the generalized sieve kernel
play

The Generalized Sieve Kernel The Algorithmic Ant and the Sandpile eo - PowerPoint PPT Presentation

Feb 07, 2023 •125 likes •1.18k views

The Generalized Sieve Kernel The Algorithmic Ant and the Sandpile eo Ducas 1 L Based on joint work in progress with M. Albrecht, E. Postlethwaite, G. Herold, E. Kirshanova, M. Stevens Cryptology Group, CWI, Amsterdam, The Netherlands

  1. Shortest Vector from Lattice Sieving: a Few Dimensions for Free 2 2 EUROCRYPT 2018 L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 25 / 59

  2. Two classes of Algorithms for SVP The Shortest Vector Problem I : The basis B of an n -dimensional lattice L O: A shortest non-zero vector v ∈ L Algorithm Running time Memory n n / 2 e · 2 O ( n ) Enumeration poly( n ) Sieving 3 [2 . 292 n + o ( n ) , 2 . 415 n + o ( n ) ] [2 . 2075 n + o ( n ) , 2 . 292 n + o ( n ) ] The paradox In theory, Sieving is faster. In pratice it is quite a lot slower. 3 Given complexities are heuristic, heavily supported by experiments. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 26 / 59

  3. Two classes of Algorithms for SVP The Shortest Vector Problem I : The basis B of an n -dimensional lattice L O: A shortest non-zero vector v ∈ L Algorithm Running time Memory n n / 2 e · 2 O ( n ) Enumeration poly( n ) Sieving 3 [2 . 292 n + o ( n ) , 2 . 415 n + o ( n ) ] [2 . 2075 n + o ( n ) , 2 . 292 n + o ( n ) ] The paradox In theory, Sieving is faster. In pratice it is quite a lot slower. 3 Given complexities are heuristic, heavily supported by experiments. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 26 / 59

  4. Two classes of Algorithms for SVP The Shortest Vector Problem I : The basis B of an n -dimensional lattice L O: A shortest non-zero vector v ∈ L Algorithm Running time Memory n n / 2 e · 2 O ( n ) Enumeration poly( n ) Sieving 3 [2 . 292 n + o ( n ) , 2 . 415 n + o ( n ) ] [2 . 2075 n + o ( n ) , 2 . 292 n + o ( n ) ] The paradox In theory, Sieving is faster. In pratice it is quite a lot slower. 3 Given complexities are heuristic, heavily supported by experiments. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 26 / 59

  5. Many trade-offs 2 0.45 n 8 0 0 ' 1 V ' N V M 1 1 ' 2 0.40 n B 3 4 T 1 1 L ' ' H W J P G Z B Time complexity Laa '15 ◮ Our main contribution can also 2 0.35 n LdW '15 / BL '15 be applied to other sieving BDGL16 algorithms. e c BGJ '15 a p 2 0.30 n ◮ Implementation limited to the S = e version of m i T [Micciancio Voulgaris 2010] . 2 0.25 n 2 0.20 n 2 0.25 n 2 0.30 n 2 0.35 n Space complexity L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 27 / 59

  6. Many trade-offs 2 0.45 n 8 0 In this 0 ' 1 V ' N V work M 1 1 ' 2 0.40 n B 3 4 T 1 1 L ' ' H W J P G Z B Time complexity Laa '15 ◮ Our main contribution can also 2 0.35 n LdW '15 / BL '15 be applied to other sieving BDGL16 algorithms. e c BGJ '15 a p 2 0.30 n ◮ Implementation limited to the S = e version of m i T [Micciancio Voulgaris 2010] . 2 0.25 n 2 0.20 n 2 0.25 n 2 0.30 n 2 0.35 n Space complexity L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 27 / 59

  7. Results Heuristic claim, asymptotic One can solve SVP in dimension n with a call to Sieve in dimension n − d where d = Θ( n / log n ) . Heuristic claim, concrete One can solve SVP in dimension n making a call to Sieve in dimension i for each i = 2 . . . n − d for d ≈ n · ln(4 / 3) ( d ≈ 15 for n = 80) ln( n / 2 π e ) Experimental claim: A bogey A Sieve implem. almost on par with enumeration (within a factor 4 in dims 70–80), still with room for many improvements. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 28 / 59

  8. Results Heuristic claim, asymptotic One can solve SVP in dimension n with a call to Sieve in dimension n − d where d = Θ( n / log n ) . Heuristic claim, concrete One can solve SVP in dimension n making a call to Sieve in dimension i for each i = 2 . . . n − d for d ≈ n · ln(4 / 3) ( d ≈ 15 for n = 80) ln( n / 2 π e ) Experimental claim: A bogey A Sieve implem. almost on par with enumeration (within a factor 4 in dims 70–80), still with room for many improvements. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 28 / 59

  9. Results Heuristic claim, asymptotic One can solve SVP in dimension n with a call to Sieve in dimension n − d where d = Θ( n / log n ) . Heuristic claim, concrete One can solve SVP in dimension n making a call to Sieve in dimension i for each i = 2 . . . n − d for d ≈ n · ln(4 / 3) ( d ≈ 15 for n = 80) ln( n / 2 π e ) Experimental claim: A bogey A Sieve implem. almost on par with enumeration (within a factor 4 in dims 70–80), still with room for many improvements. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 28 / 59

  10. Sieving Algorithm 1 Sieve ( L ) L ← a set of N random vectors from L where N ≈ (4 / 3) n / 2 . while ∃ ( v , w ) ∈ L 2 such that � v − w � < � v � do v ← v − w end while return L The above runs in heuristic time (4 / 3) n + o ( n ) . Many concrete and asymptotic improvements: [Nguyen Vidick 2008, Micciancio Voulgaris 2010, Laarhoven 2015, Becker Gamma Joux 2015, Becker D. Gamma Laarhoven 2015, . . . ] . L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 29 / 59

  11. Sieving Algorithm 2 Sieve ( L ) L ← a set of N random vectors from L where N ≈ (4 / 3) n / 2 . while ∃ ( v , w ) ∈ L 2 such that � v − w � < � v � do v ← v − w end while return L The above runs in heuristic time (4 / 3) n + o ( n ) . Many concrete and asymptotic improvements: [Nguyen Vidick 2008, Micciancio Voulgaris 2010, Laarhoven 2015, Becker Gamma Joux 2015, Becker D. Gamma Laarhoven 2015, . . . ] . L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 29 / 59

  12. More than SVP Note that Sieve returns N ≈ (4 / 3) n short vectors, not just a shortest vector. Definition (Gaussian Heuristic: Expected length of the shortest vector) � n / 2 π e · vol( L ) 1 / n . gh( L ) = Observation (heuristic & experimental) � The output of Sieve contains almost all vectors of length ≤ 4 / 3 · gh ( L ): � � � L := Sieve ( L ) = x ∈ L s.t. � x � ≤ 4 / 3 · gh( L ) . L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 30 / 59

  13. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � 4 / 3 · gh( L ′′ ) . 4 / 3 · gh( L ′′ ) . · gh( L ) ≤ gh( L ) ≤ n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 31 / 59

  14. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � 4 / 3 · gh( L ′′ ) . 4 / 3 · gh( L ′′ ) . · gh( L ) ≤ gh( L ) ≤ n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 31 / 59

  15. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � 4 / 3 · gh( L ′′ ) . 4 / 3 · gh( L ′′ ) . · gh( L ) ≤ gh( L ) ≤ n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 31 / 59

  16. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � 4 / 3 · gh( L ′′ ) . 4 / 3 · gh( L ′′ ) . · gh( L ) ≤ gh( L ) ≤ n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 31 / 59

  17. With BKZ pre-processing ◮ To ensure (1), we need the basis to be as reduced as possible ◮ We can easily afford BKZ preprocessing with block-size b = n / 2 ◮ Using simple BKZ models 4 we can predict gh( L ) and gh( L ′ ) Heuristic claim SubSieve ( L , d ) algorithm will successfully find the shortest vector of L for some d = Θ( n / ln n ). ⇒ Improve time & memory by a sub-exponential factor 2 Θ( n / log n ) 4 The Geometric Series Assumption L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 32 / 59

  18. With BKZ pre-processing ◮ To ensure (1), we need the basis to be as reduced as possible ◮ We can easily afford BKZ preprocessing with block-size b = n / 2 ◮ Using simple BKZ models 4 we can predict gh( L ) and gh( L ′ ) Heuristic claim SubSieve ( L , d ) algorithm will successfully find the shortest vector of L for some d = Θ( n / ln n ). ⇒ Improve time & memory by a sub-exponential factor 2 Θ( n / log n ) 4 The Geometric Series Assumption L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 32 / 59

  19. Quasi-HKZ preprocessing Idea: Attempt stronger pre-processing. Algorithm 3 SubSieve + ( L , d ) L ← Sieve ( L ′′ ) L = { Lift L ′′ →L ( v ) for v ∈ L } for j = 0 . . . n / 2 − 1 do v j = arg min s ∈ L � π ( v 0 ... v j − 1 ) ⊥ ( s ) � end for return ( v 0 . . . v n / 2 − 1 ) ◮ Insert ( v 0 . . . v n / 2 − 1 ) as the new b 1 . . . b n / 2 ◮ Repeat SubSieve + ( L , d ) for d = n − 1 , n − 2 , . . . , d min ◮ Hope that iteration d min + 1 provided a quasi-HKZ basis. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 33 / 59

  20. Concrete prediction with quasi-HKZ preprocessing Pessimistic prediction for (1) Optimistic prediction for (1) d ≈ n ln 4 / 3 n ln 4 / 3 d ≈ ln( n / 2 π ) ln( n / 2 π e ) d 25 pessimistic simulation pessimistic approximation optimistic simulation optimistic approximation 20 15 10 5 250 n 50 100 150 200 Figure: Predictions of the maximal successful choice of d min . L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 34 / 59

  21. Baseline Implementation (V0) Re-implemented GaussSieve [Micciancio Voulgaris 2010] ◮ No gaussian sampling ◮ Initial sphericity of L doesn’t seem to matter ◮ Initial vectors can be made much shorter ⇒ speed-up ◮ Prevent collisions using a hash table √ ◮ Terminate when the ball 4 / 3 · gh( L ) is half-saturated ◮ Sort only periodically ◮ Can use faster data-structures ◮ Vectors represented in bases B and GramSchmidt ( B ) ◮ Required to work in projected-sublattices ◮ Kernel in c++ , control in python ◮ Calls to fpylll to maintain B and GramSchmidt ( B ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 35 / 59

  22. Baseline Implementation (V0) Re-implemented GaussSieve [Micciancio Voulgaris 2010] ◮ No gaussian sampling ◮ Initial sphericity of L doesn’t seem to matter ◮ Initial vectors can be made much shorter ⇒ speed-up ◮ Prevent collisions using a hash table √ ◮ Terminate when the ball 4 / 3 · gh( L ) is half-saturated ◮ Sort only periodically ◮ Can use faster data-structures ◮ Vectors represented in bases B and GramSchmidt ( B ) ◮ Required to work in projected-sublattices ◮ Kernel in c++ , control in python ◮ Calls to fpylll to maintain B and GramSchmidt ( B ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 35 / 59

  23. Baseline Implementation (V0) Re-implemented GaussSieve [Micciancio Voulgaris 2010] ◮ No gaussian sampling ◮ Initial sphericity of L doesn’t seem to matter ◮ Initial vectors can be made much shorter ⇒ speed-up ◮ Prevent collisions using a hash table √ ◮ Terminate when the ball 4 / 3 · gh( L ) is half-saturated ◮ Sort only periodically ◮ Can use faster data-structures ◮ Vectors represented in bases B and GramSchmidt ( B ) ◮ Required to work in projected-sublattices ◮ Kernel in c++ , control in python ◮ Calls to fpylll to maintain B and GramSchmidt ( B ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 35 / 59

  24. Baseline Implementation (V0) Re-implemented GaussSieve [Micciancio Voulgaris 2010] ◮ No gaussian sampling ◮ Initial sphericity of L doesn’t seem to matter ◮ Initial vectors can be made much shorter ⇒ speed-up ◮ Prevent collisions using a hash table √ ◮ Terminate when the ball 4 / 3 · gh( L ) is half-saturated ◮ Sort only periodically ◮ Can use faster data-structures ◮ Vectors represented in bases B and GramSchmidt ( B ) ◮ Required to work in projected-sublattices ◮ Kernel in c++ , control in python ◮ Calls to fpylll to maintain B and GramSchmidt ( B ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 35 / 59

  25. Baseline Implementation (V0) Re-implemented GaussSieve [Micciancio Voulgaris 2010] ◮ No gaussian sampling ◮ Initial sphericity of L doesn’t seem to matter ◮ Initial vectors can be made much shorter ⇒ speed-up ◮ Prevent collisions using a hash table √ ◮ Terminate when the ball 4 / 3 · gh( L ) is half-saturated ◮ Sort only periodically ◮ Can use faster data-structures ◮ Vectors represented in bases B and GramSchmidt ( B ) ◮ Required to work in projected-sublattices ◮ Kernel in c++ , control in python ◮ Calls to fpylll to maintain B and GramSchmidt ( B ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 35 / 59

  26. XOR-POPCNT trick (V0 → V1) Already used in Sieving [Fitzpatrick et al. 2015] . More generally know as SimHash [Charikar 2002] . Idea: Pre-filter pairs ( v , w ) ∈ L with a fast compressed test. ◮ Choose a spherical code C = { c 1 . . . c k } ⊂ S n and a threshold t ≤ k / 2 ◮ Precompute compressions ˜ v = Sign ( � v , c i � ) ∈ { 0 , 1 } k ◮ Only test � v ± w � ≤ � v � if | HammingWeight ( v ⊕ w ) − k / 2 | ≥ t . ◮ Asymptotic speed-up Θ( n / log n ) ? ◮ In practice, k = 128 (2 words), t = 18: about 10 cycles per pairs. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 36 / 59

  27. Progressive Sieving (V1 → V2) Concurrently and independetly invented in [Mariano Laarhoven 2018] . Idea: Increase the dimension progressively. ◮ Recursively, Sieve in the lattice L ( b 1 , . . . b n − 1 ) ◮ Start the sieve in dimension n with many short-ish vectors ◮ Fresh vectors get reduced much faster thanks to this initial pool. Refer to [Mariano Laarhoven 2018] for a full analysis of this trick. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 37 / 59

  28. Dimensions for Free (V2 → V3) ◮ Apply the quasi-HKZ preprocessing strategy ◮ Do not force the choice of d min ◮ Simply increase d until the shortest vector is found. d 19 pessimistic simulation pessimistic approximation 18 optimistic simulation optimistic approximation 17 Experimental average 16 15 14 13 12 11 10 9 8 7 6 n 60 62 64 66 68 70 72 74 76 78 80 82 Figure: Predictions experiments for d min . L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 38 / 59

  29. Performances T ( sec. ) Fit V0: 2 0 . 489 n − 21 . 6 Fit V1: 2 0 . 505 n − 24 . 6 10 3 Fit V2: 2 0 . 470 n − 24 . 8 Fit V3: 2 0 . 396 n − 23 . 6 Fit Enum: 2 0 . 0683 n · ln n − 17 . 9 V0 (Sieve) V1 (Sieve) V2 (Sieve) V3 (SubSieve) 10 2 fplll's Pruned Enum. 10 1 10 0 n 40 50 60 70 80 L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 39 / 59

  30. Comparison to other Sieving implementation Algorithms [FBB + 14] V0 V1 V2 V3 [MV10] [ML17] [HK17] Features XOR-POPCNT trick x x x x pogressive sieving x x SubSieve x LSH (more mem.) x tuple (less mem.) x Dimension Running times n = 60 227s 49s 8s 0 . 9s 464s 79s 13s 1080s n = 70 - - 276s 10s 23933s 4500s 250s 33000s n = 80 - - - 234s - - 4320s 94700s CPU freq. (GHz) 3 . 6 3 . 6 3 . 6 3 . 6 4 . 0 4 . 0 2 . 3 2 . 3 L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 40 / 59

  31. Summary Sieving vs. Sieving ◮ Exploit all outputs of Sieve ⇒ Dimensions for Free ◮ Our implementation is 10x faster than all previous Sieving ◮ It does not use LSH techniques: further speed-up expected Sieving vs. Enumeration ◮ Only a factor 4x slower than Enum for dimensions 70–80 ◮ Guesstimates a cross-over at dim ≈ 90 with further improvements (LSH/LSF, fine-tuning, vectorization, . . . ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 41 / 59

  32. Summary Sieving vs. Sieving ◮ Exploit all outputs of Sieve ⇒ Dimensions for Free ◮ Our implementation is 10x faster than all previous Sieving ◮ It does not use LSH techniques: further speed-up expected Sieving vs. Enumeration ◮ Only a factor 4x slower than Enum for dimensions 70–80 ◮ Guesstimates a cross-over at dim ≈ 90 with further improvements (LSH/LSF, fine-tuning, vectorization, . . . ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 41 / 59

  37. The Generalized Sieve Kernel (G6K, pronounced / ζ e.si.ka/) 5 5 Work in Progress with M. Albrecht, E. Postlethwaite, G. Herold, E. Kirshanova, M. Stevens L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 44 / 59

  38. 1st design principle: Go Green ! Idea: Recycle vectors between overlapping blocks. Rather than an function serving as an SVP oracle, design a stateful machine that takes advantages of the overlapping instances. In other words:

  39. 1st design principle: Go Green ! Idea: Recycle vectors between overlapping blocks. Rather than an function serving as an SVP oracle, design a stateful machine that takes advantages of the overlapping instances. In other words:

  40. Moving with a bag of vectors Relations between the projected sublattices: L = ⊃ ⊃ . . . ⊃ . . . L [1:1] L [1: n ] L [1: n − 1] L [1:2] ↓ π ↓ π ↓ π L [2: n ] ⊃ L [2: n − 1] ⊃ . . . L [2:2] . . . · L [ n − 1: n ] ⊃ L [ n − 1: n − 1] ↓ π L [ n : n ] ◮ π can be inverted in many ways. Choose π − 1 to be the Babai lift: the shortest of all possible lifts. ◮ All maps ⊂ , π − 1 , π preserve shortness “somewhat” L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 46 / 59

  41. Moving with a bag of vectors Relations between the projected sublattices: L = ⊃ ⊃ . . . ⊃ . . . L [1:1] L [1: n ] L [1: n − 1] L [1:2] ↓ π ↓ π ↓ π L [2: n ] ⊃ L [2: n − 1] ⊃ . . . L [2:2] . . . · L [ n − 1: n ] ⊃ L [ n − 1: n − 1] ↓ π L [ n : n ] ◮ π can be inverted in many ways. Choose π − 1 to be the Babai lift: the shortest of all possible lifts. ◮ All maps ⊂ , π − 1 , π preserve shortness “somewhat” L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 46 / 59

  42. Moving with a bag of vectors Relations between the projected sublattices: L = ⊃ ⊃ . . . ⊃ . . . L [1:1] L [1: n ] L [1: n − 1] L [1:2] ↓ π ↓ π ↓ π L [2: n ] ⊃ L [2: n − 1] ⊃ . . . L [2:2] . . . · L [ n − 1: n ] ⊃ L [ n − 1: n − 1] ↓ π L [ n : n ] ◮ π can be inverted in many ways. Choose π − 1 to be the Babai lift: the shortest of all possible lifts. ◮ All maps ⊂ , π − 1 , π preserve shortness “somewhat” L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 46 / 59

  43. Moving with a bag of vectors L = ⊃ ⊃ . . . ⊃ L [1: n ] L [1: n − 1] L [1:2] L [1:1] ↓ π ↓ π ↓ π ⊃ ⊃ . . . L [2: n ] L [2: n − 1] L [2:2] . . . . . . · L [ n − 1: n ] ⊃ L [ n − 1: n − 1] ↓ π L [ n : n ] Change of context/block [l:r] : transform the vectors in the bag ◮ Extend-Right : ⊂ (do nothing) ◮ Shrink-Left : π − 1 (Babai lift) ◮ Extend-Left : π (project) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 47 / 59

  44. 2nd design principle: be flexible BKZ theory use exact-SVP for each block consecutively, but maybe we’re better off making different choices. ◮ Maintain a cadidate for insertion at each position ◮ Decide where to insert after sieving L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 48 / 59

  45. 3rd design principle: seize opportunities Algorithm 4 Sieve ( L ) L ← a set of N random vectors from L where N ≈ (4 / 3) n / 2 . while ∃ ( v , w ) ∈ L 2 such that � v − w � < � v � do v ← v − w end while return L Even if � v − w � ≥ � v � , it could be worth considering the lifts of v − w . L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 49 / 59

  46. The abstract machine State: ◮ A lattice basis B ◮ Positions 0 ≤ ℓ ′ ≤ ℓ ≤ r ≤ d . [ ℓ : r ] the sieving context , and [ ℓ ′ : r ] the lifting context . ◮ A database db of N vectors in L [ ℓ : r ] (preferably short). ◮ Insertion candidates c ℓ ′ , . . . , c ℓ where c i ∈ L [ i : r ] or c i = ⊥ . Instructions: ◮ Sieve ( S ): make vector shorter, improve insertion candidates ◮ Extend Right, Shrink Left, Extend Left ( ER , SL , EL ): change the sieve-context, updating the database ◮ Insert ( I ): update the basis and the database L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 50 / 59

  47. The ideal BKZ with G6K BKZ can be written very simply: Repeat { S; I; ER; } When starting the second Sieve , vectors are already quite short ⇒ No need to restart progressive sieving from the beginning. The ER bug. It turns out that ER is not very compatible with our fastest sieve implementation. Somehow, the Sieve gets stuck in a subspace. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 51 / 59

  48. The ideal BKZ with G6K BKZ can be written very simply: Repeat { S; I; ER; } When starting the second Sieve , vectors are already quite short ⇒ No need to restart progressive sieving from the beginning. The ER bug. It turns out that ER is not very compatible with our fastest sieve implementation. Somehow, the Sieve gets stuck in a subspace. L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 51 / 59

  49. Pump Before: SubSieve f : Reset 0 , f , f , ( ER , S ) d − f , I 0 , I 1 , . . . , I d − f . ◮ No issues with EL ⇒ Progressive-Sieving toward the left instead. ◮ Can now Sieve again after insertion ◮ Can now insert the best candidate rather than a pre-chosen one pump-up pump-down � �� � � �� � ( I , S ) r − ℓ . ( EL , S ) r − ℓ , Pump ℓ ′ ,ℓ, r , s : Reset ℓ ′ , r , r , L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 52 / 59

  50. WorkOut Workout: Pumps of increasing strength WorkOut κ,β, f , f + , s : Pump κ,κ + β − f + ,κ + β, s , Pump κ,κ + β − 2 f + ,κ + β, s , Pump κ,κ + β − 3 f + ,κ + β, s , . . . Pump κ,κ + f ,κ + β, s , ◮ Termination condition can vary (e.g. fixed number of dims for free, or reached satisfying shortest vector) ◮ steps size of pump strength is not necessarly 1 L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 53 / 59

  51. Pump and Jump ◮ Block is left somewhat reduced by the pump in the previous block: ⇒ no need for a full workout. ◮ Many short vectors inserted, little improvement left around here: ⇒ directly Jump far away. PumpnJumpBKZ β ′ , f , j : Pump 0 , f ,β , Pump j , j + f , j + β , Pump 2 j , 2 j + f , 2 j + β , . . . L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 54 / 59

  52. Implementation 3 layers ◮ c++: multi-threaded heavy duty operation (Sieve, db updates) ◮ cython: middleware, basis maintainance ◮ python: control, tuning, and monitoring Several Sieve inside: ◮ Standard Gauss-Sieve (mono-threaded) Mem = 2 . 208 n + o ( n ) , Time = 2 . 415 n + o ( n ) ◮ Becker-Gama-Joux with 1 level of filtration (multi-threaded) Mem = 2 . 208 n + o ( n ) , Time = 2 . 349 n + o ( n ) ◮ k-sieve k = 2 , 3 (multi-threaded) Mem = 2 . 208 n + o ( n ) , Time = 2 . 349 n + o ( n ) Mem = 2 . 189 n + o ( n ) , Time = 2 . 372 n + o ( n ) L´ eo Ducas (CWI, Amsterdam) G6K or, the Alg. Ant and the Sandpile 24 Sept 2018 55 / 59

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KernGPLM A Package for Kernel-Based Fitting of Aim of this Talk Generalized Partial Linear

KernGPLM A Package for Kernel-Based Fitting of Aim of this Talk Generalized Partial Linear

KernGPLM A Package for Kernel-Based Fitting of Aim of this Talk Generalized Partial Linear and Additive Models analysis of highdimensional data by semiparametric (generalized) regression models June 8, 2006 compare different approaches

491 views • 5 slides
Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis!

Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis!

Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis! Vaccine!efficacy!versus!par*cular!pathogen!strains! Sieve!effects!and!other!effects! Some!immunological!considera*ons!

383 views • 15 slides
PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE SIEVE OF ERATOSTHENES

PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE SIEVE OF ERATOSTHENES

26 07 2015 PARALLEL AND DISTRIBUTED ALGORITHMS BY DEBDEEP MUKHOPADHYAY AND ABHISHEK SOMANI http://cse.iitkgp.ac.in/~debdeep/courses_iitkgp/PAlgo/index.htm PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE

468 views • 11 slides
Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of

Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of

Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation The number-field sieve Goal: Find

435 views • 25 slides
Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2

Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2

Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2 and James Maynard 3 1 Universit de Montral 2 University College London 3 University of Oxford Oberwolfach, 10 November 2016 Selbergs sieve 2

658 views • 65 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam

A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam

A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam Mickiewicz University Pozna, Poland Number Theoretic Methods in Cryptology Paris 2019 MG (UAM Pozna) Sieve NutMic 2019 1 / 25 Outline 1 The large

1.04k views • 90 slides
The number-field sieve Finding small factors of integers D. J. Bernstein University of Illinois

The number-field sieve Finding small factors of integers D. J. Bernstein University of Illinois

The number-field sieve Finding small factors of integers D. J. Bernstein University of Illinois at Chicago The Q sieve factors n by combining enough y -smooth congruences i ( n + i ). Enough &gt; = log y . y Plausible

347 views • 31 slides
The Classification of Generalized Riemann Derivatives Stefan Catoiu DePaul University, Chicago

The Classification of Generalized Riemann Derivatives Stefan Catoiu DePaul University, Chicago

Definition and basic properties Generalized vs. Ordinary Differentiation The Classification of Real Generalized Riemann Derivatives The Classification of Complex Generalized Riemann Derivatives The Classification of Generalized Riemann

768 views • 48 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods &amp; optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

240 views • 5 slides
Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References

Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References

Generalized Contagion Generalized Contagion Generalized Model of Contagion Principles of Complex Systems References Course 300, Fall, 2008 Prof. Peter Dodds Department of Mathematics &amp; Statistics University of Vermont Licensed under

466 views • 21 slides
Parallel Gauss Sieve Algorithm : Solving the Ideal T.Takagi Lattice Challenge of 128 dimensions

Parallel Gauss Sieve Algorithm : Solving the Ideal T.Takagi Lattice Challenge of 128 dimensions

Parallel Gauss Sieve Algorithm T.Ishiguro, S.Kiyomoto, Y.Miyake, Parallel Gauss Sieve Algorithm : Solving the Ideal T.Takagi Lattice Challenge of 128 dimensions Outline Background Proposed Tsukasa Ishiguro 1 Shinsaku Kiyomoto 1 Algorithm

528 views • 32 slides
SYLLABUS The Idea of Parallelism: A Parallelised version of the Sieve of Eratosthenes PRAM Model

SYLLABUS The Idea of Parallelism: A Parallelised version of the Sieve of Eratosthenes PRAM Model

26 07 2015 PARALLEL AND DISTRIBUTED ALGORITHMS BY DEBDEEP MUKHOPADHYAY AND ABHISHEK SOMANI http://cse.iitkgp.ac.in/~debdeep/courses_iitkgp/PAlgo/index.htm SYLLABUS The Idea of Parallelism: A Parallelised version of the Sieve of

449 views • 17 slides
Manage Sieve Protocol Alexey Melnikov, As Transcribed By Eric Burger Introduction Manage

Manage Sieve Protocol Alexey Melnikov, As Transcribed By Eric Burger Introduction Manage

Manage Sieve Protocol Alexey Melnikov, As Transcribed By Eric Burger Introduction Manage Sieve protocol is defined in draft-martin- managesieve (currently draft-martin- managesieve-05.txt) Simple IMAP-like protocol originally written by

336 views • 6 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides
Lecture 19 Logistics HW7 due now A few days off before HW8 kicks in A few days off

Lecture 19 Logistics HW7 due now A few days off before HW8 kicks in A few days off

Lecture 19 Logistics HW7 due now A few days off before HW8 kicks in A few days off before HW8 kicks in Midterm review session tomorrow 4:15 EEB125 Midterm 2 in class (45min long, starts at 10:35am) Last lecture Moore

675 views • 11 slides
CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What

CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What

CS 241: Systems Programming Lecture 1. Introduction Spring 2020 Prof. Stephen Checkoway 1 What is this course about? Tools for succeeding in computer science Unix command line Bash scripting C programming Building software

268 views • 24 slides
Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Acts Series Lesson #94 December 18, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. The Acts of the Apostles To the end of the earth Acts 1:8 Acts as a Transition and Overview of Things to Come Acts 13; Matthew

551 views • 19 slides
SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural

SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural

SnaPEA : Predictive Early Activation for Reducing Computation In Deep Convolutional Neural Networks * * Vahideh Akhlaghi Amir Yazdanbakhsh Kambiz Samadi Rajesh K. Gupta Hadi Esmaeilzadeh * Equal Contribution University

565 views • 32 slides
ANT Actor Network Theory Relevance Process Architecture Governance Strategies Assemblage

ANT Actor Network Theory Relevance Process Architecture Governance Strategies Assemblage

ANT Actor Network Theory Relevance Process Architecture Governance Strategies Assemblage Theory Actor Network Reflexive Complexity Theory Modernisation Science Plan Basic definition review Work in teams with some silly cases

559 views • 12 slides
Java build system by Zoltn Jakab zoltan.jakab@ericsson.com Contents Build a Java program

Java build system by Zoltn Jakab zoltan.jakab@ericsson.com Contents Build a Java program

Java build system by Zoltn Jakab zoltan.jakab@ericsson.com Contents Build a Java program Ant Concept Language elements Reuse and extension Other Java build tools Hello world package demo; public class HelloWorld {

798 views • 50 slides
How Many Ants Does It Take to Find the Food? Jara Uitto ETH Zurich Distributed Computing

How Many Ants Does It Take to Find the Food? Jara Uitto ETH Zurich Distributed Computing

How Many Ants Does It Take to Find the Food? Jara Uitto ETH Zurich Distributed Computing www.disco.ethz.ch Ants Nearby Treasure Search Introduced by Feinerman, Korman, Lotker and Sereni [PODC 2012]. mobile agents,

1.11k views • 92 slides
A Study of Ant Foraging Behaviour Presented by Aditya Tandon and Sandeep Aitha PPpppreB Ants are

A Study of Ant Foraging Behaviour Presented by Aditya Tandon and Sandeep Aitha PPpppreB Ants are

A Study of Ant Foraging Behaviour Presented by Aditya Tandon and Sandeep Aitha PPpppreB Ants are Superorganisms Foraging Nest building Reorganization of tasks Waste management Foraging Behaviour Quantitative Models

512 views • 10 slides

More recommend