Measuring, simulating and exploiting the head concavity phenomenon in BKZ
Shi Bai (1), Damien Stehlé (2), Weiqiang Wen (3)
(1) Florida Atlantic University, USA. (2) École Normale Supérieure de Lyon, France. (3) IRISA, Université Rennes 1, France.
Asiacrypt 2018, Brisbane, Australia.
Outline
The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography.
1. Explain and quantify the shorter-than-expected phenomenon in the head region in BKZ.
2. A more accurate simulator for BKZ.
3. A new BKZ variant that exploits the shorter-than-expected phenomenon.
Lattice
[Figure: a 2-dimensional lattice drawn with a basis $(b_1, b_2)$ and a shorter basis $(\hat{b}_1, \hat{b}_2)$; the minimum $\lambda_1$ and the Gram–Schmidt vectors $b_1^*, b_2^*$ are marked.]
Definition. Given a set of linearly independent vectors $\{b_1, \cdots, b_n\} \subseteq \mathbb{Q}^m$, the lattice $L$ spanned by the $b_i$'s is
$$L(\{b_1, \cdots, b_n\}) = \Big\{ \sum_{i=1}^{n} z_i b_i \ \Big|\ z_i \in \mathbb{Z} \Big\}.$$
Let $B$ be the column matrix of $\{b_1, \cdots, b_n\}$ and denote the lattice by $L(B)$.
Lattice minimum. Given a lattice $L$, the minimum $\lambda_1(L)$ is the norm of a shortest non-zero vector in $L$.
Bases of a lattice. Given $B_1, B_2 \in \mathbb{Q}^{m \times n}$, then $L(B_1) = L(B_2)$ iff $B_2 = B_1 U$ for some unimodular matrix $U \in \mathbb{Z}^{n \times n}$.
The BKZ lattice reduction algorithm helps to find bases like $(\hat{b}_1, \hat{b}_2)$ in the figure.
Gram–Schmidt orthogonalization. Let $B^* = (b_1^*, \cdots, b_n^*)$ denote the Gram–Schmidt orthogonalization of $B$. The determinant of a lattice $L$ is $\det(L) = \prod_i \|b_i^*\|$.
BKZ-$\beta$ reduced
Given $B = (b_1, \cdots, b_n)$, let $b_i^{(j)}$ denote the orthogonal projection of $b_i$ onto the subspace $(b_1, \cdots, b_{j-1})^{\perp}$. For $i < j \le n$, let $B_{[i,j]}$ denote the (matrix) local block $(b_i^{(i)}, \cdots, b_j^{(i)})$ and $L_{[i,j]}$ denote the lattice generated by $B_{[i,j]}$.
Definition. A basis $B$ is BKZ-$\beta$ reduced for block size $\beta \ge 2$ if it is size-reduced* and satisfies:
$$\|b_i^*\| = \lambda_1\big(L_{[i,\ \min(i+\beta-1,\ n)]}\big), \quad \forall i \le n.$$
* A basis $B$ is size-reduced if it satisfies $|\mu_{i,j}| \le 1/2$ for $j < i \le n$, where $\mu_{i,j} = \langle b_i, b_j^* \rangle / \|b_j^*\|^2$.
The BKZ algorithm
The algorithm attempts to make all local blocks satisfy the minimality condition above simultaneously.
Algorithm 1: BKZ algorithm (Schnorr and Euchner)
Input: A basis $B = (b_1, \cdots, b_n)$, a block size $\beta$.
Output: A BKZ-$\beta$ reduced basis of $L(B)$.
1: repeat
2:   for $i = 1$ to $n-1$ do
3:     SVP$_\beta$: find $b$ such that $\|b^{(i)}\| = \lambda_1\big(L(b_i^{(i)}, \cdots, b_{\min(n,\ i+\beta-1)}^{(i)})\big)$.
4:     if $\|b_i^*\| > \lambda_1\big(L(b_i^{(i)}, \cdots, b_{\min(n,\ i+\beta-1)}^{(i)})\big)$ then
5:       LLL-reduce$(b_1, \cdots, b_{i-1}, b, b_i, \cdots, b_{\min(n,\ i+\beta)})$.
6:     else
7:       LLL-reduce$(b_1, \cdots, b_{\min(n,\ i+\beta)})$.
8:     end if
9:   end for
10: until no change occurs.
• [Line 3] In practice, the SVP solver can be pruned enumeration or sieving.
C. P. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. In FCT'91.
SVP Challenge. https://www.latticechallenge.org/svp-challenge/.
Quality of a BKZ-$\beta$ reduced basis
A concrete cryptanalysis relies on the BKZ simulator of Chen and Nguyen (ASIACRYPT'11). It uses the Gaussian heuristic on local blocks, with a modification for the tail blocks.
Gaussian heuristic. For any random $n$-dimensional lattice $L$, we have
$$\lambda_1(L) \approx \mathrm{GH}(L) = \frac{1}{v_n^{1/n}} \cdot \det(L)^{1/n},$$
where $v_n$ is the volume of a unit $n$-ball.
Y. Chen and P.Q. Nguyen. BKZ 2.0: Better lattice security estimates. In ASIACRYPT'11.
(Simplified) Chen–Nguyen simulator
Algorithm 2: (Simplified) Chen–Nguyen simulator.
Input: G-S norms $(\|b_1^*\|, \cdots, \|b_n^*\|)$, a block size $\beta$.
Output: Simulated G-S norms of a BKZ-$\beta$ reduced basis of $L(B)$.
1: repeat
2:   for $i = 1$ to $n-1$ do
3:     (SVP$_\beta$ of Algorithm 1, "find $b$ such that $\|b^{(i)}\| = \lambda_1(\cdots)$", is not performed: the minimum of the local block is replaced by its Gaussian heuristic in lines 4–5.)
4:     if $\|b_i^*\| > \mathrm{GH}\big(L(b_i^{(i)}, \cdots, b_{\min(n,\ i+\beta-1)}^{(i)})\big)$ then
5:       Update $\|b_i^*\| = \mathrm{GH}\big(L(b_i^{(i)}, \cdots, b_{\min(n,\ i+\beta-1)}^{(i)})\big)$.
6:     else
7:       Keep $\|b_i^*\|$ unchanged.
8:     end if
9:   end for
10: until no change occurs.
Practical behavior of Chen–Nguyen's simulator
[Figure: experimental $\log \|b_i^*\|$ versus the Chen–Nguyen simulator. Left: Gram–Schmidt log-norms of BKZ-45 at tour 50, index $i$ from 1 to 100. Right: same as the left-hand side, but zoomed in on indices 1 to 10.]
Such a "head concavity" phenomenon has been reported in
◮ experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT'11);
◮ and modeled by Yu and Ducas (SAC'17).
Y. Yu and L. Ducas. Second Order Statistical Behavior of LLL and BKZ. In SAC'17.
A better simulator using the distribution of $\lambda_1$ in random lattices.
Tools
Let $\Gamma_n = \{L \subseteq \mathbb{R}^n \mid \mathrm{vol}(L) = 1\}$ be the set of all full-rank $n$-dimensional lattices with unit volume.
Chen [Cor. 3.1.4] and Södergren [Thm. 1]: Distribution of the minimum in random lattices. Sample $L$ uniformly in $\Gamma_n$. The distribution of $v_n \cdot \lambda_1(L)^n$ converges in distribution to $\mathrm{Expo}(1/2)$ as $n \to \infty$.
Take $\lambda_1(L)$ as a random variable $Y$; then $Y = X^{1/n} \cdot \mathrm{GH}(L)$ for $X$ sampled from $\mathrm{Expo}(1/2)$.
Y. Chen. Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. PhD thesis, Université Paris Diderot, 2013.
A. Södergren. On the Poisson distribution of lengths of lattice vectors in a random lattice. Mathematische Zeitschrift, 2011.
A probabilistic BKZ simulator
Algorithm 3: The new BKZ simulator (simplified)
Input: G-S norms $(\|b_1^*\|, \cdots, \|b_n^*\|)$, a block size $\beta$.
Output: Simulated G-S norms of a BKZ-$\beta$ reduced basis of $L(B)$.
1: repeat
2:   for $i = 1$ to $n-1$ do
3:     Sample $X$ from $\mathrm{Expo}(1/2)$.
4:     if $\|b_i^*\| > X^{1/\beta} \cdot \mathrm{GH}\big(L(b_i^{(i)}, \cdots, b_{\min(n,\ i+\beta-1)}^{(i)})\big)$ then
5:       Update $\|b_i^*\| = X^{1/\beta} \cdot \mathrm{GH}\big(L(b_i^{(i)}, \cdots, b_{\min(n,\ i+\beta-1)}^{(i)})\big)$.
6:     else
7:       Keep $\|b_i^*\|$ unchanged.
8:     end if
9:   end for
10: until no change occurs.
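Algorithms 2 and 3 side by side, as an added Python example (not code from the slides or from the authors' implementation): one routine runs the Chen–Nguyen simulator when no sampler is given and the probabilistic simulator when it draws $X$ from Expo(1/2), on a constructed LLL-like Gram–Schmidt profile. Assumptions made here: Expo(1/2) is the exponential law with rate 1/2 (mean 2); each update keeps the local block's determinant fixed by spreading the loss over the rest of the block (the simplified pseudocode leaves this implicit); the Chen–Nguyen tail modification is omitted and, in the tail, the exponent $1/\beta$ becomes 1/(block dimension).

```python
import math
import random

def log_gh(log_norms):
    """log GH(L) = (log det(L) - log v_n) / n, with det(L) = prod ||b_i*|| (natural logs)."""
    n = len(log_norms)
    log_vn = (n / 2) * math.log(math.pi) - math.lgamma(n / 2 + 1)  # log volume of the unit n-ball
    return (sum(log_norms) - log_vn) / n

def expo_half():
    """X ~ Expo(1/2), read here as rate 1/2 (mean 2), so that v_n * lambda_1(L)^n ~ X."""
    return random.expovariate(0.5)

def simulate_bkz(log_norms, beta, max_tours=50, sample=None):
    """Simulated Gram-Schmidt log-norms after BKZ-beta on the given profile.
    sample=None      -> Algorithm 2 (Chen-Nguyen, GH of each block; tail modification omitted)
    sample=expo_half -> Algorithm 3 (X^(1/dim) * GH of each block, one fresh X per block)"""
    r = list(log_norms)
    n = len(r)
    for _ in range(max_tours):                    # "until no change occurs", bounded by max_tours
        changed = False
        for i in range(n - 1):
            j = min(n, i + beta)                  # block L_[i, min(n, i+beta-1)] is r[i:j] (0-indexed)
            est = log_gh(r[i:j])
            if sample is not None:
                est += math.log(sample()) / (j - i)  # X^(1/beta) factor; dim < beta only in the tail
            if r[i] > est:                        # a shorter vector is expected: shrink ||b_i*||
                delta = r[i] - est
                r[i] = est
                for k in range(i + 1, j):         # keep det of the block fixed: spread the loss
                    r[k] += delta / (j - i - 1)
                changed = True
        if not changed:
            break
    return r

def lll_like_profile(n, q=1.044):
    """Constructed input: geometric profile ||b_i*|| / ||b_{i+1}*|| = q, unit volume (slope assumed)."""
    return [((n - 1) / 2 - i) * math.log(q) for i in range(n)]

if __name__ == "__main__":
    random.seed(1)
    start = lll_like_profile(100)
    cn = simulate_bkz(start, 45)
    prob = simulate_bkz(start, 45, sample=expo_half)
    for i in range(10):                           # head region, compare with the zoomed plot
        print(f"i={i + 1:2d}  Chen-Nguyen={cn[i]:.3f}  probabilistic={prob[i]:.3f}")
```

Because the update only ever lowers $\|b_i^*\|$, repeating tours with a fresh $X$ each time keeps the smallest sampled estimate, which is the mechanism behind the shorter-than-expected head.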