analyzing blockwise lattice algorithms using dynamical
play

Analyzing Blockwise Lattice Algorithms using Dynamical Systems - PowerPoint PPT Presentation

Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehl e ENS Lyon, LIP (CNRS ENSL INRIA UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 1/16


  1. Analyzing Blockwise Lattice Algorithms using Dynamical Systems Guillaume Hanrot, Xavier Pujol, Damien Stehl´ e ENS Lyon, LIP (CNRS – ENSL – INRIA – UCBL - ULyon) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 1/16

  2. Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

  3. Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

  4. Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

  5. Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

  6. Context Lattices provide exponentially hard problems suitable for public key cryptography. Best known attacks on lattice-based cryptosystems rely on blockwise lattice reduction algorithms. Understanding these algorithms helps assessing the security of LBC. The most widely used reduction algorithm is BKZ. No reasonable time bound was known about BKZ. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 2/16

  7. Contributions We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

  8. Contributions We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

  9. Contributions We give the first worst-case analysis of BKZ. We introduce a new BKZ model. It gives new tools for understanding lattice algorithms. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 3/16

  10. b b b b b b b b b b b b b b b b b Lattices a 1 a 2 (SVP) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

  11. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 (SVP)Lattice reduction(SVP) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

  12. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 (SVP)Determinant(SVP) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

  13. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor of B : � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector � = 0, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

  14. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor of B : � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector � = 0, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

  15. b b b b b b b b b b b b b b b b b Lattices b 2 b 1 Hermite factor of B : � b 1 � HF ( b 1 , . . . , b n ) = (det L ) 1 / n Goal of lattice reduction: find a basis with small HF. If b 1 is a shortest vector � = 0, then HF ( b 1 , . . . , b n ) ≤ √ γ n , with γ n = Hermite constant ≤ n . Analyzing Blockwise Lattice Algorithms using Dynamical Systems 4/16

  16. Hierarchy of lattice reductions in dimension n x i = log � b ∗ i � for i ≤ n ( b ∗ 1 , . . . , b ∗ n = Gram-Schmidt basis of B ). Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

  17. Hierarchy of lattice reductions in dimension n x i = log � b ∗ i � for i ≤ n ( b ∗ 1 , . . . , b ∗ n = Gram-Schmidt basis of B ). HKZ BKZ β LLL Hermite-Korkine-Zolorareff Block Korkine-Zolotareff Lenstra-Lenstra-Lov´ asz x 1 x 2 x 3 x 4 x 5 x 6 HF: √ γ n n n ≃ ( γ β ) ≃ ( γ 2 ) 2 β 2 Time: 2 O ( n ) 2 O ( β ) × ? Poly ( n ) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

  18. Hierarchy of lattice reductions in dimension n x i = log � b ∗ i � for i ≤ n ( b ∗ 1 , . . . , b ∗ n = Gram-Schmidt basis of B ). HKZ BKZ β LLL Hermite-Korkine-Zolorareff Block Korkine-Zolotareff Lenstra-Lenstra-Lov´ asz x 1 x 2 x 3 x 4 x 5 x 6 x 1 x 2 x 3 x 4 x 5 x 6 HF: √ γ n n n ≃ ( γ β ) ≃ ( γ 2 ) 2 β 2 Time: 2 O ( n ) 2 O ( β ) × ? Poly ( n ) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

  19. Hierarchy of lattice reductions in dimension n x i = log � b ∗ i � for i ≤ n ( b ∗ 1 , . . . , b ∗ n = Gram-Schmidt basis of B ). HKZ BKZ β LLL Hermite-Korkine-Zolorareff Block Korkine-Zolotareff Lenstra-Lenstra-Lov´ asz x 1 x 2 x 3 x 4 x 5 x 6 x 1 x 2 x 3 x 4 x 5 x 6 x 1 x 2 x 3 x 4 x 5 x 6 HF: √ γ n n n ≃ ( γ β ) ≃ ( γ 2 ) 2 β 2 Time: 2 O ( n ) 2 O ( β ) × ? Poly ( n ) Analyzing Blockwise Lattice Algorithms using Dynamical Systems 5/16

  20. Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2 O ( β ) × Poly ( n ): Schnorr (1987) : Semi-block-2 β -reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

  21. Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2 O ( β ) × Poly ( n ): Schnorr (1987) : Semi-block-2 β -reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

  22. Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2 O ( β ) × Poly ( n ): Schnorr (1987) : Semi-block-2 β -reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

  23. Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2 O ( β ) × Poly ( n ): Schnorr (1987) : Semi-block-2 β -reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

  24. Known results on blockwise algorithms BKZ Schnorr (1987): first hierarchies between LLL and HKZ. Schnorr and Euchner (1994): algorithm for BKZ-reduction. Gama and Nguyen (2008): BKZ behaves badly when the block size is ≥ 25. Other reductions in time 2 O ( β ) × Poly ( n ): Schnorr (1987) : Semi-block-2 β -reduction. Gama et al. (2006): Block-Rankin-reduction. Gama and Nguyen (2008): Slide-reduction. ...but BKZ remains the most efficient in practice. Analyzing Blockwise Lattice Algorithms using Dynamical Systems 6/16

  25. BKZ Algorithm (BKZ β , modified version) Input: B of dimension n . Repeat ... times For i from 1 to n − β + 1 do Size-reduce B . HKZ-reduce a projection of the block ( b i , . . . , b i + β − 1 ) . Report the transformation on B . Termination? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

  26. BKZ Algorithm (BKZ β , modified version) Input: B of dimension n . Repeat ... times For i from 1 to n − β + 1 do Size-reduce B . HKZ-reduce a projection of the block ( b i , . . . , b i + β − 1 ) . Report the transformation on B . Termination? Analyzing Blockwise Lattice Algorithms using Dynamical Systems 7/16

Recommend


More recommend