1 r2 r3 +3r2

The iterative slicer (ideal case)

Create a list L ⊆ L. Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t′.

AfricaCrypt 2020 15

t

O

r1 r2 r3 −2r1

The iterative slicer (ideal case)

Create a list L ⊆ L. Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t′.

AfricaCrypt 2020 15

t

O

r1 r2 r3 +r3

t′

The iterative slicer (ideal case)

Create a list L ⊆ L. Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t′.

AfricaCrypt 2020 15

t r1 r2 r3 r4

The iterative slicer (in practice)

Computing t′ correctly depends on the list L. Computing “the proper” list L is too costly. We can use approximations instead.

AfricaCrypt 2020 16

t r1 r2 r3 r4

The iterative slicer (in practice)

Computing t′ correctly depends on the list L. Computing “the proper” list L is too costly. We can use approximations instead. Disadvantage: We might get a wrong t′.

AfricaCrypt 2020 16

t r1 r2 r3 r4

The randomized slicer

Create a list L of lattice vectors (e.g. by running a sieving algorithm).

AfricaCrypt 2020 17

t1 t2 t3 t4 t5 r1 r2 r3 r4

The randomized slicer

Create a list L of lattice vectors (e.g. by running a sieving algorithm).

Randomize t sufficiently many times (as ti) and reduce it.

AfricaCrypt 2020 17

t1 t2 t3 t4 t5

The randomized slicer

Create a list L of lattice vectors (e.g. by running a sieving algorithm).

Randomize t sufficiently many times (as ti) and reduce it. Keep the shortest t′

i found as t′.

AfricaCrypt 2020 17

The randomized slicer algorithm

AfricaCrypt 2020 18

Costs of preprocessing

Lemma (Costs of lattice sieving BDGL16)

Given a basis B of a lattice L, the LDSieve heuristically returns a list L ⊂ L containing the (4/3)n/2+o(n) shortest lattice vectors, in time Tsieve and space Ssieve with: Tsieve = (3/2)n/2+o(n), Ssieve = (4/3)n/2+o(n). With the LDSieve we can therefore solve SVP with the above complexities.

AfricaCrypt 2020 19

Costs of the randomized slicer

Lemma (single target DLW20)

Given a list of the (4/3)n/2+o(n) shortest vectors of a lattice L and a target t ∈ Rn, the randomized slicer solves CVP for t in time Tslice and space Sslice, with: Tslice = 2ζn+o(n), Sslice = (4/3)n/2+o(n). In our case ζ = 0.2639 . . .

AfricaCrypt 2020 20

Costs of the randomized slicer

Lemma (many targets DLW20)

Given a list of the (4/3)n/2+o(n) shortest vectors of a lattice L and a batch

• f N ≥ (13/12)n/2+o(n) target vectors t1, . . . , tN ∈ Rn, the batched

randomized slicer solves CVP for all targets ti in total time Tslice and space Sslice, with: Tslice = N · (18/13)n/2+o(n), Sslice = (4/3)n/2+o(n).

AfricaCrypt 2020 21

Outline

1

Introduction

2

Enumeration

3

The slicer algorithms

4

Hybrid algorithms

AfricaCrypt 2020 22

Solving SVP via CVPP (Part 1)

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L).

AfricaCrypt 2020 23

Solving SVP via CVPP (Part 1)

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L). Choose 0 ≤ k ≤ n and split B as B = Bbot ∪ Btop where Bbot := {b1, . . . , bn−k} and Btop := {bn−k+1, . . . , bn}.

AfricaCrypt 2020 23

Solving SVP via CVPP (Part 1)

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L). Choose 0 ≤ k ≤ n and split B as B = Bbot ∪ Btop where Bbot := {b1, . . . , bn−k} and Btop := {bn−k+1, . . . , bn}. This partitions the lattice as L = Lbot ⊕ Ltop where Lbot := L(Bbot) and Ltop := L(Btop).

AfricaCrypt 2020 23

Solving SVP via CVPP (Part 1)

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L). Choose 0 ≤ k ≤ n and split B as B = Bbot ∪ Btop where Bbot := {b1, . . . , bn−k} and Btop := {bn−k+1, . . . , bn}. This partitions the lattice as L = Lbot ⊕ Ltop where Lbot := L(Bbot) and Ltop := L(Btop). As s ∈ L then ∃x1, . . . , xn ∈ Z such that s = x1b1 + · · · + xnbn.

AfricaCrypt 2020 23

Solving SVP via CVPP (Part 1)

Let L be a lattice with basis B = {b1, . . . , bn} ⊂ Rn. Question: Find s in L with s = λ1(L). Choose 0 ≤ k ≤ n and split B as B = Bbot ∪ Btop where Bbot := {b1, . . . , bn−k} and Btop := {bn−k+1, . . . , bn}. This partitions the lattice as L = Lbot ⊕ Ltop where Lbot := L(Bbot) and Ltop := L(Btop). As s ∈ L then ∃x1, . . . , xn ∈ Z such that s = x1b1 + · · · + xnbn. We can also split s as s = sbot + stop where sbot = x1b1 + · · · + xn−kbn−k ∈ Lbot and stop = xn−k+1bn−k+1 + · · · + xnbn ∈ Ltop.

AfricaCrypt 2020 23

Solving SVP via CVPP (Part 1)

−λbn . . . t1 t2 . . . . . . · · · . . . . . . . . . . . . ti · · · s · · · λbn . . . . . . · · · . . . . . . · · · tN · · · · · ·

root n

. . . . . .

1

Solving SVP via CVPP (Part 1)

−λbn . . . t1 t2 . . . . . . · · · . . . . . . . . . . . . ti · · · s · · · λbn . . . . . . · · · . . . . . . · · · tN · · · · · ·

root n

. . . . . .

1 n − k

AfricaCrypt 2020 24

Solving SVP via CVPP (Part 2)

We split s as s = sbot + stop where sbot = x1b1 + · · · + xn−kbn−k ∈ Lbot and stop = xn−k+1bn−k+1 + · · · + xnbn ∈ Ltop.

AfricaCrypt 2020 25

Solving SVP via CVPP (Part 2)

We split s as s = sbot + stop where sbot = x1b1 + · · · + xn−kbn−k ∈ Lbot and stop = xn−k+1bn−k+1 + · · · + xnbn ∈ Ltop. Two cases:

◮ If stop = 0 then s = SVP(Lbot). ◮ If stop = 0 then s = stop − CVP(Lbot, stop). AfricaCrypt 2020 25

Solving SVP via CVPP (Part 2)

We split s as s = sbot + stop where sbot = x1b1 + · · · + xn−kbn−k ∈ Lbot and stop = xn−k+1bn−k+1 + · · · + xnbn ∈ Ltop. Two cases:

◮ If stop = 0 then s = SVP(Lbot). ◮ If stop = 0 then s = stop − CVP(Lbot, stop).

The vector stop will be one of the vectors ti in the enumeration tree. We do not know in advance which one.

AfricaCrypt 2020 25

Solving SVP via CVPP (Part 2)

We split s as s = sbot + stop where sbot = x1b1 + · · · + xn−kbn−k ∈ Lbot and stop = xn−k+1bn−k+1 + · · · + xnbn ∈ Ltop. Two cases:

◮ If stop = 0 then s = SVP(Lbot). ◮ If stop = 0 then s = stop − CVP(Lbot, stop).

The vector stop will be one of the vectors ti in the enumeration tree. We do not know in advance which one. Solve CVP(Lbot, ti) for all ti ⇒ CVPP.

AfricaCrypt 2020 25

Solving SVP via CVPP (Part 2)

We split s as s = sbot + stop where sbot = x1b1 + · · · + xn−kbn−k ∈ Lbot and stop = xn−k+1bn−k+1 + · · · + xnbn ∈ Ltop. Two cases:

◮ If stop = 0 then s = SVP(Lbot). ◮ If stop = 0 then s = stop − CVP(Lbot, stop).

The vector stop will be one of the vectors ti in the enumeration tree. We do not know in advance which one. Solve CVP(Lbot, ti) for all ti ⇒ CVPP. Keep the shortest ti − CVP(Lbot, ti) as s.

AfricaCrypt 2020 25

Solving SVP via CVPP (Part 2)

−λbn . . . t1 t2 · · · . . . . . . . . . . . . ti ti+1 λbn . . . . . . · · · · · · tN · · · · · ·

root n

. . .

n − k

· · · · · ·

t1 − w1 t2 − w2 ti − wi ti+1 − wi+1 tN − wN where wi = CVP(Lbot, ti)

AfricaCrypt 2020 26

Hybrid 1 (sieve, enumerate–and–slice)

Step 1: Generate a list L ⊂ Lbot (running a lattice sieve on Lbot). Step 2: Run enumeration in Ltop, where for each leaf ti ∈ Ltop run the randomized slicer to find the closest vector CVP(ti) ∈ Lbot. Output the shortest vector ti − CVP(ti) found.

AfricaCrypt 2020 27

Hybrid 1 (sieve, enumerate–and–slice)

Step 1: Generate a list L ⊂ Lbot (running a lattice sieve on Lbot). Step 2: Run enumeration in Ltop, where for each leaf ti ∈ Ltop run the randomized slicer to find the closest vector CVP(ti) ∈ Lbot. Output the shortest vector ti − CVP(ti) found. Balancing and minimizing the costs between the two steps leads to a choice of k = αn/ log2 d where α < 0.0570.

AfricaCrypt 2020 27

Hybrid 1 (sieve, enumerate–and–slice)

Step 1: Generate a list L ⊂ Lbot (running a lattice sieve on Lbot). Step 2: Run enumeration in Ltop, where for each leaf ti ∈ Ltop run the randomized slicer to find the closest vector CVP(ti) ∈ Lbot. Output the shortest vector ti − CVP(ti) found. Balancing and minimizing the costs between the two steps leads to a choice of k = αn/ log2 d where α < 0.0570.

Proposition (Heuristic result 1)

Let be k as above and let T(n)

1

and S(n)

1

denote the overall time and space complexities of the sieve, enumerate–and–slice hybrid algorithm in dimension n. Then: T(n)

1

= T(n−k)

sieve · (1 + o(1)),

S(n)

1

= S(n−k)

sieve · (1 + o(1)).

AfricaCrypt 2020 27

Hybrid 2 (sieve, enumerate, slice)

Step 1: Generate a list L ⊂ Lbot (running a lattice sieve on Lbot). Step 2: Enumerate all nodes ti ∈ Ltop at depth k and store them in a list of targets T ⊂ Ltop. Step 3: Run the batched randomized slicer to solve CVP on Lbot for all targets ti ∈ T. Output the shortest vector ti − CVP(ti) found.

AfricaCrypt 2020 28

Hybrid 2 (sieve, enumerate, slice)

Step 1: Generate a list L ⊂ Lbot (running a lattice sieve on Lbot). Step 2: Enumerate all nodes ti ∈ Ltop at depth k and store them in a list of targets T ⊂ Ltop. Step 3: Run the batched randomized slicer to solve CVP on Lbot for all targets ti ∈ T. Output the shortest vector ti − CVP(ti) found.

Proposition (Heuristic result 2)

Let k = αn/ log2 n with α < log2( 13

12) = 0.1154 . . . .

Let T(n)

2

and S(n)

2

denote the overall time and space complexities of the batched sieve, enumerate, slice hybrid algorithm in dimension n. Then: T(n)

2

= T(n−k)

sieve · (1 + o(1)),

S(n)

2

= S(n−k)

sieve · (1 + o(1)).

AfricaCrypt 2020 28

Further Hybrids

A basis B could be partitioned as B = Bbot ∪ Bmid ∪ Btop. The three bases Bbot, Bmid, and Btop generate lattices Lbot, Lmid, Ltop such that L = Lbot ⊕ Lmid ⊕ Ltop.

AfricaCrypt 2020 29

Further Hybrids

A basis B could be partitioned as B = Bbot ∪ Bmid ∪ Btop. The three bases Bbot, Bmid, and Btop generate lattices Lbot, Lmid, Ltop such that L = Lbot ⊕ Lmid ⊕ Ltop. Step 1: Generate a list L ⊂ Lmid (running a lattice sieve on Lmid).

AfricaCrypt 2020 29

Further Hybrids

A basis B could be partitioned as B = Bbot ∪ Bmid ∪ Btop. The three bases Bbot, Bmid, and Btop generate lattices Lbot, Lmid, Ltop such that L = Lbot ⊕ Lmid ⊕ Ltop. Step 1: Generate a list L ⊂ Lmid (running a lattice sieve on Lmid). Step 2:

◮ Enumerate all nodes t ∈ Ltop. ◮ For each t run the slicer with the list L to find close vectors v ∈ Lmid. ◮ For each pair t, v add the vector t − v to an output list S. AfricaCrypt 2020 29

Further Hybrids

A basis B could be partitioned as B = Bbot ∪ Bmid ∪ Btop. The three bases Bbot, Bmid, and Btop generate lattices Lbot, Lmid, Ltop such that L = Lbot ⊕ Lmid ⊕ Ltop. Step 1: Generate a list L ⊂ Lmid (running a lattice sieve on Lmid). Step 2:

◮ Enumerate all nodes t ∈ Ltop. ◮ For each t run the slicer with the list L to find close vectors v ∈ Lmid. ◮ For each pair t, v add the vector t − v to an output list S.

Step 3: Extend each vector s′ ∈ S to a candidate solution s ∈ L by running Babai’s nearest plane algorithm. Output the shortest lifted vector.

AfricaCrypt 2020 29

Further Hybrids

This hybrid depends on

Assumption (Hybrid assumption)

The list S, output by the slicer, contains the 2(α+log2(16/13))·n/2+o(n) shortest lattice vectors of Lmid ⊕ Ltop.

AfricaCrypt 2020 30

Further Hybrids

This hybrid depends on

Assumption (Hybrid assumption)

The list S, output by the slicer, contains the 2(α+log2(16/13))·n/2+o(n) shortest lattice vectors of Lmid ⊕ Ltop. L´ eo Ducas and Wessel van Woerden later informed us that counterexamples can be found where S might only contain at most an exponentially small fraction of the shortest vectors of Lmid ⊕ Ltop.

AfricaCrypt 2020 30

O

Visualisation of the assumption

AfricaCrypt 2020 31

L1 L2 O

Visualisation of the assumption

Split L as L = L1 ⊕ L2.

AfricaCrypt 2020 31

L1 L2 O

t1 t2

Visualisation of the assumption

Split L as L = L1 ⊕ L2. Enumerate targets in L2.

AfricaCrypt 2020 31

L1 L2 O

t1 t2

Visualisation of the assumption

Split L as L = L1 ⊕ L2. Enumerate targets ti in L2. Randomise the ti using vectors in L1.

AfricaCrypt 2020 31

L1 L2 O

t1 t2

Visualisation of the assumption

Reduce all the randomised vectors by short vectors in L1.

AfricaCrypt 2020 31

L1 L2 O

t1 t2

Visualisation of the assumption

Reduce all the randomised vectors by short vectors in L1.

AfricaCrypt 2020 31

O S

Visualisation of the assumption

Reduce all the randomised vectors by short vectors in L1. Keep the resulting vectors as the set S.

AfricaCrypt 2020 31

Experimental results

AfricaCrypt 2020 31

Thank you!