Advertisement

Finding Closest Lattice Vectors Using Approximate Voronoi Cells

  • Emmanouil Doulgerakis
  • Thijs LaarhovenEmail author
  • Benne de Weger
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11505)

Abstract

The two traditional hard problems underlying the security of lattice-based cryptography are the shortest vector problem (SVP) and the closest vector problem (CVP). For a long time, lattice enumeration was considered the fastest method for solving these problems in high dimensions, but recent work on memory-intensive methods has resulted in lattice sieving overtaking enumeration both in theory and in practice. Some of the recent improvements [Ducas, Eurocrypt 2018; Laarhoven–Mariano, PQCrypto 2018; Albrecht–Ducas–Herold–Kirshanova–Postlethwaite–Stevens, 2018] are based on the fact that these methods find more than just one short lattice vector, and this additional data can be reused effectively later on to solve other, closely related problems faster. Similarly, results for the preprocessing version of CVP (CVPP) have demonstrated that once this initial data has been generated, instances of CVP can be solved faster than when solving them directly, albeit with worse memory complexities [Laarhoven, SAC 2016].

In this work we study CVPP in terms of approximate Voronoi cells, and obtain better time and space complexities using randomized slicing, which is similar in spirit to using randomized bases in lattice enumeration [Gama–Nguyen–Regev, Eurocrypt 2010]. With this approach, we improve upon the state-of-the-art complexities for CVPP, both theoretically and experimentally, with a practical speedup of several orders of magnitude compared to non-preprocessed SVP or CVP. Such a fast CVPP solver may give rise to faster enumeration methods, where the CVPP solver is used to replace the bottom part of the enumeration tree, consisting of a batch of CVP instances in the same lattice.

Asymptotically, we further show that we can solve an exponential number of instances of CVP in a lattice in essentially the same amount of time and space as the fastest method for solving just one CVP instance. This is in line with various recent results, showing that perhaps the biggest strength of memory-intensive methods lies in being able to reuse the generated data several times. Similar to [Ducas, Eurocrypt 2018], this further means that we can achieve a “few dimensions for free” for sieving for SVP or CVP, by doing \(\varTheta (d/\log d)\) levels of enumeration on top of a CVPP solver based on approximate Voronoi cells.

Keywords

Lattices Preprocessing Voronoi cells Sieving algorithms Shortest vector problem (SVP) Closest vector problem (CVP) 

Notes

Acknowledgments

The authors are indebted to Léo Ducas, whose ideas and suggestions on this topic motivated work on this paper. The authors are further grateful to the reviewers, whose thorough study of the contents (with one review even exceeding the page limit for the conference) significantly helped improve the contents of the paper, as well as improve the presentation of the results. Emmanouil Doulgerakis is supported by the NWO under grant 628.001.028 (FASOR). At the time of writing a preliminary version of this paper, Thijs Laarhoven was supported by the SNSF ERC Transfer Grant CRETP2-166734 FELICITY. At the time of publishing, Thijs Laarhoven is supported by a Veni Innovational Research Grant from NWO under project number 016.Veni.192.005.

References

  1. 1.
  2. 2.
    Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete Gaussian sampling. In: STOC, pp. 733–742 (2015)Google Scholar
  3. 3.
    Aggarwal, D., Dadush, D., Stephens-Davidowitz, N.: Solving the closest vector problem in \(2^n\) time - the discrete Gaussian strikes again! In: FOCS, pp. 563–582 (2015)Google Scholar
  4. 4.
    Agrell, E., Eriksson, T., Vardy, A., Zeger, K.: Closest point search in lattices. IEEE Transact. Inf. Theor. 48(8), 2201–2214 (2002) MathSciNetCrossRefGoogle Scholar
  5. 5.
    Aharonov, D., Regev, O.: Lattice problems in \({\sf NP} \cap {\sf coNP}\). In: FOCS, pp. 362–371 (2004)Google Scholar
  6. 6.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)Google Scholar
  7. 7.
    Albrecht, M., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E., Stevens, M.: The general sieve kernel and new records in lattice reduction. Preprint, 2018Google Scholar
  8. 8.
    Alekhnovich, M., Khot, S., Kindler, G., Vishnoi, N.: Hardness of approximating the closest vector problem with pre-processing. In: FOCS, pp. 216–225 (2005)Google Scholar
  9. 9.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX Security Symposium, pp. 327–343 (2016)Google Scholar
  10. 10.
    Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. In: FOCS, pp. 459–468 (2006)Google Scholar
  11. 11.
    Andoni, A., Indyk, P., Laarhoven, T., Razenshteyn, I., Schmidt, L.: Practical and optimal LSH for angular distance. In: NIPS, pp. 1225–1233 (2015)Google Scholar
  12. 12.
    Andoni, A., Laarhoven, T., Razenshteyn, I., Waingarten, E.: Optimal hashing-based time-space trade-offs for approximate near neighbors. In: SODA, pp. 47–66 (2017)Google Scholar
  13. 13.
    Andoni, A., Razenshteyn, I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC, pp. 793–801 (2015)Google Scholar
  14. 14.
    Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_3CrossRefGoogle Scholar
  15. 15.
    Aono, Y., Nguyen, P.Q., Shen, Y.: Quantum lattice enumeration and tweaking discrete pruning. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 405–434. Springer, Cham (2018).  https://doi.org/10.1007/978-3-030-03326-2_14CrossRefGoogle Scholar
  16. 16.
    Babai, L.: On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. In: ANTS, pp. 146–162 (2016)Google Scholar
  18. 18.
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: SODA, pp. 10–24 (2016)Google Scholar
  19. 19.
    Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. In: ANTS, pp. 49–70 (2014)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522, pp. 1–14 (2015)Google Scholar
  21. 21.
    Becker, A., Laarhoven, T.: Efficient (ideal) lattice sieving using cross-polytope LSH. In: AFRICACRYPT, pp. 3–23 (2016)CrossRefGoogle Scholar
  22. 22.
    Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-quantum Cryptography. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-540-88702-7CrossRefzbMATHGoogle Scholar
  23. 23.
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-72565-9_12CrossRefGoogle Scholar
  24. 24.
    Bhattacharya, S., et al.: Round5: Compact and fast post-quantum public-key encryption. Cryptology ePrint Archive, Report 2018/725 (2018)Google Scholar
  25. 25.
    Bonifas, N., Dadush, D.: Short paths on the Voronoi graph and the closest vector problem with preprocessing. In: SODA, pp. 295–314 (2015)Google Scholar
  26. 26.
    Bos, J., et al.: Frodo: Take off the ring! practical, quantum-secure key exchange from LWE. In: CCS, pp. 1006–1018 (2016)Google Scholar
  27. 27.
    Bos, J., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: Euro S&P, pp. 353–367 (2018)Google Scholar
  28. 28.
    Bos, J.W., Naehrig, M., van de Pol, J.: Sieving for shortest vectors in ideal lattices: a practical perspective. Int. J. Appl. Crypt. 3(4), 313–329 (2016)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Charikar, M.S.: Similarity estimation techniques from rounding algorithms. In: STOC, pp. 380–388 (2002)Google Scholar
  30. 30.
    Christiani, T.: A framework for similarity search with space-time tradeoffs using locality-sensitive filtering. In: SODA, pp. 31–46 (2017)Google Scholar
  31. 31.
    Conway, J.H., Sloane, N.J.A.: Sphere Packings, Lattices and Groups. Springer, Heidelberg (1999).  https://doi.org/10.1007/978-1-4757-6568-7CrossRefzbMATHGoogle Scholar
  32. 32.
    Correia, F., Mariano, A., Proenca, A., Bischof, C., Agrell, E.: Parallel improved Schnorr-Euchner enumeration SE++ for the CVP and SVP. In: PDP, pp. 596–603 (2016)Google Scholar
  33. 33.
    Dadush, D., Regev, O., Stephens-Davidowitz, N.: On the closest vector problem with a distance guarantee. In: CCC, pp. 98–109 (2014)Google Scholar
  34. 34.
    The FPLLL development team. FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
  35. 35.
    Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-78381-9_5CrossRefGoogle Scholar
  36. 36.
    Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Dilithium: Digital signatures from module lattices. CHES 2018, 238–268 (2018)Google Scholar
  37. 37.
    Feige, U., Micciancio, D.: The inapproximability of lattice and coding problems with preprocessing. In: CCC, pp. 32–40 (2002)Google Scholar
  38. 38.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)CrossRefGoogle Scholar
  39. 39.
    Fitzpatrick, R., et al.: Tuning gausssieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-16295-9_16CrossRefGoogle Scholar
  40. 40.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_13CrossRefGoogle Scholar
  41. 41.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)Google Scholar
  42. 42.
    Hermans, J., Schneider, M., Buchmann, J., Vercauteren, F., Preneel, B.: Parallel shortest lattice vector enumeration on graphics cards. In: AFRICACRYPT, pp. 52–68 (2010)CrossRefGoogle Scholar
  43. 43.
    Herold, G., Kirshanova, E.: Improved algorithms for the approximate k-list problem in euclidean norm. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 16–40. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54365-8_2CrossRefGoogle Scholar
  44. 44.
    Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time–memory trade-offs for tuple lattice sieving. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 407–436. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-76578-5_14CrossRefGoogle Scholar
  45. 45.
    Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: STOC, pp. 604–613 (1998)Google Scholar
  46. 46.
    Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel gauss sieve algorithm: solving the SVP challenge over a 128-dimensional ideal lattice. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 411–428. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54631-0_24CrossRefGoogle Scholar
  47. 47.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)Google Scholar
  48. 48.
    Kirchner, P., Fouque, P.-A.: Time-memory trade-off for lattice enumeration in a ball. Cryptology ePrint Archive, Report 2016/222 (2016)Google Scholar
  49. 49.
    Klein, P.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)Google Scholar
  50. 50.
    Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_1CrossRefzbMATHGoogle Scholar
  51. 51.
    Laarhoven, T.: Tradeoffs for nearest neighbors on the sphere. arXiv:1511.07527 [cs.DS], pp. 1–16 (2015)
  52. 52.
    Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-69453-5_28CrossRefGoogle Scholar
  53. 53.
    Laarhoven, T., de Weger, B.: Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 101–118. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-22174-8_6CrossRefGoogle Scholar
  54. 54.
    Laarhoven, T., Mariano, A.: Progressive lattice sieving. In: PQCrypto, pp. 292–311 (2018)Google Scholar
  55. 55.
    Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2), 375–400 (2015)MathSciNetCrossRefGoogle Scholar
  56. 56.
    Lagarias, J.C., Lenstra, H.W., Schnorr, C.-P.: Korkin-Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatorica 10(4), 333–348 (1990)MathSciNetCrossRefGoogle Scholar
  57. 57.
    Mariano, A., Bischof, C.: Enhancing the scalability and memory usage of HashSieve on multi-core CPUs. In: PDP, pp. 545–552 (2016)Google Scholar
  58. 58.
    Mariano, A., Laarhoven, T., Bischof, C.: Parallel (probable) lock-free HashSieve: a practical sieving algorithm for the SVP. In: ICPP, pp. 590–599 (2015)Google Scholar
  59. 59.
    Mariano, A., Laarhoven, T., Bischof, C.: A parallel variant of LDSieve for the SVP on lattices. In: PDP, pp. 23–30 (2017)Google Scholar
  60. 60.
    Mariano, A., Dagdelen, Ö., Bischof, C.: A comprehensive empirical comparison of parallel listsieve and gausssieve. In: Lopes, L., et al. (eds.) Euro-Par 2014. LNCS, vol. 8805, pp. 48–59. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-14325-5_5CrossRefGoogle Scholar
  61. 61.
    Mariano, A., Timnat, S., Bischof, C.: Lock-free GaussSieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD, pp. 278–285 (2014)Google Scholar
  62. 62.
    Micciancio, D.: The hardness of the closest vector problem with preprocessing. IEEE Transact. Inf. Theory 47(3), 1212–1215 (2001)MathSciNetCrossRefGoogle Scholar
  63. 63.
    Micciancio, D.: Efficient reductions among lattice problems. In: SODA, pp. 84–93 (2008)Google Scholar
  64. 64.
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010)Google Scholar
  65. 65.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)Google Scholar
  66. 66.
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: SODA, pp. 276–294 (2015)Google Scholar
  67. 67.
    Milde, B., Schneider, M.: A parallel implementation of gausssieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-23178-0_40CrossRefzbMATHGoogle Scholar
  68. 68.
    Nguyên, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)MathSciNetCrossRefGoogle Scholar
  69. 69.
    Dagdelen, Ö., Schneider, M.: Parallel enumeration of shortest lattice vectors. In: D’Ambra, P., Guarracino, M., Talia, D. (eds.) Euro-Par 2010. LNCS, vol. 6272, pp. 211–222. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-15291-7_21CrossRefGoogle Scholar
  70. 70.
    Regev, O.: Improved inapproximability of lattice and coding problems with preprocessing. IEEE Transact. Inf. Theory 50(9), 2031–2037 (2004)MathSciNetCrossRefGoogle Scholar
  71. 71.
    Schneider, M.: Analysis of Gauss-Sieve for solving the shortest vector problem in lattices. In: Katoh, N., Kumar, A. (eds.) WALCOM 2011. LNCS, vol. 6552, pp. 89–97. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-19094-0_11CrossRefGoogle Scholar
  72. 72.
    Schneider, M.: Sieving for shortest vectors in ideal lattices. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 375–391. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38553-7_22CrossRefGoogle Scholar
  73. 73.
    Sommer, N., Feder, M., Shalvi, O.: Finding the closest lattice point by iterative slicing. SIAM J. Discret. Math. 23(2), 715–731 (2009)MathSciNetCrossRefGoogle Scholar
  74. 74.
    Stephens-Davidowitz, N.: Dimension-preserving reductions between lattice problems, pp. 1–6 (2016). http://noahsd.com/latticeproblems.pdf
  75. 75.
    van de Pol, J.: Lattice-based cryptography. Master’s thesis, Eindhoven University of Technology (2011)Google Scholar
  76. 76.
    Viterbo, E., Biglieri, E.: Computing the voronoi cell of a lattice: the diamond-cutting algorithm. IEEE Transact. Inf. Theory 42(1), 161–171 (1996)MathSciNetCrossRefGoogle Scholar
  77. 77.
    Wang, J., Shen, H.T., Song, J., Ji, J.: Hashing for similarity search: a survey. arXiv:1408.2927 [cs.DS], pp. 1–29 (2014)
  78. 78.
    Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)Google Scholar
  79. 79.
    Yang, S.-Y., Kuo, P.-C., Yang, B.-Y., Cheng, C.-M.: Gauss sieve algorithm on GPUs. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 39–57. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-52153-4_3CrossRefGoogle Scholar
  80. 80.
    Zhang, F., Pan, Y., Hu, G.: A three-level sieve algorithm for the shortest vector problem. In: SAC, pp. 29–47 (2013)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Emmanouil Doulgerakis
    • 1
  • Thijs Laarhoven
    • 1
    Email author
  • Benne de Weger
    • 1
  1. 1.Eindhoven University of TechnologyEindhovenThe Netherlands

Personalised recommendations