Advertisement

Lower Bounds on Lattice Enumeration with Extreme Pruning

  • Yoshinori Aono
  • Phong Q. Nguyen
  • Takenobu Seito
  • Junji Shikata
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10992)

Abstract

At Eurocrypt ’10, Gama, Nguyen and Regev introduced lattice enumeration with extreme pruning: this algorithm is implemented in state-of-the-art lattice reduction software and used in challenge records. They showed that extreme pruning provided an exponential speed-up over full enumeration. However, no limit on its efficiency was known, which was problematic for long-term security estimates of lattice-based cryptosystems. We prove the first lower bounds on lattice enumeration with extreme pruning: if the success probability is lower bounded, we can lower bound the global running time taken by extreme pruning. Our results are based on geometric properties of cylinder intersections and some form of isoperimetry. We discuss their impact on lattice security estimates.

Notes

Acknowledgements

This work was supported by JSPS KAKENHI Grant Numbers 16H02780, 16H02830 and 18H03238, and JST CREST JPMJCR168A.

References

  1. 1.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of the 33rd STOC, pp. 601–610. ACM (2001)Google Scholar
  2. 2.
    Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! Posted on the PQC-forum, 1 February 2018. https://estimate-all-the-lwe-ntru-schemes.github.io/paper.pdf
  3. 3.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Proceedings of the 25th USENIX Security Symposium, pp. 327–343. USENIX Association (2016)Google Scholar
  4. 4.
    Aono, Y.: A faster method for computing Gama-Nguyen-Regev’s extreme pruning coefficients. CoRR, abs/1406.0342 (2014)Google Scholar
  5. 5.
    Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_3CrossRefGoogle Scholar
  6. 6.
    Aono, Y., Nguyen, P.Q., Shen, Y.: Quantum lattice enumeration and tweaking discrete pruning (2018). https://eprint.iacr.org/2018/546
  7. 7.
    Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016)CrossRefGoogle Scholar
  8. 8.
    Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Proceedings of the 27th ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 10–24 (2016)Google Scholar
  9. 9.
    The FPLLL Development Team.: FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll
  10. 10.
    Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, Univ. Paris 7 (2013)Google Scholar
  11. 11.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    Cheon, M.-S.: Global optimization of monotonic programs: applications in polynomial and stochastic programming. Ph.D. thesis, Georgia Institute of Technology (2005)Google Scholar
  13. 13.
    Dadush, D., Micciancio, D.: Algorithms for the densest sub-lattice problem. In: Proceedings of the 24th ACM-SIAM Symposium on Discrete Algorithms, SODA 2013, pp. 1103–1122 (2013)CrossRefGoogle Scholar
  14. 14.
    de Boer, P.-T., Kroese, D.P., Mannor, S., Rubinstein, R.Y.: A tutorial on the cross-entropy method. Ann. Oper. Res. 134(1), 19–67 (2005)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–471 (1985)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5CrossRefGoogle Scholar
  17. 17.
    Hülsing, A., Rijneveld, J., Schanck, J.M., Schwabe, P.: NTRU-HRSS-KEM: algorithm specifications and supporting documentation. NIST submission, 30 November 2017Google Scholar
  18. 18.
    Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proceedings of the 15th ACM STOC, pp. 193–206 (1983)Google Scholar
  19. 19.
    Kroese, D.P., Porotsky, S., Rubinstein, R.Y.: The cross-entropy method for continuous multi-extremal optimization. Methodol. Comput. Appl. Probab. V 8(3), 383–407 (2006)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_1CrossRefMATHGoogle Scholar
  21. 21.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-36095-4_19CrossRefGoogle Scholar
  22. 22.
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proceedings of the ACM-SIAM SODA, pp. 1468–1480 (2010)CrossRefGoogle Scholar
  23. 23.
    Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Proceedings of the SODA 2015, pp. 276–294 (2015)Google Scholar
  24. 24.
    Montanaro, A.: Quantum walk speedup of backtracking algorithms. ArXiv e-prints (2015)Google Scholar
  25. 25.
    Nguyen, P.Q.: Public-key cryptanalysis. In: Luengo, I. (ed.) Recent Trends in Cryptography. Contemporary Mathematics, vol. 477. AMS-RSME (2009)Google Scholar
  26. 26.
    Nguyen, P.Q.: Hermite’s constant and lattice algorithms. In: The LLL Algorithm: Survey and Applications. Springer, Heidelberg (2010). In [27]Google Scholar
  27. 27.
    Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-02295-1CrossRefGoogle Scholar
  28. 28.
    Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2, 181–207 (2008)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Pohst, M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. SIGSAM Bull. 15(1), 37–44 (1981)CrossRefGoogle Scholar
  30. 30.
    Rubinstein, R.Y.: Optimization of computer simulation models with rare events. Eur. J. Oper. Res. 99, 89–112 (1996)CrossRefGoogle Scholar
  31. 31.
    Rubinstein, R.Y., Kroese, D.P.: The Cross-Entropy Method, A Unified Approach to Combinatorial Optimization, Monte-Carlo Simulation and Machine Learning. Information Science and Statistics. Springer, New York (2004).  https://doi.org/10.1007/978-1-4757-4321-0CrossRefMATHGoogle Scholar
  32. 32.
    Schneider, M., Gama, N.: SVP challenge. http://www.latticechallenge.org/svp-challenge/
  33. 33.
    Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-36494-3_14CrossRefGoogle Scholar
  34. 34.
    Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)MathSciNetCrossRefGoogle Scholar
  35. 35.
    Schnorr, C.P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995).  https://doi.org/10.1007/3-540-49264-X_1CrossRefGoogle Scholar
  36. 36.
    Shapira, U., Weiss, B.: A volume estimate for the set of stable lattices. Comptes Rendus Mathématique 352(11), 875–879 (2014)MathSciNetCrossRefGoogle Scholar
  37. 37.
    Thunder, J.L.: Higher-dimensional analogs of Hermite’s constant. Michigan Math. J. 45(2), 301–314 (1998)MathSciNetCrossRefGoogle Scholar
  38. 38.
    Venkatesh, S.A.: The Theory of Probability: Explorations and Applications. Cambridge University Press, Cambridge (2012)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Yoshinori Aono
    • 1
  • Phong Q. Nguyen
    • 2
    • 3
  • Takenobu Seito
    • 4
  • Junji Shikata
    • 5
  1. 1.National Institute of Information and Communications TechnologyTokyoJapan
  2. 2.Inria ParisParisFrance
  3. 3.CNRS, JFLI, University of TokyoTokyoJapan
  4. 4.Bank of JapanTokyoJapan
  5. 5.Yokohama National UniversityYokohamaJapan

Personalised recommendations