sieve enumerate slice and lift
play

Sieve, Enumerate, Slice, and Lift: Hybrid Lattice Algorithms for SVP - PowerPoint PPT Presentation

Nov 30, 2023 •542 likes •1.25k views

Sieve, Enumerate, Slice, and Lift: Hybrid Lattice Algorithms for SVP via CVPP Emmanouil Doulgerakis, Thijs Laarhoven, and Benne de Weger Technische Universiteit Eindhoven July 2020 AfricaCrypt 2020, Cairo, Egypt Outline Introduction 1

  1. Sieve, Enumerate, Slice, and Lift: Hybrid Lattice Algorithms for SVP via CVPP Emmanouil Doulgerakis, Thijs Laarhoven, and Benne de Weger Technische Universiteit Eindhoven July 2020 AfricaCrypt 2020, Cairo, Egypt

  2. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 1

  3. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 1

  4. What is a lattice? Definition A lattice L is a discrete additive subgroup of R n . AfricaCrypt 2020 2

  5. What is a lattice? Definition A lattice L is a discrete additive subgroup of R n . AfricaCrypt 2020 2

  6. What is a lattice? A lattice is an infinite grid of points in the n -dimensional space. AfricaCrypt 2020 3

  7. What is a lattice? A lattice: The set of all integer linear combinations of some basis B where B = { b 1 , . . . , b n } ⊂ R n . b 2 b 1 O AfricaCrypt 2020 3

  8. What is a lattice? A lattice: The set of all integer linear combinations of some basis B where B = { b 1 , . . . , b n } ⊂ R n . A lattice has many bases. b 2 b 4 b 3 b 1 O AfricaCrypt 2020 3

  9. The Shortest Vector Problem (SVP) Shortest Vector Problem (SVP) Given an arbitrary basis for L , find a shortest non-zero vector s in L i.e. � s � = min v ∈L\{ 0 } � v � . We denote λ 1 ( L ) = min v ∈L\{ 0 } � v � . b 2 b 1 s O AfricaCrypt 2020 4

  10. The Closest Vector Problem (CVP) Closest Vector Problem (CVP) Given an arbitrary basis for L and a target vector t , find the closest lattice vector v in L such that � t − v � = d ( t , L ). b 2 b 1 t AfricaCrypt 2020 5

  11. The Closest Vector Problem (CVP) Closest Vector Problem (CVP) Given an arbitrary basis for L and a target vector t , find the closest lattice vector v in L such that � t − v � = d ( t , L ). b 2 b 1 t v AfricaCrypt 2020 5

  12. The Approximate Closest Vector Problem (CVP κ ) Approximate Closest Vector Problem (CVP κ ) Given an arbitrary basis for L , a target vector t and an approximation factor κ ≥ 1, find a lattice vector v in L such that � t − v � ≤ κ d ( t , L ). b 2 b 1 t AfricaCrypt 2020 6

  13. The Closest Vector Problem with Pre-processing (CVPP) The CVPP variant Given an arbitrary basis for L , compute some pre-processing data such that when later given a target vector t , it will be ”easy” to solve the CVP for t . b 2 t v b 1 AfricaCrypt 2020 7

  14. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 8

  15. Solving SVP Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). AfricaCrypt 2020 9

  16. Solving SVP Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). As s ∈ L then ∃ x 1 , . . . , x n ∈ Z such that s = x 1 b 1 + · · · + x n b n . AfricaCrypt 2020 9

  17. Solving SVP Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). As s ∈ L then ∃ x 1 , . . . , x n ∈ Z such that s = x 1 b 1 + · · · + x n b n . We know that λ 1 ( L ) ≤ � b 1 � . Enumeration explores all the choices of the x i such that � x 1 b 1 + · · · + x n b n � ≤ � b 1 � . AfricaCrypt 2020 9

  18. Enumeration tree (example) root 0 b n − 1 0 1 ( − 1 , − 1)(0 , − 1) ( − 1 , 0) (0 , 0) (1 , 0) (0 , 1) (1 , 1) b n − 1 . ( − 1 , 1 , 0)(0 , 1 , 0) (1 , 1 , 0) . . . . . b 1 AfricaCrypt 2020 10

  19. Enumeration costs in small depth Lemma (Costs of enumeration HS07) Let B be a strongly reduced basis of a lattice. Then the number of nodes E k at depth k = o ( n ) , k = n 1 − o (1) , satisfies: E k = n k / 2+ o ( k ) . Enumerating all these nodes can be done in time T enum and space S enum , with: T enum = E k · n O (1) , S enum = n O (1) . AfricaCrypt 2020 11

  20. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 12

  21. Solving CVP(P) We have t ∈ t + L and t ′ = t − s so t ′ ∈ t + L as well... It suffices to find t ′ . b 2 t ′ b 1 t O s AfricaCrypt 2020 13

  22. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 t ′ t r 6 r 4 O s r 5 AfricaCrypt 2020 14

  23. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 t O − 4 r 1 AfricaCrypt 2020 15

  24. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 t O +3 r 2 AfricaCrypt 2020 15

  25. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 − 2 r 1 t O AfricaCrypt 2020 15

  26. The iterative slicer (ideal case) Create a list L ⊆ L . Keep reducing t by the vectors r in the list L until the result cannot be reduced any more. Then we have found t ′ . r 2 r 1 r 3 + r 3 t ′ t O AfricaCrypt 2020 15

  27. The iterative slicer (in practice) Computing t ′ correctly depends on the list L . Computing “the proper” list L is too costly. We can use approximations instead. r 1 r 2 r 3 r 4 t AfricaCrypt 2020 16

  28. The iterative slicer (in practice) Computing t ′ correctly depends on the list L . Computing “the proper” list L is too costly. We can use approximations instead. Disadvantage: We might get a wrong t ′ . r 1 r 2 r 3 r 4 t AfricaCrypt 2020 16

  29. The randomized slicer Create a list L of lattice vectors (e.g. by running a sieving algorithm). r 1 r 2 r 3 r 4 t AfricaCrypt 2020 17

  30. The randomized slicer Create a list L of lattice vectors (e.g. by running a sieving algorithm). Randomize t sufficiently many times (as t i ) and reduce it. t 3 t 2 r 1 r 2 t 4 r 3 r 4 t 1 t 5 AfricaCrypt 2020 17

  31. The randomized slicer Create a list L of lattice vectors (e.g. by running a sieving algorithm). Randomize t sufficiently many times (as t i ) and reduce it. Keep the shortest t ′ i found as t ′ . t 3 t 2 t 4 t 1 t 5 AfricaCrypt 2020 17

  32. The randomized slicer algorithm AfricaCrypt 2020 18

  33. Costs of preprocessing Lemma (Costs of lattice sieving BDGL16) Given a basis B of a lattice L , the LDSieve heuristically returns a list L ⊂ L containing the (4 / 3) n / 2+ o ( n ) shortest lattice vectors, in time T sieve and space S sieve with: T sieve = (3 / 2) n / 2+ o ( n ) , S sieve = (4 / 3) n / 2+ o ( n ) . With the LDSieve we can therefore solve SVP with the above complexities. AfricaCrypt 2020 19

  34. Costs of the randomized slicer Lemma (single target DLW20) Given a list of the (4 / 3) n / 2+ o ( n ) shortest vectors of a lattice L and a target t ∈ R n , the randomized slicer solves CVP for t in time T slice and space S slice , with: T slice = 2 ζ n + o ( n ) , S slice = (4 / 3) n / 2+ o ( n ) . In our case ζ = 0 . 2639 . . . AfricaCrypt 2020 20

  35. Costs of the randomized slicer Lemma (many targets DLW20) Given a list of the (4 / 3) n / 2+ o ( n ) shortest vectors of a lattice L and a batch of N ≥ (13 / 12) n / 2+ o ( n ) target vectors t 1 , . . . , t N ∈ R n , the batched randomized slicer solves CVP for all targets t i in total time T slice and space S slice , with: T slice = N · (18 / 13) n / 2+ o ( n ) , S slice = (4 / 3) n / 2+ o ( n ) . AfricaCrypt 2020 21

  36. Outline Introduction 1 Enumeration 2 The slicer algorithms 3 Hybrid algorithms 4 AfricaCrypt 2020 22

  37. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). AfricaCrypt 2020 23

  38. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). Choose 0 ≤ k ≤ n and split B as B = B bot ∪ B top where B bot := { b 1 , . . . , b n − k } and B top := { b n − k +1 , . . . , b n } . AfricaCrypt 2020 23

  39. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). Choose 0 ≤ k ≤ n and split B as B = B bot ∪ B top where B bot := { b 1 , . . . , b n − k } and B top := { b n − k +1 , . . . , b n } . This partitions the lattice as L = L bot ⊕ L top where L bot := L ( B bot ) and L top := L ( B top ). AfricaCrypt 2020 23

  40. Solving SVP via CVPP (Part 1) Let L be a lattice with basis B = { b 1 , . . . , b n } ⊂ R n . Question: Find s in L with � s � = λ 1 ( L ). Choose 0 ≤ k ≤ n and split B as B = B bot ∪ B top where B bot := { b 1 , . . . , b n − k } and B top := { b n − k +1 , . . . , b n } . This partitions the lattice as L = L bot ⊕ L top where L bot := L ( B bot ) and L top := L ( B top ). As s ∈ L then ∃ x 1 , . . . , x n ∈ Z such that s = x 1 b 1 + · · · + x n b n . AfricaCrypt 2020 23

Recommend

Slices Chapter 10 SL1 Program slice What is a program slice? SL2 Program slice

Slices Chapter 10 SL1 Program slice What is a program slice? SL2 Program slice

Slices Chapter 10 SL1 Program slice What is a program slice? SL2 Program slice Informally What is a program slice? A program slice is a set of program statements that contributes to or affects the value of a variable at

517 views • 18 slides
Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis!

Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis!

Outline'Talk'6' 1. Introduc*on:!Concepts!and!defini*ons!of!sieve!effects!/!sieve!analysis! Vaccine!efficacy!versus!par*cular!pathogen!strains! Sieve!effects!and!other!effects! Some!immunological!considera*ons!

383 views • 15 slides
The Time Slice Axiom in Perturbative Quantum Field Theory Klaus Fredenhagen 1 II. Institut f

The Time Slice Axiom in Perturbative Quantum Field Theory Klaus Fredenhagen 1 II. Institut f

Introduction Time slice axiom for a free scalar field The algebra of Wick polynomials Time slice axiom for Wick polynomials Time slice axiom for interacting field theories Conclusions and Outlook The Time Slice Axiom in Perturbative Quantum

228 views • 18 slides
1 Multi-Slice CT Multi-Slice CT Wider beam widths Thinner slices and more of them Z -

1 Multi-Slice CT Multi-Slice CT Wider beam widths Thinner slices and more of them Z -

Multi-Slice CT Image quality and capability increasing The impact of MDCT on optimisation and 2006 quality assurance of CT scanners < 0.4s rotation 64 x 0.5 mm slices Dose S. Edyvean Imaging Performance Assessment

605 views • 14 slides
Lift Introduction to Aeronautical Engineering Ir. Jos Sinke Cyron - CC - BY Lift equation Lift

Lift Introduction to Aeronautical Engineering Ir. Jos Sinke Cyron - CC - BY Lift equation Lift

Lift Introduction to Aeronautical Engineering Ir. Jos Sinke Cyron - CC - BY Lift equation Lift is given by: L J. Scavini - CC - BY - SA Lift equation Lift is given by: L What is the unit of C L ? J. Scavini - CC - BY - SA Lift

684 views • 16 slides
GAS LIFT IN NEW FIELDS John Martinez Gas Lift for New Fields ASME/API/ISO Gas Lift Workshop

GAS LIFT IN NEW FIELDS John Martinez Gas Lift for New Fields ASME/API/ISO Gas Lift Workshop

ASME/API/ISO Gas Lift Workshop Doha 2007 GAS LIFT IN NEW FIELDS John Martinez Gas Lift for New Fields ASME/API/ISO Gas Lift Workshop Doha 2007 GAS LIFT in NEW FIELDS NEW DESIGN FOR WELLS AND COMPRESSORS RESERVOIR AND

224 views • 9 slides
PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE SIEVE OF ERATOSTHENES

PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE SIEVE OF ERATOSTHENES

26 07 2015 PARALLEL AND DISTRIBUTED ALGORITHMS BY DEBDEEP MUKHOPADHYAY AND ABHISHEK SOMANI http://cse.iitkgp.ac.in/~debdeep/courses_iitkgp/PAlgo/index.htm PARALLEL THINKING: THE SIEVE OF ERATOSTHENES 2 1 26 07 2015 THE

468 views • 11 slides
JBP V LIFT Radically New Approach for Anti Aging Treatment What is JBP V Lift ? PDO

JBP V LIFT Radically New Approach for Anti Aging Treatment What is JBP V Lift ? PDO

JBP V LIFT Radically New Approach for Anti Aging Treatment What is JBP V Lift ? PDO (Polydioxanone) Embedding therapy needle with absorbable suture (PDO) Injecting several dozen of needles on cheeks one by one. After pulling

859 views • 9 slides
Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of

Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of

Three algorithms related to the number-field sieve D. J. Bernstein Thanks to: University of Illinois at Chicago NSF DMS0140542 Alfred P. Sloan Foundation The number-field sieve Goal: Find

435 views • 25 slides
Lift: Primitives for Hybrid CPU + GPU Computing Nuno Subtil nuno.subtil@roche.com Lift in One

Lift: Primitives for Hybrid CPU + GPU Computing Nuno Subtil nuno.subtil@roche.com Lift in One

Lift: Primitives for Hybrid CPU + GPU Computing Nuno Subtil nuno.subtil@roche.com Lift in One Slide https://github.com/nsubtil/lift Lean and mean C++ parallel programming library Pass-by-value memory containers Parallel primitive

581 views • 36 slides
How Should I Slice My Network? Hailiang ZHAO @ ZJU-CS htp://hliangzhao.me December 22, 2019 This

How Should I Slice My Network? Hailiang ZHAO @ ZJU-CS htp://hliangzhao.me December 22, 2019 This

How Should I Slice My Network? Hailiang ZHAO @ ZJU-CS htp://hliangzhao.me December 22, 2019 This slide is a report on paper How Should I Slice My Network? A Multi-Service Empirical Evaluation of Resource Sharing Efficiency , published on

973 views • 44 slides
Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2

Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2

Sieve weights and their smoothings Dimitris Koukoulopoulos 1 Joint work with Andrew Granville 1,2 and James Maynard 3 1 Universit de Montral 2 University College London 3 University of Oxford Oberwolfach, 10 November 2016 Selbergs sieve 2

658 views • 65 slides
Autonomic Slice Networking draft-galis-anima-autonomic-slice-networking-01 V1.0 10 th November

Autonomic Slice Networking draft-galis-anima-autonomic-slice-networking-01 V1.0 10 th November

Autonomic Slice Networking draft-galis-anima-autonomic-slice-networking-01 V1.0 10 th November 2016 Prof. Alex Galis Kiran Makhijani Delei Yu a.gais@ucl.ac.uk; http://www.ee.ucl.ac.uk/~agalis/ yudelei@huawei.com kiran.makhijani@huawei.com

379 views • 13 slides
Vertical Lift Aviation Industry Day October 27, 2009 Vertical Lift Aviation Industry Day A First

Vertical Lift Aviation Industry Day October 27, 2009 Vertical Lift Aviation Industry Day A First

Vertical Lift Aviation Industry Day October 27, 2009 Vertical Lift Aviation Industry Day A First Step Towards the Future of Vertical Lift Aviation Tony Melita Office of Land Warfare and Munitions Office of the Secretary of Defense 3 Purpose

958 views • 67 slides
RC-Series Duo Cylinder Lift Your Expectations Lift Your Expectations RC-series Duo Cylinder

RC-Series Duo Cylinder Lift Your Expectations Lift Your Expectations RC-series Duo Cylinder

POWERFUL SOLUTIONS. GLOBAL FORCE. RC-Series Duo Cylinder Lift Your Expectations Lift Your Expectations RC-series Duo Cylinder LONGER LASTING. The unique GR2 bearing system protects the RC-Series Duo cylinder seal by surrounding it. This

421 views • 14 slides
Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi

Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi

Slice sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi (STAT615@ISU) Slice sampling November 14, 2017 1 / 26 Slice sampling Slice sampling Suppose the target distribution is p ( | y ) with scalar

1.13k views • 26 slides
Self-Tuning Algorithm for Intermittent Gas Lift Gustavo Moises Artificial Lift Engineer

Self-Tuning Algorithm for Intermittent Gas Lift Gustavo Moises Artificial Lift Engineer

Gas-Lift Workshop Qatar February 4 - 8, 2007 Self-Tuning Algorithm for Intermittent Gas Lift Gustavo Moises Artificial Lift Engineer Jaildo Silva Petroleum Technician Joseil Silva Petroleum Technician Nadilson Muniz Petroleum

409 views • 19 slides
A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam

A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam

A variant of the large sieve inequality with explicit constants Maciej Grzekowiak Adam Mickiewicz University Pozna, Poland Number Theoretic Methods in Cryptology Paris 2019 MG (UAM Pozna) Sieve NutMic 2019 1 / 25 Outline 1 The large

1.04k views • 90 slides
TAXY TAXY Gives your thumb a lift. Gives your thumb a lift. Julia Hafner L O G L I N E L O G

TAXY TAXY Gives your thumb a lift. Gives your thumb a lift. Julia Hafner L O G L I N E L O G

TAXY TAXY Gives your thumb a lift. Gives your thumb a lift. Julia Hafner L O G L I N E L O G L I N E TAXY is a reachability feature to facilitate one-handed interaction with smartphones. Once activated by a fl ick gesture, TAXY generates a

263 views • 14 slides
Using Binary Decision Diagrams to Enumerate Inductive Logic Programming Solutions 1 Key

Using Binary Decision Diagrams to Enumerate Inductive Logic Programming Solutions 1 Key

Hikaru Shindo*, Masaaki Nishino**, Akihiro Yamamoto* September 4, 2018 * Graduate School of Informatics, Kyoto University ** NTT Communication Science Laboratories Using Binary Decision Diagrams to Enumerate Inductive Logic Programming

438 views • 27 slides
Lift and Drag Lecture 7 ME EN 412 Andrew Ning aning@byu.edu Outline Definitions Lift and

Lift and Drag Lecture 7 ME EN 412 Andrew Ning aning@byu.edu Outline Definitions Lift and

Lift and Drag Lecture 7 ME EN 412 Andrew Ning aning@byu.edu Outline Definitions Lift and Drag in Potential Flow Definitions Flat Plate Example Munson 9.5. Assume the following average pressure and shear stress on the surface of the

347 views • 7 slides
The number-field sieve Finding small factors of integers D. J. Bernstein University of Illinois

The number-field sieve Finding small factors of integers D. J. Bernstein University of Illinois

The number-field sieve Finding small factors of integers D. J. Bernstein University of Illinois at Chicago The Q sieve factors n by combining enough y -smooth congruences i ( n + i ). Enough > = log y . y Plausible

347 views • 31 slides
COMP 204 Operations on containers: enumerate, zip, comprehension Mathieu Blanchette based on

COMP 204 Operations on containers: enumerate, zip, comprehension Mathieu Blanchette based on

COMP 204 Operations on containers: enumerate, zip, comprehension Mathieu Blanchette based on material from Yue Li, Carlos Oliver Gonzalez and Christopher Cameron 1 / 21 Quiz password 2 / 21 Side-track: a convenient way to format print

584 views • 21 slides
Pr Proto toDUNE-SP SP HV HVS Vertical Slice Test FRP Current Kevin Wood May 29, 2018 HV

Pr Proto toDUNE-SP SP HV HVS Vertical Slice Test FRP Current Kevin Wood May 29, 2018 HV

Pr Proto toDUNE-SP SP HV HVS Vertical Slice Test FRP Current Kevin Wood May 29, 2018 HV HV Deliv eliver ery Chain ain Tes est t (I) I) Vertical slice test before installing at 38.2 mm Cable NP04 Power supply, cables,

508 views • 5 slides

More recommend