sieve enumerate slice and lift
play

Sieve, Enumerate, Slice, and Lift: Hybrid Lattice Algorithms for SVP - PowerPoint PPT Presentation

Nov 30, 2023 •542 likes •1.25k views

Sieve, Enumerate, Slice, and Lift: Hybrid Lattice Algorithms for SVP via CVPP Emmanouil Doulgerakis, Thijs Laarhoven, and Benne de Weger Technische Universiteit Eindhoven July 2020 AfricaCrypt 2020, Cairo, Egypt Outline Introduction 1

  1. Sieve, Enumerate, Slice, and Lift: Hybrid Lattice Algorithms for SVP via CVPP Emmanouil Doulgerakis, Thijs Laarhoven, and Benne de Weger Technische Universiteit Eindhoven July 2020 AfricaCrypt 2020, Cairo, Egypt

  2. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 1

  3. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 1

  4. What is a lattice? Definition A lattice L is a discrete additive subgroup of R n . AfricaCrypt 2020 2

  5. What is a lattice? Definition A lattice L is a discrete additive subgroup of R n . AfricaCrypt 2020 2

  6. What is a lattice? A lattice is an infinite grid of points in the n -dimensional space. AfricaCrypt 2020 3

  7. What is a lattice? A lattice: The set of all integer linear combinations of some basis B where B = { b 1 , . . . , b n } ⊂ R n . b 2 b 1 O AfricaCrypt 2020 3

  8. What is a lattice? A lattice: The set of all integer linear combinations of some basis B where B = { b 1 , . . . , b n } ⊂ R n . A lattice has many bases. b 2 b 4 b 3 b 1 O AfricaCrypt 2020 3

  9. The Shortest Vector Problem (SVP) Shortest Vector Problem (SVP) Given an arbitrary basis for L , find a shortest non-zero vector s in L i.e. � s � = min v ∈L\{ 0 } � v � . We denote λ 1 ( L ) = min v ∈L\{ 0 } � v � . b 2 b 1 s O AfricaCrypt 2020 4

  10. The Closest Vector Problem (CVP) Closest Vector Problem (CVP) Given an arbitrary basis for L and a target vector t , find the closest lattice vector v in L such that � t − v � = d ( t , L ). b 2 b 1 t AfricaCrypt 2020 5

  11. The Closest Vector Problem (CVP) Closest Vector Problem (CVP) Given an arbitrary basis for L and a target vector t , find the closest lattice vector v in L such that � t − v � = d ( t , L ). b 2 b 1 t v AfricaCrypt 2020 5

  12. The Approximate Closest Vector Problem (CVP κ ) Approximate Closest Vector Problem (CVP κ ) Given an arbitrary basis for L , a target vector t and an approximation factor κ ≥ 1, find a lattice vector v in L such that � t − v � ≤ κ d ( t , L ). b 2 b 1 t AfricaCrypt 2020 6

  13. The Closest Vector Problem with Pre-processing (CVPP) The CVPP variant Given an arbitrary basis for L , compute some pre-processing data such that when later given a target vector t , it will be ”easy” to solve the CVP for t . b 2 t v b 1 AfricaCrypt 2020 7

  14. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 8

  15. Solving SVP Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). AfricaCrypt 2020 9

  16. Solving SVP Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). As s ∈ L then ∃ x 1 , . . . , x n ∈ Z such that s = x 1 b 1 + · · · + x n b n . AfricaCrypt 2020 9

  17. Solving SVP Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). As s ∈ L then ∃ x 1 , . . . , x n ∈ Z such that s = x 1 b 1 + · · · + x n b n . We know that λ 1 ( L ) ≤ � b 1 � . Enumeration explores all the choices of the x i such that � x 1 b 1 + · · · + x n b n � ≤ � b 1 � . AfricaCrypt 2020 9

  18. Enumeration tree (example) root 0 b n − 1 0 1 ( − 1 , − 1)(0 , − 1) ( − 1 , 0) (0 , 0) (1 , 0) (0 , 1) (1 , 1) b n − 1 . ( − 1 , 1 , 0)(0 , 1 , 0) (1 , 1 , 0) . . . . . b 1 AfricaCrypt 2020 10

  19. Enumeration costs in small depth Lemma (Costs of enumeration HS07) Let B be a strongly reduced basis of a lattice. Then the number of nodes E k at depth k = o ( n ) , k = n 1 − o (1) , satisfies: E k = n k / 2+ o ( k ) . Enumerating all these nodes can be done in time T enum and space S enum , with: T enum = E k · n O (1) , S enum = n O (1) . AfricaCrypt 2020 11

  20. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 12

  21. Solving CVP(P) We have t ∈ t + L and t ′ = t − s so t ′ ∈ t + L as well... It suffices to find t ′ . b 2 t ′ b 1 t O s AfricaCrypt 2020 13

  22. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 t ′ t r 6 r 4 O s r 5 AfricaCrypt 2020 14

  23. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 t O − 4 r 1 AfricaCrypt 2020 15

  24. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 t O +3 r 2 AfricaCrypt 2020 15

  25. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 − 2 r 1 t O AfricaCrypt 2020 15

  26. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 + r 3 t ′ t O AfricaCrypt 2020 15

  27. The iterative slicer (in practice) Computing t ′ correctly depends on the list L . Computing “the proper” list L is too costly. We can use approximations instead. r 1 r 2 r 3 r 4 t AfricaCrypt 2020 16

  28. The iterative slicer (in practice) Computing t ′ correctly depends on the list L . Computing “the proper” list L is too costly. We can use approximations instead. Disadvantage: We might get a wrong t ′ . r 1 r 2 r 3 r 4 t AfricaCrypt 2020 16

  29. The randomized slicer Create a list L of lattice vectors (e.g. by running a sieving algorithm). r 1 r 2 r 3 r 4 t AfricaCrypt 2020 17

  30. The randomized slicer Create a list L of lattice vectors (e.g. by running a sieving algorithm). Randomize t sufficiently many times (as t i ) and reduce it. t 3 t 2 r 1 r 2 t 4 r 3 r 4 t 1 t 5 AfricaCrypt 2020 17

  31. The randomized slicer Create a list L of lattice vectors (e.g. by running a sieving algorithm). Randomize t sufficiently many times (as t i ) and reduce it. Keep the shortest t ′ i found as t ′ . t 3 t 2 t 4 t 1 t 5 AfricaCrypt 2020 17

  32. The randomized slicer algorithm AfricaCrypt 2020 18

  33. Costs of preprocessing Lemma (Costs of lattice sieving BDGL16) Given a basis B of a lattice L , the LDSieve heuristically returns a list L ⊂ L containing the (4 / 3) n / 2+ o ( n ) shortest lattice vectors, in time T sieve and space S sieve with: T sieve = (3 / 2) n / 2+ o ( n ) , S sieve = (4 / 3) n / 2+ o ( n ) . With the LDSieve we can therefore solve SVP with the above complexities. AfricaCrypt 2020 19

  34. Costs of the randomized slicer Lemma (single target DLW20) Given a list of the (4 / 3) n / 2+ o ( n ) shortest vectors of a lattice L and a target t ∈ R n , the randomized slicer solves CVP for t in time T slice and space S slice , with: T slice = 2 ζ n + o ( n ) , S slice = (4 / 3) n / 2+ o ( n ) . In our case ζ = 0 . 2639 . . . AfricaCrypt 2020 20

  35. Costs of the randomized slicer Lemma (many targets DLW20) Given a list of the (4 / 3) n / 2+ o ( n ) shortest vectors of a lattice L and a batch of N ≥ (13 / 12) n / 2+ o ( n ) target vectors t 1 , . . . , t N ∈ R n , the batched randomized slicer solves CVP for all targets t i in total time T slice and space S slice , with: T slice = N · (18 / 13) n / 2+ o ( n ) , S slice = (4 / 3) n / 2+ o ( n ) . AfricaCrypt 2020 21

  36. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 22

  37. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). AfricaCrypt 2020 23

  38. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). Choose 0 ≤ k ≤ n and split B as B = B bot ∪ B top where B bot := { b 1 , . . . , b n − k } and B top := { b n − k +1 , . . . , b n } . AfricaCrypt 2020 23

  39. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). Choose 0 ≤ k ≤ n and split B as B = B bot ∪ B top where B bot := { b 1 , . . . , b n − k } and B top := { b n − k +1 , . . . , b n } . This partitions the lattice as L = L bot ⊕ L top where L bot := L ( B bot ) and L top := L ( B top ). AfricaCrypt 2020 23

  40. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). Choose 0 ≤ k ≤ n and split B as B = B bot ∪ B top where B bot := { b 1 , . . . , b n − k } and B top := { b n − k +1 , . . . , b n } . This partitions the lattice as L = L bot ⊕ L top where L bot := L ( B bot ) and L top := L ( B top ). As s ∈ L then ∃ x 1 , . . . , x n ∈ Z such that s = x 1 b 1 + · · · + x n b n . AfricaCrypt 2020 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Slices Chapter 10 SL1 Program slice What is a program slice? SL2 Program slice

Slices Chapter 10 SL1 Program slice What is a program slice? SL2 Program slice

Slices Chapter 10 SL1 Program slice What is a program slice? SL2 Program slice Informally What is a program slice? A program slice is a set of program statements that contributes to or affects the value of a variable at

517 views • 18 slides
Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis!

Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis!

Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis! Vaccine!efficacy!versus!par*cular!pathogen!strains! Sieve!effects!and!other!effects! Some!immunological!considera*ons!

383 views • 15 slides
The Time Slice Axiom in Perturbative Quantum Field Theory Klaus Fredenhagen 1 II. Institut f

The Time Slice Axiom in Perturbative Quantum Field Theory Klaus Fredenhagen 1 II. Institut f

Introduction Time slice axiom for a free scalar field The algebra of Wick polynomials Time slice axiom for Wick polynomials Time slice axiom for interacting field theories Conclusions and Outlook The Time Slice Axiom in Perturbative Quantum

228 views • 18 slides
1 Multi-Slice CT Multi-Slice CT Wider beam widths Thinner slices and more of them Z -

1 Multi-Slice CT Multi-Slice CT Wider beam widths Thinner slices and more of them Z -

Multi-Slice CT Image quality and capability increasing The impact of MDCT on optimisation and 2006 quality assurance of CT scanners < 0.4s rotation 64 x 0.5 mm slices Dose S. Edyvean Imaging Performance Assessment

605 views • 14 slides
Lift Introduction to Aeronautical Engineering Ir. Jos Sinke Cyron - CC - BY Lift equation Lift

Lift Introduction to Aeronautical Engineering Ir. Jos Sinke Cyron - CC - BY Lift equation Lift

Lift Introduction to Aeronautical Engineering Ir. Jos Sinke Cyron - CC - BY Lift equation Lift is given by: L J. Scavini - CC - BY - SA Lift equation Lift is given by: L What is the unit of C L ? J. Scavini - CC - BY - SA Lift

684 views • 16 slides
GAS LIFT IN NEW FIELDS John Martinez Gas Lift for New Fields ASME/API/ISO Gas Lift Workshop

GAS LIFT IN NEW FIELDS John Martinez Gas Lift for New Fields ASME/API/ISO Gas Lift Workshop

ASME/API/ISO Gas Lift Workshop Doha 2007 GAS LIFT IN NEW FIELDS John Martinez Gas Lift for New Fields ASME/API/ISO Gas Lift Workshop Doha 2007 GAS LIFT in NEW FIELDS NEW DESIGN FOR WELLS AND COMPRESSORS RESERVOIR AND

224 views • 9 slides
PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE SIEVE OF ERATOSTHENES

PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE SIEVE OF ERATOSTHENES

26 07 2015 PARALLEL AND DISTRIBUTED ALGORITHMS BY DEBDEEP MUKHOPADHYAY AND ABHISHEK SOMANI http://cse.iitkgp.ac.in/~debdeep/courses_iitkgp/PAlgo/index.htm PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE

468 views • 11 slides
JBP V LIFT Radically New Approach for Anti Aging Treatment What is JBP V Lift ? PDO

JBP V LIFT Radically New Approach for Anti Aging Treatment What is JBP V Lift ? PDO

JBP V LIFT Radically New Approach for Anti Aging Treatment What is JBP V Lift ? PDO (Polydioxanone) Embedding therapy needle with absorbable suture (PDO) Injecting several dozen of needles on cheeks one by one. After pulling

859 views • 9 slides
Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of

Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of

Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation The number-field sieve Goal: Find

435 views • 25 slides
Lift: Primitives for Hybrid CPU + GPU Computing Nuno Subtil nuno.subtil@roche.com Lift in One

Lift: Primitives for Hybrid CPU + GPU Computing Nuno Subtil nuno.subtil@roche.com Lift in One

Lift: Primitives for Hybrid CPU + GPU Computing Nuno Subtil nuno.subtil@roche.com Lift in One Slide https://github.com/nsubtil/lift Lean and mean C++ parallel programming library Pass-by-value memory containers Parallel primitive

581 views • 36 slides
How Should I Slice My Network? Hailiang ZHAO @ ZJU-CS htp://hliangzhao.me December 22, 2019 This

How Should I Slice My Network? Hailiang ZHAO @ ZJU-CS htp://hliangzhao.me December 22, 2019 This

How Should I Slice My Network? Hailiang ZHAO @ ZJU-CS htp://hliangzhao.me December 22, 2019 This slide is a report on paper How Should I Slice My Network? A Multi-Service Empirical Evaluation of Resource Sharing Efficiency , published on

973 views • 44 slides
Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2

Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2

Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2 and James Maynard 3 1 Universit de Montral 2 University College London 3 University of Oxford Oberwolfach, 10 November 2016 Selbergs sieve 2

658 views • 65 slides
Autonomic Slice Networking draft-galis-anima-autonomic-slice-networking-01 V1.0 10 th November

Autonomic Slice Networking draft-galis-anima-autonomic-slice-networking-01 V1.0 10 th November

Autonomic Slice Networking draft-galis-anima-autonomic-slice-networking-01 V1.0 10 th November 2016 Prof. Alex Galis Kiran Makhijani Delei Yu a.gais@ucl.ac.uk; http://www.ee.ucl.ac.uk/~agalis/ yudelei@huawei.com kiran.makhijani@huawei.com

379 views • 13 slides
Vertical Lift Aviation Industry Day October 27, 2009 Vertical Lift Aviation Industry Day A First

Vertical Lift Aviation Industry Day October 27, 2009 Vertical Lift Aviation Industry Day A First

Vertical Lift Aviation Industry Day October 27, 2009 Vertical Lift Aviation Industry Day A First Step Towards the Future of Vertical Lift Aviation Tony Melita Office of Land Warfare and Munitions Office of the Secretary of Defense 3 Purpose

958 views • 67 slides
RC-Series Duo Cylinder Lift Your Expectations Lift Your Expectations RC-series Duo Cylinder

RC-Series Duo Cylinder Lift Your Expectations Lift Your Expectations RC-series Duo Cylinder

POWERFUL SOLUTIONS. GLOBAL FORCE. RC-Series Duo Cylinder Lift Your Expectations Lift Your Expectations RC-series Duo Cylinder LONGER LASTING. The unique GR2 bearing system protects the RC-Series Duo cylinder seal by surrounding it. This

421 views • 14 slides
Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi

Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi

Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi (STAT615@ISU) Slice sampling November 14, 2017 1 / 26 Slice sampling Slice sampling Suppose the target distribution is p ( | y ) with scalar

1.13k views • 26 slides
Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on

Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on

Lifting Applied to Proof Complexity Marc Vinyals Technion Haifa, Israel FSTTCS Workshop on Extension Complexity and Lifting Theorems Supported by ERC project HARMONIC Proof Complexity Lifting Examples Wishlist SAT Is this formula

1.26k views • 82 slides
Lift and Drag Lecture 7 ME EN 412 Andrew Ning aning@byu.edu Outline Definitions Lift and

Lift and Drag Lecture 7 ME EN 412 Andrew Ning aning@byu.edu Outline Definitions Lift and

Lift and Drag Lecture 7 ME EN 412 Andrew Ning aning@byu.edu Outline Definitions Lift and Drag in Potential Flow Definitions Flat Plate Example Munson 9.5. Assume the following average pressure and shear stress on the surface of the

347 views • 7 slides
An introduction to the algorithmic of p -adic numbers David Lubicz 1 1 Universt de Rennes 1,

An introduction to the algorithmic of p -adic numbers David Lubicz 1 1 Universt de Rennes 1,

Introduction Basic definitions First properties Field extensions Newton lift Algorithmic p adic integers Basic operations A point counting algorithm An introduction to the algorithmic of p -adic numbers David Lubicz 1 1 Universt de

675 views • 39 slides
Not necessarily algebraic topology Darryl McCullough University of Oklahoma April 1, 2000 1

Not necessarily algebraic topology Darryl McCullough University of Oklahoma April 1, 2000 1

Not necessarily algebraic topology Darryl McCullough University of Oklahoma April 1, 2000 1 Theorem 1 S 1 is not contractible (i. e. there is no homotopy from the identity map of S 1 to the constant map). Equivalently, there is no map from D 2

503 views • 11 slides
Example 1 1. Find the equation of the line joining P = (1 , 1 , 1) to Q = (1 , 0 , 1) in vector

Example 1 1. Find the equation of the line joining P = (1 , 1 , 1) to Q = (1 , 0 , 1) in vector

Lines and Planes in R 3 1.3 P. Danziger Lines in R 3 We wish to represent lines in R 3 . Note that a line may be described in two different ways: By specifying two points on the line. By specifying one point on the line and a vector

472 views • 13 slides
The Role of Interbank Lending in the Predication of Individual Bank Failure during a Bank Crisis:

The Role of Interbank Lending in the Predication of Individual Bank Failure during a Bank Crisis:

The Role of Interbank Lending in the Predication of Individual Bank Failure during a Bank Crisis: Analysis of a Network Model of Systemic Risk Andreas Krause Simone Giansante University of Bath Latsis Symposium Z urich The idea The idea

432 views • 29 slides
RMTA Contract MR-2017 Miscellaneous Repairs Pre-Bid Meeting March 30, 2017 MR-2017 Agenda:

RMTA Contract MR-2017 Miscellaneous Repairs Pre-Bid Meeting March 30, 2017 MR-2017 Agenda:

RICHMOND METROPOLITAN TRANSPORTATION AUTHORITY We provide safe, convenient, efficient facilities and excellent customer service while maintaining the lowest feasible costs. RMTA Contract MR-2017 Miscellaneous Repairs Pre-Bid Meeting March 30,

444 views • 40 slides
Fourth Quarter 2014 Earnings Conference Call February 4, 2015 Cautionary Note Regarding

Fourth Quarter 2014 Earnings Conference Call February 4, 2015 Cautionary Note Regarding

Fourth Quarter 2014 Earnings Conference Call February 4, 2015 Cautionary Note Regarding Forward-Looking Statements Certain information contained in this presentation is forward looking information based on current expectations and plans that

483 views • 20 slides

More recommend