Abstract
Recently, it was shown that angular locality-sensitive hashing (LSH) can be used to significantly speed up lattice sieving, leading to a heuristic time complexity for solving the shortest vector problem (SVP) of \(2^{0.337n + o(n)}\) (and space complexity \(2^{0.208n + o(n)}\)). We study the possibility of applying other LSH methods to sieving, and show that with the spherical LSH method of Andoni et al. we can heuristically solve SVP in time \(2^{0.298n + o(n)}\) and space \(2^{0.208n + o(n)}\). We further show that a practical variant of the resulting SphereSieve is very similar to Wang et al.’s two-level sieve, with the key difference that we impose an order on the outer list of centers.
Notes
1. A similarity measure D may informally be thought of as a “slightly relaxed” metric, which may not satisfy all properties associated to metrics; see e.g. [21] for details.
2. Technically speaking, [4] uses the Johnson-Lindenstrauss lemma to project n- to \(n_0\)-dimensional vectors with \(n_0 = o(n)\), so that single-exponential costs in \(n_0\) (\(2^{\varTheta (n_0)}\)) are sub-exponential in n (\(2^{o(n)}\)). However, this projection only preserves inter-point distances up to small errors if the length of the list is sufficiently small (\(N = 2^{o(n)}\)), which is not the case in sieving. Moreover, we estimated the potential improvement using Euclidean LSH to be smaller than the improvement we obtain here.
3. In Sect. 3 we will justify why this assumption makes sense in sieving.
4. Note that Andoni et al. sample vectors with average norm \(\sqrt{n}\) instead, which means that everything in our description is scaled by a factor \(\sqrt{n}\).
5. Here “close” means that \(\Vert \varvec{v} - \varvec{w}\Vert \le \gamma R\), which corresponds to \(\theta (\varvec{v}, \varvec{w}) \le 60^{\circ } + o(1)\). Similarly “far away” corresponds to a large angle \(\theta (\varvec{v}, \varvec{w}) > 60^{\circ } + o(1)\).
6. By choosing the order terms in k appropriately, the o(1)-term inside \(w(\theta )\) may be cancelled out, in which case the \(\delta \)-term dominates. Note that the o(1)-term in \(w(\theta )\) can be further controlled by the choice of \(\gamma = 1 - o(1)\).
7. Note that \(\alpha \) is implicitly a function of \(c_t\) as well.
References
Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete gaussian sampling. In: STOC (2015)
Ajtai, M.: The shortest vector problem in \(L_2\) is NP-hard for randomized reductions (extended abstract). In: STOC, pp. 10–19 (1998)
Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)
Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. In: FOCS, pp. 459–468 (2006)
Andoni, A., Indyk, P., Nguyen, H.L., Razenshteyn, I.: Beyond locality-sensitive hashing. In: SODA, pp. 1018–1028 (2014)
Andoni, A., Razenshteyn, I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC (2015)
Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. In: ANTS, pp. 49–70 (2014)
Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522 (2015)
Becker, A., Laarhoven, T.: Efficient sieving on (ideal) lattices using cross-polytopic LSH. (preprint 2015)
Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer, Heidelberg (2009)
Bos, J., Naehrig, M., van de Pol, J.: Sieving for shortest vectors in ideal lattices: a practical perspective. Cryptology ePrint Archive, Report 2014/880 (2014)
Charikar, M.S.: Similarity estimation techniques from rounding algorithms. In: STOC, pp. 380–388 (2002)
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)
Datar, M., Immorlica, N., Indyk, P., Mirrokni, V.S.: Locality-sensitive hashing scheme based on \(p\)-stable distributions. In: SOCG, pp. 253–262 (2004)
Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)
Fitzpatrick, R., Bischof, C., Buchmann, J., Dagdelen, Ö., Göpfert, F., Mariano, A., Yang, B.-Y.: Tuning gausssieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Heidelberg (2015)
Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)
Hanrot, G., Pujol, X., Stehlé, D.: Algorithms for the shortest and closest lattice vector problems. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 159–190. Springer, Heidelberg (2011)
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: STOC, pp. 604–613 (1998)
Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel gauss sieve algorithm: solving the SVP challenge over a \(128\)-dimensional ideal lattice. In: PKC, pp. 411–428 (2014)
Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)
Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: CRYPTO (2015)
Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des., Codes Crypt. (2015)
Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)
Mariano, A., Timnat, S., Bischof, C.: Lock-free gausssieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD, pp. 278–285 (2014)
Mariano, A., Dagdelen, Ö., Bischof, C.: A comprehensive empirical comparison of parallel listsieve and gausssieve. In: Lopes, L., et al. (eds.) Euro-Par 2014 Workshops. LNCS, pp. 48–59. Springer, Heidelberg (2014)
Mariano, A., Laarhoven, T., Bischof, C.: Parallel (probable) lock-free hashsieve: a practical sieving algorithm for the SVP. In: ICPP (2015)
Micciancio, D.: The shortest vector in a lattice is hard to approximate to within some constant. In: FOCS, pp. 92–98 (1998)
Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In: STOC, pp. 351–358 (2010)
Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)
Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: SODA, pp. 276–294 (2015)
Milde, B., Schneider, M.: A parallel implementation of gausssieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011)
Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)
Plantard, T., Schneider, M.: Ideal lattice challenge (2014). http://latticechallenge.org/ideallattice-challenge/
Pohst, M.E.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. ACM SIGSAM Bull. 15(1), 37–44 (1981)
van de Pol, J., Smart, N.P.: Estimating key sizes for high dimensional lattice-based systems. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 290–303. Springer, Heidelberg (2013)
Pujol, X., Stehlé, D.: Solving the shortest lattice vector problem in time \(2^{2.465n}\). Cryptology ePrint Archive, Report 2009/605 (2009)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)
Schneider, M.: Analysis of gauss-sieve for solving the shortest vector problem in lattices. In: Katoh, N., Kumar, A. (eds.) WALCOM 2011. LNCS, vol. 6552, pp. 89–97. Springer, Heidelberg (2011)
Schneider, M.: Sieving for shortest vectors in ideal lattices. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 375–391. Springer, Heidelberg (2013)
Schneider, M., Gama, N., Baumann, P., Nobach, L.: SVP challenge (2015). http://latticechallenge.org/svp-challenge
Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53(2), 201–224 (1987)
Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(2), 181–199 (1994)
Wang, X., Liu, M., Tian, C., Bi, J.: Improved nguyen-vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)
Zhang, F., Pan, Y., Hu, G.: A three-level sieve algorithm for the shortest vector problem. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 29–47. Springer, Heidelberg (2014)
Appendix
A Proof of Proposition 1
To prove Proposition 1, we will show how to choose a sequence of parameters \(\{(k_n, t_n)\}_{n \in \mathbb {N}}\) such that for large n, the following holds:
1. The probability that a list vector \(\varvec{w}\) close (see footnote 5) to a target vector \(\varvec{v}\) collides with \(\varvec{v}\) in at least one of the t hash tables is at least constant in n:
$$\begin{aligned} p_1^* = \mathbb {P}_{\{h_{i,j}\} \subset \mathcal {H}}(\varvec{v}, \varvec{w} \text { collide} \mid \theta (\varvec{v}, \varvec{w}) \le \tfrac{\pi }{3}) \ge 1 - \varepsilon . \quad (\varepsilon \ne \varepsilon (n)) \end{aligned} \tag{6}$$
2. The average probability that a list vector \(\varvec{w}\) far away (see footnote 5) from a target vector \(\varvec{v}\) collides with \(\varvec{v}\) is exponentially small:
$$\begin{aligned} p_2^* = \mathbb {P}_{\{h_{i,j}\} \subset \mathcal {H}}(\varvec{v}, \varvec{w} \text { collide} \mid \theta (\varvec{v}, \varvec{w}) > \tfrac{\pi }{3}) \le N^{-0.5681 + o(1)}. \end{aligned} \tag{7}$$
3. The number of hash tables grows as \(t = N^{0.4319 + o(1)}\).
This would imply that for each search, the number of candidate vectors is of the order \(N \cdot N^{-0.5681} = N^{0.4319}\). Overall we search the list \(\tilde{O}(N)\) times, so after substituting \(N = (4/3)^{n/2 + o(n)}\) this leads to the following time and space complexities:
- Time (hashing): \(O(N \cdot t) = 2^{0.2972n + o(n)}\).
- Time (searching): \(O(N^2 \cdot p_2^*) = 2^{0.2972n + o(n)}\).
- Space: \(O(N \cdot t) = 2^{0.2972n + o(n)}\).
The next two subsections are dedicated to proving Eqs. (6) and (7).
A.1 Good Vectors Collide with Constant Probability
The following lemma shows how to choose k (in terms of t) to guarantee that (6) holds.
Lemma 3
Let \(\varepsilon > 0\) and let \(k = 6 n^{-1/2} (\ln t - \ln \ln (1/\varepsilon )) \approx (6 \ln t) / \sqrt{n}\). Then the probability that reducing vectors collide in at least one of the hash tables is at least \(1 - \varepsilon \).
Proof
The probability that a reducing vector \(\varvec{w}\) is a candidate vector, given the angle \(\varTheta = \varTheta (\varvec{v}, \varvec{w}) \in (0, \frac{\pi }{3})\), is \(p_1^* = \mathbb {E}_{\varTheta \in (0, \frac{\pi }{3})} \left[ p^*(\varTheta )\right] \), where we recall that \(p^*(\theta ) = 1 - (1 - p(\theta )^k)^t\) and \(p(\theta ) = \mathbb {P}_{h \in \mathcal {H}}[h(\varvec{v}) = h(\varvec{w})]\) is given in Lemma 2. Since \(p^*(\varTheta )\) is strictly decreasing in \(\varTheta \), we can obtain a lower bound by substituting \(\varTheta = \frac{\pi }{3}\) above. Using the bound \(1 - x \le e^{-x}\) which holds for all x, and inserting the given expression for k, we obtain \(p_1^* \ge p^*\left( \tfrac{\pi }{3}\right) = 1 - (1 - \exp (\ln \ln (\tfrac{1}{\varepsilon }) - \ln t))^t = 1 - \left( 1 - \tfrac{\ln (1/\varepsilon )}{t}\right) ^t \ge 1 - \varepsilon \).
A.2 Bad Vectors Collide with Low Probability
We first recall a lemma about the density of angles between random vectors. In short, the density at an angle \(\theta \) is proportional to \((\sin \theta )^n\).
Lemma 4
[24, Lemma 4] Assuming Heuristic 1 holds, the pdf \(f(\theta )\) of the angle between target vectors and list vectors satisfies
The following lemma relates the collision probability \(p_2^*\) of (7) to the parameters k and t. Since Lemma 3 relates k to t, this means that only t ultimately remains to be chosen.
Lemma 5
Suppose \(N = 2^{c_n \cdot n}\) with \(c_n \ge \gamma _1 = \frac{1}{2} \log _2(\frac{4}{3}) \approx 0.2075\), and suppose \(t = 2^{c_t \cdot n}\). Let \(k = \frac{6 \ln t}{\sqrt{n}}(1 - o(1))\). Then, for large n, under Heuristic 1 we have
where \(\alpha \in (0,1)\) is defined as
Proof
First, if we know the angle \(\theta \in (\frac{\pi }{3}, \frac{\pi }{2})\) between two bad vectors, then according to Lemma 2 the probability of a collision in at least one of the hash tables is equal to
Letting \(f(\theta )\) denote the density of angles \(\theta \) on \((\frac{\pi }{3}, \frac{\pi }{2})\), we have
Substituting \(p^*(\theta )\) and the expression of Lemma 4 for \(f(\theta )\), noting that \(\int _{\pi /3}^{\pi /2} f(\theta ) d\theta \approx \int _0^{\pi /2} f(\theta ) d\theta = 1\), we get
For convenience, let us write \(w(\theta ) = -3 \ln t\tan ^2\left( \frac{\theta }{2}\right) (1 + o(1))\). Note that for \(\theta \gg \frac{\pi }{3}\) we have \(w(\theta ) \ll -\ln t\) so that \((1 - \exp w(\theta ))^t \approx 1 - t \exp w(\theta )\), in which case we can simplify the expression between square brackets. However, the integration range includes \(\frac{\pi }{3}\) as well, so to be careful we will split the integration interval at \(\frac{\pi }{3} + \delta \), where \(\delta = \varTheta (n^{-1/2})\). (Note that any value \(\delta \) with \(\frac{1}{n} \ll \delta \ll 1\) suffices.)
Bounding \(I_1\). Using \(f(\theta ) \le f(\frac{\pi }{3} + \delta )\), \(p^*(\theta ) \le 1\), and \(\sin (\frac{\pi }{3} + \delta ) = \frac{1}{2} \sqrt{3} \left[ 1 + O(\delta )\right] \) (which follows from a Taylor expansion of \(\sin x\) around \(x = \frac{\pi }{3}\)), we obtain
Bounding \(I_2\). For \(I_2\), our choice of \(\delta \) is sufficient to make the aforementioned approximation work (see footnote 6). Thus, for \(I_2\) we obtain the simplified expression
Note that the integrand is exponential in n and that the exponent \(E(\theta ) = n \log _2 \sin \theta + (-3 \tan ^2 \frac{\theta }{2} - 1) \log _2 t\) is a continuous, differentiable function of \(\theta \). So the asymptotic behavior of the entire integral \(I_2\) is the same as the asymptotic behavior of the integrand’s maximum value:
Bounding \(p_2^* = I_1 + I_2\). Combining (15), (18), and \(c_t = \frac{1}{n} \log _2 t\), we have
The assumption \(c_n \ge \gamma _1\) and the definition of \(\alpha \le 1\) now give \(\log _2 p_2^* \le -\alpha c_n n + o(n)\) which completes the proof.
A.3 Balancing the Parameters
Recall that the overall time and space complexities are given by \(O(N \cdot t) = 2^{(c_n + c_t)n + o(n)}\) (time for hashing), \(O(N^2 \cdot p_2^*) = 2^{(c_n + (1 - \alpha ) c_n)n + o(n)}\) (time for comparing vectors), and \(O(N \cdot t) = 2^{(c_n + c_t)n + o(n)}\) (memory requirement). For the overall time and space complexities \(2^{c_{\text {time}} n}\) and \(2^{c_{\text {space}} n}\) we find
Further recall that from Nguyen and Vidick’s analysis, we have \(N = (4/3)^{n/2 + o(n)}\) or \(c_n = \gamma _1\). To balance the time complexities of hashing and searching, so that the overall time complexity is minimized, we solve \((1 - \alpha ) \gamma _1 = c_t\) numerically (see footnote 7) for \(c_t\) to obtain the following corollary. Here \(\theta ^*\) denotes the dominant angle \(\theta \) maximizing the expression in (10). Note that the final result takes into account the density at \(\theta = \theta ^*\) as well, and so the result does not simply follow from Lemma 2.
Corollary 1
Taking \(c_t \approx 0.089624\) leads to:
Thus, setting \(t \approx 2^{0.08962 n}\) and \(k = \varTheta (\sqrt{n})\), the heuristic time and space complexities of the SphereSieve algorithm are balanced at \(2^{0.29714n + o(n)}\).
A.4 Trade-Off Between the Space and Time Complexities
Finally, note that \(c_t = 0\) leads to the original Nguyen-Vidick sieve algorithm, while \(c_t \approx 0.089624\) minimizes the heuristic time complexity at the cost of more space. One can obtain a continuous trade-off between these two extremes by considering values \(c_t \in (0, 0.089624)\). Numerically evaluating the resulting complexities for this range of values of \(c_t\) leads to the curve shown in Fig. 1.
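The balancing step of A.3 and the trade-off of A.4 can be reproduced numerically. The following Python code is an added example, not code from the paper: it fixes \(c_n = \gamma _1\), drops all \(o(1)\) terms, and assumes \(\alpha = -\max _\theta E(\theta ) / (\gamma _1 n)\) capped at 1, with \(E(\theta ) = n \log _2 \sin \theta + (1 - 3 \tan ^2 \frac{\theta }{2}) \log _2 t\) obtained by multiplying the density \((\sin \theta )^n\) by \(t \exp w(\theta )\); all function names are illustrative.

```python
import math

GAMMA1 = 0.5 * math.log2(4 / 3)  # c_n = gamma_1 ~ 0.2075, from N = (4/3)^{n/2}

def exponent(theta, c_t):
    """E(theta)/n for the density sin^n(theta) times t*exp(w(theta)), o(1) terms dropped."""
    return math.log2(math.sin(theta)) + (1 - 3 * math.tan(theta / 2) ** 2) * c_t

def dominant_angle(c_t, iters=200):
    """theta* maximising E on [pi/3, pi/2]; E is concave there, so ternary search works."""
    lo, hi = math.pi / 3, math.pi / 2
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if exponent(m1, c_t) < exponent(m2, c_t):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2

def alpha(c_t):
    """Assumed definition: p_2^* = 2^{-alpha*gamma_1*n}; the I_1 term caps alpha at 1."""
    return min(1.0, -exponent(dominant_angle(c_t), c_t) / GAMMA1)

def exponents(c_t):
    """(time, space) exponents c such that the cost is 2^{c n + o(n)}."""
    hashing = GAMMA1 + c_t                          # O(N * t)
    searching = GAMMA1 + (1 - alpha(c_t)) * GAMMA1  # O(N^2 * p_2^*)
    return max(hashing, searching), hashing

def balanced_c_t(lo=0.0, hi=0.2, iters=60):
    """Bisection on (1 - alpha) * gamma_1 = c_t, the balancing condition of A.3."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if (1 - alpha(mid)) * GAMMA1 > mid:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def tradeoff(steps=4):
    """Time/space exponents for c_t from 0 (Nguyen-Vidick) up to the balanced value."""
    top = balanced_c_t()
    return [(c, *exponents(c)) for c in (top * i / steps for i in range(steps + 1))]

if __name__ == "__main__":
    c_t = balanced_c_t()
    print(f"c_t = {c_t:.6f}, alpha = {alpha(c_t):.4f}, "
          f"theta* = {math.degrees(dominant_angle(c_t)):.2f} deg")
    for c, time_exp, space_exp in tradeoff():
        print(f"c_t = {c:.5f}  time 2^({time_exp:.5f} n)  space 2^({space_exp:.5f} n)")
```

The first row of the trade-off, \(c_t = 0\), gives the Nguyen-Vidick exponents \(2\gamma _1\) and \(\gamma _1\); the last row is the balanced point of Corollary 1.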
© 2015 Springer International Publishing Switzerland
Laarhoven, T., de Weger, B. (2015). Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science(), vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22173-1
Online ISBN: 978-3-319-22174-8