analysis of bkz
play

Analysis of BKZ Guillaume Hanrot, Xavier Pujol, Damien Stehl e - PowerPoint PPT Presentation

Aug 30, 2022 •517 likes •1.44k views

Analysis of BKZ Guillaume Hanrot, Xavier Pujol, Damien Stehl e ENSL, LIP, CNRS, INRIA, Universit e de Lyon, UCBL May 5, 2011 Analysis of BKZ 1/32 b b b b b b b b b b b b b b b b b Lattices a 1 a 2 (SVP) Analysis of BKZ

  1. Analysis of BKZ Guillaume Hanrot, Xavier Pujol, Damien Stehl´ e ENSL, LIP, CNRS, INRIA, Universit´ e de Lyon, UCBL May 5, 2011 Analysis of BKZ 1/32

  2. b b b b b b b b b b b b b b b b b Lattices a 1 a 2 (SVP) Analysis of BKZ 2/32

  3. b b b b b b b b b b b b b b b b b Lattices b 1 (SVP)Shortest vector problem (SVP)(SVP) Analysis of BKZ 2/32

  4. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 (SVP)Lattice reduction(SVP) Analysis of BKZ 2/32

  5. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 (SVP)Determinant(SVP) Analysis of BKZ 2/32

  6. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor: � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analysis of BKZ 2/32

  7. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor: � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analysis of BKZ 2/32

  8. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor: � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analysis of BKZ 2/32

  9. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  10. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  11. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  12. Lattice reduction Lattice reduction and shortest vector problem: The security of lattice-based cryptosystems relies on the hardness of (variants of) SVP. SVP and lattice reduction are interdependent problems. Hierarchy of lattice reductions in dimension n : HKZ BKZ β LLL Hermite √ γ n n − 1 n − 1 ≃ ( γ β (1 + ǫ )) ( γ 2 (1 + ǫ )) 2( β − 1) 2 factor 2 O ( n ) 2 O ( β ) × ? Time Poly ( n ) HKZ = Hermite-Korkine-Zolotareff BKZ = Block Korkine-Zolotareff Analysis of BKZ 3/32

  13. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  14. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  15. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  16. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  17. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  18. History of BKZ Practice Theory Schnorr and Euchner (1994): Schnorr (1987): first algorithm for BKZ-reduction, hierarchies of algorithms without complexity analysis. between LLL and HKZ. Shoup: first public Gama et al. (2006): implementation of BKZ in Block-Rankin-reduction. NTL. Gama and Nguyen (2008): Gama and Nguyen (2008): Slide-reduction. BKZ behaves badly when the block size is ≥ 25. Analysis of BKZ 4/32

  19. Slide-reduction: Outputs a basis whose theoretical quality is equivalent to BKZ. Polynomial number of calls to a SVP oracle. Not as efficient as BKZ in practice. Analysis of BKZ 5/32

  20. Progress made during the execution of BKZ Quality of BKZ output 1.021 BKZ BKZ’ 1.02 1.019 1.018 Hermite factor 1.017 1.016 1.015 1.014 1.013 1.012 0 20 40 60 80 100 Number of tours Experience on 64 LLL-reduced knapsack-like matrices ( n = 108 , β = 24). Analysis of BKZ 6/32

  21. Progress made during the execution of BKZ Quality of BKZ output 1.021 BKZ BKZ’ 1.02 1.019 1.018 Hermite factor 1.017 1.016 1.015 1.014 1.013 1.012 0 200 400 600 800 1000 1200 Number of tours Experience on 64 LLL-reduced knapsack-like matrices ( n = 108 , β = 24). Analysis of BKZ 6/32

  22. Our result γ β = Hermite constant ≤ β . L a lattice with basis ( b 1 , . . . , b n ). Theorem � n 3 � �� � b i � log n After O ǫ + log log max calls to HKZ β , β 2 (det L ) 1 / n BKZ β returns a basis C of L such that: 2( β − 1) + 3 n − 1 HF ( C ) ≤ (1 + ǫ ) γ β 2 Analysis of BKZ 7/32

  23. Reminders on lattice reduction 1 Analysis of BKZ in the sandpile model 2 Analysis of BKZ 3 Applications to LLL 4 Conclusion 5 Analysis of BKZ 8/32

  24. Reminders on lattice reduction 1 Analysis of BKZ in the sandpile model 2 Analysis of BKZ 3 Applications to LLL 4 Conclusion 5 Analysis of BKZ 9/32

  25. Gram-Schmidt orthogonalization b 1 , . . . , b n linearly independent. The Gram-Schmidt orthogona- b 3 lization b ∗ 1 , . . . , b ∗ n is defined by: For all i > j , ( b i , b ∗ j ) µ i , j = j � 2 . � b ∗ For all i , i = b i − � b ∗ j < i µ i , j b ∗ j . b 2 b 1 A basis is size-reduced if all the | µ i , j | are ≤ 1 2 . Analysis of BKZ 10/32

  26. Gram-Schmidt orthogonalization b 1 , . . . , b n linearly independent. The Gram-Schmidt orthogona- b 3 lization b ∗ 1 , . . . , b ∗ b ∗ n is defined by: 3 For all i > j , ( b i , b ∗ j ) µ i , j = j � 2 . � b ∗ b ∗ For all i , 2 i = b i − � b ∗ j < i µ i , j b ∗ j . b 2 = b ∗ b 1 1 A basis is size-reduced if all the | µ i , j | are ≤ 1 2 . Analysis of BKZ 10/32

  27. Gram-Schmidt orthogonalization b 1 , . . . , b n linearly independent. The Gram-Schmidt orthogona- b 3 lization b ∗ 1 , . . . , b ∗ b ∗ n is defined by: 3 For all i > j , ( b i , b ∗ j ) µ i , j = j � 2 . � b ∗ b ∗ For all i , 2 i = b i − � b ∗ j < i µ i , j b ∗ j . b 2 = b ∗ b 1 1 A basis is size-reduced if all the | µ i , j | are ≤ 1 2 . Analysis of BKZ 10/32

  28. LLL B is δ -LLL-reduced if: It is size-reduced; i � 2 ≤ � b ∗ i +1 � 2 + µ 2 i � 2 for all i < n . δ � b ∗ i +1 , i � b ∗ → x i ≤ 1 ( x i = log � b ∗ 2 log γ 2 + x i +1 − log δ i � ) Analysis of BKZ 11/32

  29. LLL B is δ -LLL-reduced if: It is size-reduced; i � 2 ≤ � b ∗ i +1 � 2 + µ 2 i � 2 for all i < n . δ � b ∗ i +1 , i � b ∗ → x i ≤ 1 ( x i = log � b ∗ 2 log γ 2 + x i +1 − log δ i � ) 1 2 log γ 2 − log δ x 1 x 2 x 3 x 4 x 5 Analysis of BKZ 11/32

Recommend

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction

Technical Analysis Technical Analysis Technical Analysis Technical Analysis Introduction Technical analysis is the attempt to forecast stock prices on the basis of market-derived data. Technicians (also known as quantitative analysts or

853 views • 73 slides
T ask Analysis Ov erview What is task analysis? T ask Analysis Metho ds task

T ask Analysis Ov erview What is task analysis? T ask Analysis Metho ds task

T ask Analysis Ov erview What is task analysis? T ask Analysis Metho ds task decomp osition kno wledge based analysis en tit y-relati onshi p tec hniques Sources of Information Uses of T ask Analysis

398 views • 27 slides
Technical Analysis for FX Options W hat is Technical Analysis? Technical analysis, also

Technical Analysis for FX Options W hat is Technical Analysis? Technical analysis, also

Technical Analysis for FX Options W hat is Technical Analysis? Technical analysis, also known as charting, is an attempt to predict future prices, by studying the trading history of a traded security (currencies, equities, commodities,

473 views • 44 slides
various analysis, and all necessary analysis tools

various analysis, and all necessary analysis tools

Analysis page includes topics for analysis, descriptions of various analysis, and all necessary analysis tools

512 views • 9 slides
DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS METHODS FOR DESIGN &amp; ANALYSIS METHODS

DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS METHODS FOR DESIGN &amp; ANALYSIS METHODS

SNAME Philadelphia Section Meeting May 2013 y USA (originally presented at MTU Naval Symposium, September 2011, GERMANY) DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS METHODS FOR DESIGN &amp; ANALYSIS METHODS DESIGN &amp; ANALYSIS

1.11k views • 80 slides
. . . . . . . . . . . . . . . . . . . . . Let denote an average .

. . . . . . . . . . . . . . . . . . . . . Let denote an average .

Overview Factor Analysis and Beyond Principal Components Analysis Factor Analysis Independent Components Analysis Chris Williams Non-linear Factor Analysis School of Informatics, University of Edinburgh Reading: Handout on

206 views • 7 slides
Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation Procedure Inlining and Cloning cs6363 1 Introduction Interprocedural Analysis Gathering information about the whole program instead of a

496 views • 22 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
Bioinformatics: Network Analysis Flux Balance Analysis and Metabolic Control Analysis COMP 572

Bioinformatics: Network Analysis Flux Balance Analysis and Metabolic Control Analysis COMP 572

Bioinformatics: Network Analysis Flux Balance Analysis and Metabolic Control Analysis COMP 572 (BIOS 572 / BIOE 564) - Fall 2013 Luay Nakhleh, Rice University 1 Flux Balance Analysis (FBA) Flux balance analysis (FBA), an optimality-base

955 views • 52 slides
SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT

SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT

SWOT Analysis W T S O SWOT Analysis Learning Objectives What is SWOT Analysis? What is SWOT Analysis? Aim of SWOT Analysis Who needs SWOT Analysis? How to conduct SWOT Analysis? Benefits &amp; Pitfalls of SWOT Analysis Brainstorming

445 views • 31 slides
ROT Content Analysis Workshop ECAS Office of Communications What is a ROT analysis?

ROT Content Analysis Workshop ECAS Office of Communications What is a ROT analysis?

ROT Content Analysis Workshop ECAS Office of Communications What is a ROT analysis? Examples of ROT content Why conduct a ROT Analysis? Steps in conducting an analysis Writing for the web Questions What is a ROT analysis?

491 views • 17 slides
The Deliverables of Gap Analysis Conducted by NAMA: To Provide a Comprehensive Gap Analysis

The Deliverables of Gap Analysis Conducted by NAMA: To Provide a Comprehensive Gap Analysis

1 Infrastructure Gap Analysis and Aviation Master Planning ICAO WORKSHOP ON AVIATION INFRASTRUCTURE GAP ANALYSIS ABUJA, NIGERIA Aviation Infrastructure Gap Analysis and Master Plan Development Process - Exchange of experiences and lessons

408 views • 40 slides
Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis

csci 210: Data Structures Program Analysis 1 Summary Summary analysis of algorithms asymptotic analysis big-O big-Omega big-theta asymptotic notation commonly used functions discrete math

500 views • 33 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis

Amortized Analysis Chapter 17 1 CPTR 430 Algorithms Amortized Analysis Amortized Analysis Amortized analysis averages the time required to perform a sequence of operations on a data structure over all the operations performed An

2.15k views • 56 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Analyzing Quantitative Data Analysis is about QUESTIONS Does physical vs soft keyboard, known

Analyzing Quantitative Data Analysis is about QUESTIONS Does physical vs soft keyboard, known

Analyzing Quantitative Data Analysis is about QUESTIONS Does physical vs soft keyboard, known vs unknown language affect typing speed or error rate? Hypotheses? Analysis Analysis (2) Analysis (3) Analysis (2) Results Univariate Tests

647 views • 27 slides
Quarter ended 30 th June 2018 1 1 2 3 Sales and Performance Collection Asset Analysis

Quarter ended 30 th June 2018 1 1 2 3 Sales and Performance Collection Asset Analysis

Board Presentation dated 17 th July 2018 Quarter ended 30 th June 2018 1 1 2 3 Sales and Performance Collection Asset Analysis Analysis Analysis 4 5 6 Management Liability Analysis Discussion &amp; Analysis 5 Quarters Analysis BLUE

356 views • 33 slides
Interprocedural Analysis Last time Alias analysis Today Interprocedural analysis CS553

Interprocedural Analysis Last time Alias analysis Today Interprocedural analysis CS553

Interprocedural Analysis Last time Alias analysis Today Interprocedural analysis CS553 Lecture Interprocedural Analysis 2 Using Alias Information Example: reaching definitions Compute at each point in the program a set of ( s,v

99 views • 9 slides
Real Analysis a short presentation on what and why I. Fourier Analysis Fourier analysis is

Real Analysis a short presentation on what and why I. Fourier Analysis Fourier analysis is

Real Analysis a short presentation on what and why I. Fourier Analysis Fourier analysis is about taking functions and realizing them or approximating them in terms of periodic (trig) functions. Many, many practical applications. Def: R = {

191 views • 17 slides
Assignment 1 1. Intra Procedural Dominator Analysis Dominator analysis is an important problem,

Assignment 1 1. Intra Procedural Dominator Analysis Dominator analysis is an important problem,

Assignment 1 1. Intra Procedural Dominator Analysis Dominator analysis is an important problem, with applications ranging from optimizing compilers to network flow analysis. The analysis determines for each node in a directed graph by which

296 views • 3 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
Discriminant Analysis aka. Discriminant Function Analysis Discriminant Analysis (DISCRIM)

Discriminant Analysis aka. Discriminant Function Analysis Discriminant Analysis (DISCRIM)

Multivariate Fundamentals: Rotation Pre-determined Groups Discriminant Analysis aka. Discriminant Function Analysis Discriminant Analysis (DISCRIM) Analysis for pre-determined groups Objective - Rotate that data so that variation between groups

110 views • 8 slides

More recommend