shortest vector from lattice sieving a few dimensions for
play

Shortest Vector from Lattice Sieving: a Few Dimensions for Free eo - PowerPoint PPT Presentation

Feb 24, 2024 •497 likes •905 views

Shortest Vector from Lattice Sieving: a Few Dimensions for Free eo Ducas 1 L Cryptology Group, CWI, Amsterdam, The Netherlands EUROCRYPT 2018 Tel Aviv, April 30th 1 Supported by a Veni Innovational Research Grant from NWO (639.021.645). L

  1. Shortest Vector from Lattice Sieving: a Few Dimensions for Free eo Ducas 1 L´ Cryptology Group, CWI, Amsterdam, The Netherlands EUROCRYPT 2018 Tel Aviv, April 30th 1 Supported by a Veni Innovational Research Grant from NWO (639.021.645). L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 1 / 23

  2. Two class of Algorithms for SVP The Shortest Vector Problem I : The basis B of an n -dimensional lattice L O: A shortest non-zero vector v ∈ L Algorithm Running time Memory n n / 2 e · 2 O ( n ) Enumeration poly( n ) Sieving 2 [2 . 292 n + o ( n ) , 2 . 415 n + o ( n ) ] [2 . 2075 n + o ( n ) , 2 . 292 n + o ( n ) ] The paradox In theory, Sieving is faster. In pratice it is quite slower. 2 Given complexity are heuristic, heavily supported by experiments. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 2 / 23

  3. Two class of Algorithms for SVP The Shortest Vector Problem I : The basis B of an n -dimensional lattice L O: A shortest non-zero vector v ∈ L Algorithm Running time Memory n n / 2 e · 2 O ( n ) Enumeration poly( n ) Sieving 2 [2 . 292 n + o ( n ) , 2 . 415 n + o ( n ) ] [2 . 2075 n + o ( n ) , 2 . 292 n + o ( n ) ] The paradox In theory, Sieving is faster. In pratice it is quite slower. 2 Given complexity are heuristic, heavily supported by experiments. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 2 / 23

  4. Two class of Algorithms for SVP The Shortest Vector Problem I : The basis B of an n -dimensional lattice L O: A shortest non-zero vector v ∈ L Algorithm Running time Memory n n / 2 e · 2 O ( n ) Enumeration poly( n ) Sieving 2 [2 . 292 n + o ( n ) , 2 . 415 n + o ( n ) ] [2 . 2075 n + o ( n ) , 2 . 292 n + o ( n ) ] The paradox In theory, Sieving is faster. In pratice it is quite slower. 2 Given complexity are heuristic, heavily supported by experiments. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 2 / 23

  5. Many trade-offs 2 0.45 n 8 0 0 ' 1 V ' N V M 1 1 ' 2 0.40 n B 3 4 T 1 1 L ' ' H W J P G Z B Time complexity Laa '15 ◮ Our main contribution can also 2 0.35 n LdW '15 / BL '15 be applied to other sieving BDGL16 algorithms. e c BGJ '15 a p 2 0.30 n ◮ Implementation limited to the S = e version of m i T [Micciancio Voulgaris 2010] . 2 0.25 n 2 0.20 n 2 0.25 n 2 0.30 n 2 0.35 n Space complexity L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 3 / 23

  6. Many trade-offs 2 0.45 n 8 0 In this 0 ' 1 V ' N V work M 1 1 ' 2 0.40 n B 3 4 T 1 1 L ' ' H W J P G Z B Time complexity Laa '15 ◮ Our main contribution can also 2 0.35 n LdW '15 / BL '15 be applied to other sieving BDGL16 algorithms. e c BGJ '15 a p 2 0.30 n ◮ Implementation limited to the S = e version of m i T [Micciancio Voulgaris 2010] . 2 0.25 n 2 0.20 n 2 0.25 n 2 0.30 n 2 0.35 n Space complexity L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 3 / 23

  7. Results Heuristic claim, asymptotic One can solve SVP in dimension n with a call to Sieve in dimension n − d where d = Θ( n / log n ) . Heuristic claim, concrete One can solve SVP in dimension n making a call to Sieve in dimension i for each i = 1 . . . n − d for d ≈ n · ln(4 / 3) ( d ≈ 15 for n = 80) ln( n / 2 π e ) Experimental claim: A bogey A Sieve implem. almost on par with enumeration (within a factor 4 in dims 70–80), with still much room for improvements. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 4 / 23

  8. Results Heuristic claim, asymptotic One can solve SVP in dimension n with a call to Sieve in dimension n − d where d = Θ( n / log n ) . Heuristic claim, concrete One can solve SVP in dimension n making a call to Sieve in dimension i for each i = 1 . . . n − d for d ≈ n · ln(4 / 3) ( d ≈ 15 for n = 80) ln( n / 2 π e ) Experimental claim: A bogey A Sieve implem. almost on par with enumeration (within a factor 4 in dims 70–80), with still much room for improvements. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 4 / 23

  9. Results Heuristic claim, asymptotic One can solve SVP in dimension n with a call to Sieve in dimension n − d where d = Θ( n / log n ) . Heuristic claim, concrete One can solve SVP in dimension n making a call to Sieve in dimension i for each i = 1 . . . n − d for d ≈ n · ln(4 / 3) ( d ≈ 15 for n = 80) ln( n / 2 π e ) Experimental claim: A bogey A Sieve implem. almost on par with enumeration (within a factor 4 in dims 70–80), with still much room for improvements. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 4 / 23

  10. Table of Contents 1 Dimensions for free 2 Implementation and performances L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 5 / 23

  11. Table of Contents 1 Dimensions for free 2 Implementation and performances L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 6 / 23

  12. Sieving Algorithm 1 Sieve ( L ) L ← a set of N random vectors from L where N ≈ (4 / 3) n / 2 . while ∃ ( v , w ) ∈ L 2 such that � v − w � < � v � do v ← v − w end while return L The above runs in heuristic time (4 / 3) n + o ( n ) . Many concrete and asymptotic improvements: [Nguyen Vidick 2008, Micciancio Voulgaris 2010, Laarhoven 2015, Becker Gamma Joux 2015, Becker D. Gamma Laarhoven 2015, . . . ] . L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 7 / 23

  13. Sieving Algorithm 2 Sieve ( L ) L ← a set of N random vectors from L where N ≈ (4 / 3) n / 2 . while ∃ ( v , w ) ∈ L 2 such that � v − w � < � v � do v ← v − w end while return L The above runs in heuristic time (4 / 3) n + o ( n ) . Many concrete and asymptotic improvements: [Nguyen Vidick 2008, Micciancio Voulgaris 2010, Laarhoven 2015, Becker Gamma Joux 2015, Becker D. Gamma Laarhoven 2015, . . . ] . L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 7 / 23

  14. More than SVP Note that Sieve returns N ≈ (4 / 3) n short vectors, not just a shortest vector. Definition (Gaussian Heuristic: Expected length of the shortest vector) � n / 2 π e · vol( L ) 1 / n . gh( L ) = Observation (heuristic & experimental) � The output of Sieve contains almost all vectors of length ≤ 4 / 3 · gh ( L ): � � � L := Sieve ( L ) = x ∈ L s.t. � x � ≤ 4 / 3 · gh( L ) . L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 8 / 23

  15. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � · gh( L ) ≤ 4 / 3 · gh( L d ) . gh( L ) ≤ 4 / 3 · gh( L d ) . n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 9 / 23

  16. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � · gh( L ) ≤ 4 / 3 · gh( L d ) . gh( L ) ≤ 4 / 3 · gh( L d ) . n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 9 / 23

  17. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � · gh( L ) ≤ 4 / 3 · gh( L d ) . gh( L ) ≤ 4 / 3 · gh( L d ) . n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 9 / 23

  18. Sieve then Lift Main idea: Sieve in a projected sub-lattice, and lift all candidate solutions. SubSieve ( L , d ) ◮ Set L ′ = L ( b 1 , . . . , b d ) “left part of L ”, dim= d ◮ Set L ′′ = π ⊥ L ′ ( L ) “right part of L ”, dim= n − d ◮ Compute L = Sieve ( L ′′ ) ◮ Hope that π ⊥ L ′ ( s ) ∈ L (1) ◮ Lift all v ∈ L from L ′′ to L and take the shortest (Babai alg.) Pessimistic prediction for (1) Optimistic prediction for (1) � n − d � � · gh( L ) ≤ 4 / 3 · gh( L d ) . gh( L ) ≤ 4 / 3 · gh( L d ) . n Similar to linear pruning for enum. L´ eo Ducas (CWI, Amsterdam) SVP from Sieving: a Few Dims for Free 30 April 2018 9 / 23

Recommend

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm in R 2 - Lower bound via

295 views • 13 slides
Progressive lattice sieving Thijs Laarhoven and Artur Mariano

Progressive lattice sieving Thijs Laarhoven and Artur Mariano

Progressive lattice sieving Thijs Laarhoven and Artur Mariano ts ttts PQCrypto 2018, Fort Lauderdale (FL), USA (April 10, 2018) Lattices What is a lattice?

1.05k views • 60 slides
Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
Dihedral Sieving Phenomena Sujit Rao, Joe Suk 31 July 2017 1/14 Outline Cyclic sieving

Dihedral Sieving Phenomena Sujit Rao, Joe Suk 31 July 2017 1/14 Outline Cyclic sieving

Dihedral Sieving Phenomena Sujit Rao, Joe Suk 31 July 2017 1/14 Outline Cyclic sieving Sieving for general groups Sieving for dihedral groups Examples of dihedral sieving Future work 2/14 Cyclic Sieving Phenomenon (CSP) Definition X be a

156 views • 15 slides
Online Computation of Euclidean Shortest Paths in Two Dimensions ICAPS 2020 Ryan Hechenberger,

Online Computation of Euclidean Shortest Paths in Two Dimensions ICAPS 2020 Ryan Hechenberger,

References Online Computation of Euclidean Shortest Paths in Two Dimensions ICAPS 2020 Ryan Hechenberger, Peter J Stuckey, Daniel Harabor, Pierre Le Bodic, Muhammad Aamir Cheema Monash University 1 / 21 References Euclidean Shortest Path

814 views • 69 slides
( x ik x i )( x jk x j ) N Expected value of a vector x is by component. k = 1 T

( x ik x i )( x jk x j ) N Expected value of a vector x is by component. k = 1 T

Up To Higher Dimensions Our previous Kalman Filter discussion was Lecture 10: of a simple one-dimensional model. Extended Kalman Filters Now we go up to higher dimensions: n State vector: x CS 344R/393R: Robotics m

431 views • 3 slides
Minimization of lattice energies From old to new results in dimensions 2 and 3 Laurent B

Minimization of lattice energies From old to new results in dimensions 2 and 3 Laurent B

Minimization of lattice energies From old to new results in dimensions 2 and 3 Laurent B etermin Institute for Applied Mathematics, University of Heidelberg Joint works with P. Zhang and M. Petrache OPCOP 2017 19th April 2017, CIEM, Castro

863 views • 20 slides
Lattice-valued bornological vector spaces and systems Jan Paseka 1 Sergejs Solovjovs 1 k 2 , 3

Lattice-valued bornological vector spaces and systems Jan Paseka 1 Sergejs Solovjovs 1 k 2 , 3

Introduction Bornological vector spaces Bornological vector systems Future work References Lattice-valued bornological vector spaces and systems Jan Paseka 1 Sergejs Solovjovs 1 k 2 , 3 Milan Stehl 1 Masaryk University, Brno, Czech

458 views • 41 slides
Torus sieving of finite Grassmannians Andrew Berget (joint with Jia Huang, UMN) Department of

Torus sieving of finite Grassmannians Andrew Berget (joint with Jia Huang, UMN) Department of

Torus sieving of finite Grassmannians Andrew Berget (joint with Jia Huang, UMN) Department of Mathematics University of California, Davis March 12, 2011 Cyclic sieving phenomenon (CSP) See the recent survey by Sagan! Cyclic sieving

685 views • 21 slides
Filter convergence and decompositions for vector lattice-valued measures Domenico Candeloro, Anna

Filter convergence and decompositions for vector lattice-valued measures Domenico Candeloro, Anna

Filter convergence and decompositions for vector lattice-valued measures Domenico Candeloro, Anna Rita Sambucini Department of Mathematics and Computer Science - University of Perugia Integration, Vector Measures and Related Topics VI, Be

447 views • 43 slides
Good, low degree, Rank-1 Lattice rules in High Dimensions Tor Srevik 1 1 joint work with James

Good, low degree, Rank-1 Lattice rules in High Dimensions Tor Srevik 1 1 joint work with James

Good, low degree, Rank-1 Lattice rules in High Dimensions Tor Srevik 1 1 joint work with James N. Lyness MCQCM 2012, Sydney Tor Srevik (UoB) Delta sequences MCQCM-12 1 / 20 Basic definitions An s dimensional simple rank 1 lattice

225 views • 20 slides
The Euler characteristic of a (monodimensional) polyhedron as a valuation on a vector lattice

The Euler characteristic of a (monodimensional) polyhedron as a valuation on a vector lattice

The Euler-Poincar e characteristic Vector lattices The Main Result The Euler characteristic of a (monodimensional) polyhedron as a valuation on a vector lattice Andrea Pedrini andrea.pedrini@unimi.it Universit` a degli Studi di Milano

838 views • 44 slides
A Survey of Complex Dimensions, Measurability, and Lattice/Nonlattice Dichotomies John A. Rock

A Survey of Complex Dimensions, Measurability, and Lattice/Nonlattice Dichotomies John A. Rock

A Survey of Complex Dimensions, Measurability, and Lattice/Nonlattice Dichotomies John A. Rock Cal Poly Pomona jarock@cpp.edu Featuring various collaborative efforts of: M. L. Lapidus and M. van Frankenhuijsen as well as H. Maier, D.

1.08k views • 79 slides
Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations

Matrix and Vector Operations Matrix and Vector Operations 1 / 21 Matrix and Vector Operations Dimensions length and size functions length - returns the number of elements in a vector size - returns the number of rows and columns in a vector or

588 views • 22 slides
Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert

Zero-Knowledge Arguments for Matrix-Vector Relations and Lattice-Based Group Encryption t Libert 1 San Ling 2 Fabrice Mouhartem 1 Beno Khoa Nguyen 2 Huaxiong Wang 2 1 Ecole Normale Sup erieure de Lyon (France) 2 Nanyang Technological

618 views • 46 slides
Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much

Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much

1 2 Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much easier the ring strikes back than the general problem. As an application, we solved four out Daniel J. Bernstein of the five numerical

1.07k views • 70 slides
Motion in more than one dimension Vector equations of motion Different components (dimensions)

Motion in more than one dimension Vector equations of motion Different components (dimensions)

Motion in more than one dimension Vector equations of motion Different components (dimensions) coupled through F Example: Planetary motion (in a 2D plane) Gravitational force: Two-body problem; can be reduced to one-body problem for effective

681 views • 14 slides
Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings

Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings

Graphs II - Shortest paths Single Source Shortest Paths All Sources Shortest Paths some drawings and notes from prof. Tom Cormen Single Source SP Context: directed graph G=(V ,E,w), weighted edges The shortest path (SP) between

881 views • 69 slides
A Combinatorial Proof of the Cyclic Sieving Phenomenon for Faces of Coxeterhedra Tung-Shan Fu

A Combinatorial Proof of the Cyclic Sieving Phenomenon for Faces of Coxeterhedra Tung-Shan Fu

A Combinatorial Proof of the Cyclic Sieving Phenomenon for Faces of Coxeterhedra Tung-Shan Fu Pingtung Institute of Commerce Based on joint work with S.-P. Eu and Y.-J. Pan Cyclic sieving phenomenon X : a finite set X ( q ) : a

932 views • 74 slides
4.4 Shortest Paths in a Graph shortest path from Princeton CS department to Einstein's house

4.4 Shortest Paths in a Graph shortest path from Princeton CS department to Einstein's house

4.4 Shortest Paths in a Graph shortest path from Princeton CS department to Einstein's house Shortest Path Problem Shortest path network. Directed graph G = (V, E). Source s, destination t. Length e = length of edge e. Shortest

226 views • 6 slides
Chern-Simons vector models and duality in 3 dimensions 19. Aug. 2013 @ YITP String theory and

Chern-Simons vector models and duality in 3 dimensions 19. Aug. 2013 @ YITP String theory and

Chern-Simons vector models and duality in 3 dimensions 19. Aug. 2013 @ YITP String theory and quantum field theory Shuichi Yokoyama Tata Institute of Fundamental Research (TIFR) Chern-Simons theory (Condensed matter physics) Quantum hole

457 views • 26 slides
Support Vector Machine (Part 2) OUTLINE Multi-class classification Nonlinear mapping

Support Vector Machine (Part 2) OUTLINE Multi-class classification Nonlinear mapping

Support Vector Machine (Part 2) OUTLINE Multi-class classification Nonlinear mapping Kernel The Solution of Quiz-2 The maximum margin weight vector will be parallel to the shortest line connecting points of the two classes, that

1.53k views • 34 slides
Outline and Reading Weighted graphs (7.1) Shortest Paths Shortest path problem Shortest

Outline and Reading Weighted graphs (7.1) Shortest Paths Shortest path problem Shortest

Outline and Reading Weighted graphs (7.1) Shortest Paths Shortest path problem Shortest path properties Dijkstras algorithm (7.1.1) 0 A 4 8 Algorithm 2 8 2 3 Edge relaxation 7 1 B C D The Bellman-Ford

348 views • 4 slides
Lattice algorithms for the closest vector problem with preprocessing Thijs Laarhoven

Lattice algorithms for the closest vector problem with preprocessing Thijs Laarhoven

Lattice algorithms for the closest vector problem with preprocessing Thijs Laarhoven mail@thijs.com http://www.thijs.com/ RISC seminar, Amsterdam, The Netherlands (May 3, 2019) Lattices Basics Lattices Basics O Lattices Basics b 2 b 1

1.68k views • 113 slides

More recommend