Solving shortest and closest vector problems: The decomposition approach

Transcription

1 Solving shortest and closest vector problems: The decomposition approach Anja Becker 1, Nicolas Gama 2, and Antoine Joux 3 1 EPFL, École Polytechnique Fédérale de Lausanne, Switzerland 2 UVSQ, Université de Versailles, France 3 UPMC, Université Paris 6, France Abstract. In this paper, we present a heuristic algorithm for solving exact, as well as approximate, SVP and CVP for lattices. This algorithm is based on a new approach which is very different from and complementary to the sieving technique. This new approach frees us from the kissing number bound and allows us to solve SVP and CVP in lattices of dimension n in time n using memory n. The key idea is to no longer work with a single lattice but to move the problems around in a tower of related lattices. We initiate the algorithm by sampling very short vectors in a dense overlattice of the original lattice that admits a quasi-orthonormal basis and hence an efficient enumeration of vectors of bounded norm. Taking sums of vectors in the sample, we construct short vectors in the next lattice of our tower. Repeating this, we climb all the way to the top of the tower and finally obtain solution vector(s) in the initial lattice as a sum of vectors of the overlattice just below it. The complexity analysis relies on the Gaussian heuristic. This heuristic is backed by experiments in low and high dimensions that closely reflect these estimates when solving hard lattice problems in the average case. 1 Introduction Hard lattice problems, such as the shortest vector problem (SVP) and the closest vector problem (CVP), have a long standing relationship to cryptology. For a long time, they were used as cryptanalytic tools, first through a direct approach as in [17] and then more indirectly using Coppersmith s small roots algorithms [7, 8]. More recently, these hard problems have also been used constructively. Lattice-based cryptography is also a promising area due to the simple additive, parallelizable structure of a lattice. The two basic hard problems SVP and CVP are known to be NP-hard 4 to solve exactly [1, 19] and also NP-hard to approximate [9, 24] within at least constant factors. The time complexity of known algorithms that find the exact solution are at least exponential in the dimension of the lattice. These algorithms also serve as subroutines for strong polynomial time approximation algorithms. Algorithms for the exact problem hence enable us to choose appropriate parameters. A shortest vector can be found by enumeration [29, 18], sieving [2, 27, 26, 31] or the Voronoicell algorithm [25]. Enumeration uses a negligible amount of memory and its running time is between n O(n) and 2 O(n2) depending on the amount and quality of preprocessing. Probabilistic sieving algorithms, as well as the deterministic Voronoi-cell algorithm are simple exponential in time and memory. A closest vector can be found by enumeration and by the Voronoi-cell algorithm, however, state-of-the-art sieving techniques cannot be directly applied to solve CVP instances. Table 1 presents a summary of the complexities of currently known SVP and CVP algorithms including our new algorithm. A long standing open question was to find ways to decrease the complexity of enumerationbased algorithms for CVP and SVP to a single exponential time complexity. On an LLL- 4 Under randomized reductions in the case of SVP.

2 2 Algorithm Time Memory CVP SVP proven/heuristic Kannan-Enumeration n n/(2e)+o(n) poly(n) proven Voronoi-cell 2 3 n 2 n proven List-Sieve n+o(n) n+o(n) proven GaussSieve n+o(n)? heuristic Nguyen-Vidick sieve n+o(n) n+o(n) heuristic WLTB sieve n+o(n) n+o(n) heuristic Our algorithm from n n heuristic to n n Table 1. Complexity of currently known SVP/CVP algorithms. or BKZ-reduced basis [21, 29] the running time of Schnorr-Euchner s enumeration is double exponential in the dimension. If we further reduce the basis to a dual-hkz-reduced basis [20], the complexity becomes 2 O(n log n) [18, 16]. Enumeration would become simply exponential if a quasi-orthonormal basis, as defined in Sect. 2, could be found. Unfortunately, most lattices do not possess such a favorable quasi-orthonormal basis. Also for random lattices the lower bound on the Rankin invariant is of size 2 Θ(n log n) and determines the minimal complexity for enumeration that operates only on the original lattice. We provide a more detailed discussion in Section 2. The method we propose here circumvents this problem by making use of overlattices that admit a quasi-orthonormal basis and which are found in polynomial time by a special case of structural reduction [12]. Once we have an overlattice and its quasi-orthonormal basis, our main task is to find a solution vector in the initial lattice given a sample of short vectors in the overlattice. This is similar to hardness results frequently found in worst-case to average-case proofs. Usually, a short overlattice basis is used to sample a pool of short Gaussian overlattice vectors, which are then combined by a SIS or GSIS oracle into polynomially longer vectors of the original lattice. In our setting, the overlattice basis is quasi-orthonormal, which allows an efficient enumeration of the shortest overlattice vectors. These vectors are then combined to the shortest vectors of the original lattice by a concrete, albeit exponential-time, algorithm. Our new algorithmic technique solves SVP and CVP for random lattices and follows a novel approach to tackle them. Its basic idea stems from recently developed algorithms [3, 4] providing exponential speed-up in the context of the subset-sum and the decoding problem. However, due to the richer structure of lattices, the adaptation is far from straightforward. Our contribution. We present a new heuristic algorithm for the exact SVP and CVP for n-dimensional lattices using a tower of k overlattices L i, where L = L 0.. L k. In this tower, we choose the lattice L k at the bottom of the tower in a way that ensures that we can efficiently compute a sufficiently large pool of very short vectors in L k. Starting from this pool of short vectors, we move from each lattice of our tower to the one above using summation of vectors while controlling the norms growth. For random lattices and under heuristic assumptions, two L i -vectors sum up to an L i 1 -vector of moderately larger norm with probability 1 α, where vol (L n i 1 ) /vol (L i ) = α n > 1. We allow the norm to increase by a factor α in each step, in order to preserve the size of our pool of available vectors per lattice in our tower.

3 Our method can be used to find vectors of bounded norm in a lattice L or, alternatively, in a coset x + L, x / L. Thus, in contrast to classical sieving techniques, it allows us to solve both SVP or CVP, and more generally, to enumerate all lattice points within a ball of fixed radius. Furthermore, the time and memory complexity are no longer linked to the kissing number: this also allows us to obtain a better running time compared to sieving. The average running time in the asymptotic case is n, requiring a memory of n. It is also possible to choose different time-memory tradeoffs and devise slower algorithms that use less memory. We report our experiments on random lattices of dimension 40 to 80, whose results confirm our theoretical analysis and show that the algorithm works well in practice. Organization of the paper. Section 2 introduces our notation and presents a brief background on lattices. We present our new generic algorithm in Sect. 3 and provide results from our experiments in Sect Background and notation Lattices and cosets. A lattice L of dimension n is a discrete subgroup of R n. A lattice can be described as the set of all integer combinations { n i=1 α ib i α i Z} of n linearly independent vectors b i of R m. In this case the vectors b 1,.., b n are called a basis of L. The volume of the lattice L is the volume of span(l)/l, and can be easily computed as det(bb t ), for any basis B. Any lattice has a shortest non-zero vector of Euclidean length λ 1 (L) which can be upper bounded by Minkowski s theorem as λ 1 (L) n vol (L) 1/n. We call a coset of a lattice a translation x + L = {x + v v L} of L by a vector x span(l). Overlattice and index. A lattice L of dimension n such that L L is called on overlattice of L. The quotient group L /L is a finite abelian group of order vol(l)/vol(l ) = [L : L]. Hyperballs. Let Ball n (R) denote the ball of radius R in dimension n where we omit n if it is implied from the context. The volume V n of the n-dimensional ball of radius 1 and the radius r n of the n-dimensional ball of volume 1 are V n = π n Γ ( n 2 + 1) and r n = Vn 1/n = n (1 + o(1)), respectively. 2πe Gaussian heuristic. The Gaussian heuristic states that given a lattice L and a suitable set S, the number of points in S L can be approximated by vol (S) /vol (L). When S is a ball of radius at least n 1/2+ɛ vol(l) 1/n for some fixed ɛ > 0, we can prove that this estimate holds for almost all real lattices, and almost all integer lattices of large volume. It is also known that for random integer cocyclic lattices of large volume, this estimates also holds when S is a smaller ball of radius close to n vol(l) 1/n. This allows to estimate the length of the shortest vector of a random lattice as the radius of a ball of volume vol (L): λ 1 (L) r n vol (L) 1/n. It also indicates that for all β > 0, a ball of radius β r n vol (L) 1/n should asymptotically contain about β n lattice points. However, this heuristic cannot be used as a theorem for specific lattices, and for example, in Z n, the number of lattice points differs by an exponential factor in n depending on the center of the ball [23]. In all other cases, this heuristic requires an experimental validation.

4 4 Gram-Schmidt orthogonalization (GSO). The GSO of a non-singular square matrix B is the unique decomposition as B = µ B, where µ is a lower triangular matrix with unit diagonal and B consist of mutually orthogonal rows. For each i [1, n], we call π i the orthogonal projection of over span(b 1,.., b i 1 ). In particular, one has π i (b i ) = b i, which is the i-th row of B. We use the notation B [i,j] for the projected block [π i (b i ),..., π i (b j )]. Rankin factor and quasi-orthonormal basis. Let B be an n dimensional basis, and j n. We call the ratio γ n,j (B) = vol(b [1,j]) vol(l) j/n = vol(l)(n j)/n vol(π j+1 (L)) the Rankin factor of B with index j. The well known Rankin invariants of the lattice, γ n,j (L), introduced by Rankin [28] are simply the squares of the minimal Rankin factors of index j over all bases of L. This allows to define a quasi-orthonormal basis. Definition 1 (quasi-orthonormal basis). A basis B is quasi-orthonormal if and only if its Rankin factors satisfy 1 γ n,j (B) n for all j [1, n]. For example, any real triangular matrix with identical diagonal coefficients forms a quasiorthogonal basis. More generally, any basis whose b i are almost equal is quasi-orthogonal. This is a very strong notion of reduction, since average LLL-reduced or BKZ-reduced bases only achieve a 2 O(n2) Rankin factor and HKZ-reduced bases of random lattices have a 2O(n log n) Rankin factor. Finally, Rankin s invariants are lower-bounded [5, 30, 11] by 2 Θ(n log n) for almost all lattices 5, which means that only a tiny subclass of lattices posses a quasi-orthonormal basis. Schnorr-Euchner enumeration Given a basis B of an integer lattice L R m, Schnorr- Euchner s enumeration algorithm [29] allows to enumerate all vectors of Euclidean norm R in the coset C = z + L where z R m. The running time of this algorithm is n T SE = (π n+1 i (z + L) Ball i (R)), (1) which is equivalent to i=1 T SE n i=1 vol(ball i (R)) vol(π n+1 i (L)) under the Gaussian heuristic. The last term in the sums (1) and (2) denotes the number of solutions C. Thus, the complexity of enumeration is approximately T SE Õ ( C ) max γ n,j(b). j [1,n] This is why a reduced basis of smallest Rankin factor is favorable. The lower bound on Rankin s invariant of γ n,n/2 (L) = 2 Θ(n log n) for most lattices therefore determines the minimal complexity of enumeration that is achievable while working with the original lattice, provided that one can actually compute a basis of L minimizing the Rankin factors, which is also NP-Hard. If the input basis is quasi-orthonormal, the upper-bound γ n,j (B) n from Definition 1 implies that the enumeration algorithm runs in time Õ ( C ), which is optimal. Without knowl- 5 γ 2n,n(L) (n/12) n with probability 1 on random real lattices of volume 1 drawn from the Haar distribution. (2)

5 edge of a good basis one can aim to decompose the problem into more favorable cases that finally allow to apply Schnorr-Euchner s algorithm as we describe in the following. 5 3 Enumeration of short vectors by intersection of hyperballs The section presents the new algorithm that enumerates β n shortest vectors in any coset t + L of a lattice L for a constant β 3/2. It can be used to solve the NP-hard problems SVP, CVP, ApproxSVP β and ApproxCVP β : Given a lattice L, the SVP can be reduced to enumerating vectors of Euclidean norm O(λ 1 (L)) in the coset 0 + L while a CVP instance can be solved by enumerating vectors of norm at most dist(t, L) in the coset t + L. These bounded cosets, (t + L) Ball n (R) for suitable radius R, can be constructed in an iterative way by use of overlattices. The searched vectors are expressed as a sum of short vectors of suitable translated overlattices of smaller volume. The search for a unique element in a lattice as required in the SVP or CVP is delegated to the problem of enumerating bounded cosets. Any non-trivial element found by our algorithm is naturally a solution to the corresponding ApproxSVP β or ApproxCVP β. We present the new algorithm solving lattice problems based on intersections of hyperballs in Sect. 3.1 and application to co-cyclic lattices and q-ary lattices as an example in Sect These examples motivate the generic initialization of our algorithm as described in Sect General description of the algorithm Assume that we are given a tower of k = O(n) lattices L i R n of dimension n where L i L i+1 and the volume of any two consecutive lattices differs by a factor α n N >1. We also assume that the bottom lattice L k permits an efficient enumeration of the β n shortest vectors in any coset t + L k for 1 < β < 3/2. The ultimate goal is to find the β n shortest vectors in some coset t 0 + L 0 of L 0. We postpone how to find suitable lattices L i, i 1, to the following two sections. We also assume in this section, that the Gaussian heuristic holds. Under this assumption, the problem of finding the β n shortest elements in some coset t + L is roughly equivalent to enumerating all lattice vectors of L in the ball of radius β r n n vol (L) centered at t R n. For each i [0, k], we define a real vector t i = t 0 /2 i R n, and a bounded coset C i that contains the β n shortest vectors of the coset t i + L i. More formally, let us define such that R i = β r n n vol(l i ) and C i = (t i + L i ) Ball(0, R i ) C i vol(ball(r i)) vol(l i ) = β n, which follows from the Gaussian heuristic. In addition, we require that L i L i+1 where vol(l i ) vol(l i+1 ) = αn. The goal of our algorithm is to enumerate C 0, and to do that, it successively enumerates subsets S i C i, starting from i = k down to zero, containing a majority of all elements which means that S i C i. Figure 1 illustrates the sequence of enumerated lists.

6 6 S 0 C 0 + check (3),(4) S i C i + check (3),(4) x I z x z Enumerate S k = C k Fig. 1. Iterative creation of lists. Fig. 2. Vector z C i 1 found as sum between x C i and z x C i I (t i + L i). During the construction of the tower of lattices, which is studied in the next sections, we already ensure that S k = C k is easy to obtain. We now explain how we can compute S i 1 from S i. To do this, we compute all sums x + y of vector pairs of S i S i which satisfy the conditions x + y t i 1 + L i 1 and (3) x + y β r n n vol (L i ). (4) This means that we collect the β n shortest vectors of the coset C i 1 = t i 1 + L i 1 by going through the list S i of short elements belonging to C i = t i + L i. In practice, an equivalent way to check if condition (3) holds, is to use an efficient computation for the map ϕ i 1 : C i L i /L i 1, z z t i mod L i 1 and to verify that ϕ i 1 (x) + ϕ i 1 (y) = 0. Section 3.2 shows concrete examples for ϕ i which are easy to implement. Alg. 1 summarizes our approach. Algorithm 1: Coset enumeration Constants: α 4/3, β 3/2 Parameters: k Input: A LLL-reduced basis B of L 0 and a center t R n Output: Almost all the β n shortest elements of t + L 0 Choose a random initial target t 0 t + L 0 (using the discrete Gaussian distribution of parameter 2 n vol(l 0) 1/n ), and define t i = t 0/2 i R n for i [1, k]. Compute a tower of lattices L 0,.., L k by use of Alg. 3 such that - L 0 L 1... L k - lattice enumeration is easy on L k - vol(l i 1)/vol(L i) = α n - elements of t i + L i have a compact representation and - testing-morphisms ϕ i 1 are efficient to evaluate. S k Enumerate bottom coset C k for i = k 1 downto 0 do S i Merge(S i+1, t i, ϕ i, R i) (Alg. 2) return S 0 Merge by collision. A naive implementation of the merge routine that creates S i 1 from S i would just run through the β 2n pairs of vectors from S i S i, and eliminate those that do not satisfy the constraints (3) and (4). By regrouping the elements of S i into α n buckets, according to their value modulo L i 1, condition (3) implies that each element of S i only needs to be paired with the elements of a single bucket, see Alg. 2. The Gaussian heuristic implies

7 7 that each bucket contains (β/α) n elements, therefore the merge operation can then be performed in time ( β 2 /α ) n. Algorithm 2: Merge by collision /* Efficiently find pairs of vectors of C i+1 s.t. their sum is in C i*/ /* C i denotes (t i + L i) Ball(R i)*/ Input: S i+1 C i+1, t i, ϕ i, R i Output: S i, elements of C i Set S i = Reorganize S i+1 into buckets indexed by the values of ϕ i foreach v S i+1 do foreach u in the bucket of index ϕ i(v) do if u + v R i then S i = S i {u + v} return S i Complexity and constraints for parameters α and β. It is clear that at each level, conditions (3) and (4) imply that S i is a subset of C i. We now need to prove that there exist constants α and β such that a constructed list S i contains all or at least a vast majority of C i. If, by decreasing induction on i, S i is close to C i, the main requirement is that almost all points of C i 1 can be expressed as the sum of two points in C i, see Fig. 2 for an illustration. This geometric constraint can be simply rephrased as follows: a vector z C i 1 is found if and only if there exists at least one vector x of the coset t i + L i in the intersection of two balls of radius R i, the first one centered in 0, and the second one in z. It is clear that z x C i = t i + L i since 2 t i = t i 1 and L i 1 L i. So if there is a point x C i in the intersection I = Ball(0, R i ) Ball(z, R i ), we obtain z C i 1 as a sum between x C i and z x C i. Under the Gaussian heuristic this occurs with high probability as soon as the intersection I of the two balls has a larger volume than L i. We thus require that vol (I) / vol (L i ) K for some constant K > 1. From Lemma 1 and its corollary we derive that the intersection of two balls of radius R i at distance at most R i+1 = αr i is larger than vol(ball(r i 1 (α/2) 2 ))/ n. A sufficient condition on α and β is then ( β 1 (α/2) 2 ) n K n or alternatively (5) β 1 (α/2) 2 (1 + ε n ) (6) where ε n = (K n) 1/n 1 decreases towards 0 when n grows. Of course, for optimization reasons, we want to minimize the size of the lists β n, and the number of steps (β 2 /α) n in the merge. Therefore we want to minimize β and maximize α under the above constraint. For optimal parameters, inequality (6) is in fact an equality. Asymptotically, the optimal running time occur for α = 4/3 and β = 3/2, and the total running time of Alg. 1 is then given by B + poly(n) ( β 2 /α ) n where B represents the

8 8 running time of the initial enumeration at level k (details in Sect. 3.3). For the above choice of parameters, we calculate (β 2 /α) n n and need to store two lists of size β n n. Time-memory trade-off. Other choices of α and β that satisfy (6) provide a trade-off between running time and required memory. Figure 3 shows the logarithmic size of the lists the algorithm needs to store depending on the time one is willing to spend. If one has access to only β n n in memory, the time complexity increases to (β 2 /α) n n n n n α 1, β = 43 time vs. memory ( ) β 2 n α time = 2 0.4n n n n n α = 43, β = n 2 0.2n n n n n n n n n n 2 0.3n memory = β n Fig. 3. Trade-off between memory and time for varying choices of α and β. 3.2 Example for co-cyclic lattices or q-ary lattices. We show here how to apply the described method to co-cyclic lattices and q-ary lattices to give an intuition how the overlattices and the coset testing function ϕ i can be found. The tower of lattices remains implicit in the sense that we do not need to find a basis for each of the k + 1 lattices L i. We only need a description of the initial and the bottom lattice as we test membership to a coset by evaluating ϕ i. These examples show that the cost in the worst case may rise related to deviations from the Gaussian heuristic. Section 3.3 presents a generic method to create the overlattices that performs well in practice and ensures estimated complexity as denoted in Sect. 3.1 based on the Gaussian heuristic. Let L Z n be a co-cyclic lattice given as L = {x Z n, n i=1 a ix i = 0 mod M} for large M = α nk N and random integers a 1,.., a n [0, M 1]. The task is to enumerate C = (t + L) Ball n (R) where R = β r n vol(l) 1/n for a given β > 1. For k = O(n), the connection with random subset sum instances, as well as newer adaptations of worst-case to average case proofs (see [12]) support the claim that random instances are hard. Define N = α n. We can naturally define the tower consisting of lattices n L i = {y Z n, a i y i = 0 mod N k i }. i=1 At the level k, we have L k = Z n such that we can efficiently enumerate any coset C by use of the Schnorr-Euchner algorithm [29] in time poly(n) C. The coset testing function ϕ i, which represents x t i mod L i 1, can be implemented as a, x t i /N k i mod N.

9 A second example is the class of q-ary lattices. Let L be the lattice of dimension n and volume q k such that for x Z n, x L [(a 1,1 x a 1,n x n = 0 mod q)... (a k,1 x a k,n x n = 0 mod q)] (7) where a i,j are uniform in Z/qZ. For q = α n classical worst-case to average-case reductions prove that these lattices provide difficult lattice problems on average [1]. Here, a lattice L i could be defined as the lattice satisfying the last i equations of (7). Again, L k is Z n, L i 1 L i and vol (L i 1 ) /vol (L i ) = q. The coset testing function ϕ i can be computed as a i, x t i mod q. The main problem of the Z n lattice is that the Gaussian heuristic does not apply to its coset C k, whose radius R k is too close to n. Indeed, the number of points of Z n in a ball of radius R 0 n varies by exponential factors depending on the center of the ball [23]. If the target is very close to 0, like in a SVP-setting, the coset C k = Z n Ball n (R 0 ) then contains around n vectors 6, which differs considerably from β n n that we could expect of a random lattice. The initial coset would be impossible to store. More generally, the Gaussian heuristic is also used during the merge by collision on intersections of balls of radius R k centered in an exponential number of different points. Unfortunately, balls of radius R k centered in random points contain an exponentially smaller number of integer vectors than β n, and their intersection contain in general no integer point at all. Thus the collision by merge would fail to recover C k 1. The above examples represent a worst case where the Gaussian heuristic does not apply. We propose a different construction of the overlattices that is generic, which avoids the Z n lattice and uses quasi-orthonormal bases instead, and which works experimentally in the average i.e., for random lattices Generic creation of the tower Here, we present a generic method of computing the tower of L i that overcomes the problems we have shown in the previous section and that works well in practice for high dimensions as we have verified in our experiments. We take as input a randomized LLL- or BKZ-30-reduced basis B of an n-dimensional lattice L. We choose constants α > 1 and β satisfying equation (6) with the additional constraint that N = α n is an integer. The Gram Schmidt coefficients of B usually decrease geometrically, and we can safely assume that min i b i max i b i / 4/3 n. Otherwise, the LLL-reduced basis would immediately reveal a sublattice of dimension < n containing the shortest vectors of L. This means that there exists a smallest integer k = O(n) such that σ = vol(l) 1/n /α k min i [1,n] b i. The integer k determines the number of levels in our tower and σ is the n-th root of the volume of the last overlattice L k. Finally, we use a slightly modified version of the unbalanced reduction algorithm from [12] to compute a basis ˆB of L such that [ˆb 1 /N k, ˆb 2,..., ˆb n ] is quasi-orthogonal. This naturally defines the tower of k + 1 overlattices L i, where L i is generated by the corresponding basis B (i) = [ ˆb 1, ˆb N i 2,..., ˆb n ] for i = 0,.., k. The modified unbalanced reduction algorithm, Alg. 3 in the appendix, can be viewed as a reversed LLL-reduction algorithm: in each 2 2 dimensional projected block B [i,i+1], the 6 Computation based on saddle point method as in [23] for a radius β 2 /(2πe) n n.

10 10 LLL algorithm would shorten the first vector as much as possible. The unbalanced reduction focuses on decreasing the second projection b i+1 just below σ. By conservation of the volume, it suffices to replace b i by a sufficiently large combination b i+1 + γ b i. What is not trivial, is to prove that each block can be visited only once, and that tight choices of the combination coefficients γ effectively leads to a quasi-orthonormal basis, and therefore to an efficient enumeration for L k. More precisely, the cost of a full enumeration of any bounded coset (z+l k ) vol (Ball n (r n βσ)) at level k is: n vol(ball i (r n βσ)) n T SE = i=1 vol(b (k) [n+1 i,n] ) n V i (r n β) i = Õ ( n) (8) i=1 where the maximal term in the sum is of size Õ ( n). Experiments show that the above estimate is close to what we observe in practice as we present in Sect. 4. This number of steps in the full enumeration is an exponential factor < n larger than the complexity of the merge. In large dimensions, classical pruning techniques [13, 10] can be used to cancel this exponential factor as small as n, as soon as we are willing to miss a small fraction of C 0. This renders the time complexity of the initial pruned enumeration negligible compared to the complexity of the merge by collision. In the non-asymptotic case, i.e., for dimensions 100, the actual running time of the full enumeration is already smaller than the time for the merge by collision in the consecutive steps, as elementary operations in the enumeration are faster than memory access and vectors additions in the merge. 4 Experimental evidence In this section we present our experimental results of a C++-implementation of the algorithm presented in Sect. 3. We make use of newntl [14] and fplll [6] libraries. We tested the algorithm on random lattices of dimensions up to n = 80 as input. Relatively small dimensions allow us to enumerate the coset C 0 by Schnorr-Euchner and we can then benchmark the percentage of elements found by our probabilistic algorithm to show its effectiveness. Tests in smaller and larger dimensions confirm the choice of parameters that we computed for the asymptotic case. The memory requirement and running time in the course of execution match closely our estimates and the intermediate helper lattices L i behave as predicted. Furthermore, we observe that while enumerating elements in a coset, short elements, i.e., either a short vector or a close vector, are particularly easy to find. More precisely, even though we might miss some elements of the target coset, we almost always solve the SVP (or CVP). How to choose ε n. For design reasons we have described an algorithm that in each iteration produces the same number of elements per list, C 0 (β(1 + ε n )) n on average, in order to find all of C 0. We tested different values ε n 0.08 for each dimension. The larger the dimension, the smaller ε n can be chosen, see (6). Figure 4 shows the relation between varying ε n and the fraction of found vectors of C 0 for dimension n {40, 45, 50, 55, 60}. The optimal choice for ε n depends on the aimed success ratio, i.e., the fraction of elements of C 0 found.

11 number of distinct elements fraction of found vectors 11 n=60 n=55 n=50 n=45 n= C experiment C0 C0 *(1-(1-p)r) ε Fig. 4. Fraction of vectors in C0 found for varying εn number of repetitions Fig. 5. Success probability after repetition, n = e e+07 number of vectors tested occurence of vector for 100 bases Probability of success for randomized repetitions - small dimension. Suppose that we want to enumerate 100% of a coset C0 in dimension 50. According to Fig. 4, we need to choose εn at least of size 0.07, which results in lists of size (1 + εn )50 β β 50 and running time (1 + εn )100 (β 2 /α) (β 2 /α)50. An alternative which is less memory consuming is to choose a smaller εn, and to run the algorithm on randomized input bases. For instance, if one chooses ε = , one should expect to recover p = 6% of C0 per iteration on average. Then, assuming that the recovered vectors are uniformly and independently distributed in C0, we expect to find a fraction of 1 (1 p)r after r repetitions. As an example, we tested repeated execution for SVP instances with parameters n = 50, p p β (1 + ε) = 3/ , α = 4/3. Figure 5 shows the average number of distinct vectors of C0 recovered as a function of the number of repetitions (and the standard deviation). For a random lattice of dimension n = 50 and ε = , the size of the coset C0 is roughly In our experiments, we found vectors (48%) after 10 repetitions in which we randomized the basis. After 20 trials, we found elements which corresponds to 70%, and after 70 trials, we found elements (99% of C0 ). We obtained analogue results in larger dimension n = 55. After 10 trials with ε = 0.054, we obtain 96.5% of the vectors of C experiment heuristic 1e+07 8e+06 6e+06 4e+06 2e norm of the vector Fig. 6. Correlation of occurrence of vectors and its length projection i = 1 to Fig. 7. Comparison between the actual number of nodes during enumeration and the Gaussian heuristic predictions for dimension 55. Shorter or closer vectors are easier to find. During the merge operations, we can find a vector v if there exists vectors in the intersection between two balls of the same radius, centered at the end points of v. As the intersection is larger when v is shorter, see Fig. 8, we can deduce that short vectors of a coset are easier to find than longer ones.

12 12 R i z R i z Fig. 8. Volume of intersection varies for vectors z of different length. As we work with cosets, this means that vectors which are closer to the target (i.e., short lattice vectors when the target is 0) should appear more often if we randomize the input basis. We verified this experimentally by comparing the norm of a vector with the number of appearances during 100 repetitions in dimension 50, with ε = , see Fig. 6. In particular, if we wish to solve an exact SVP or CVP, one can choose an ε that permits to recover only 50% of C 0. This is sufficient since the target solution is a short element compared to the search radius and will be recovered with high probability for most bases. Larger dimensions n = 70, 80. For larger dimensions, we used a more powerful machine based on the Opteron 6176 processor, containing 48 cores at 2.3 Ghz, and 256 GB of RAM. We set α = 4/3 and β = 3/2. In dimension 80, we chose aborted BKZ-30 [15] as a preprocessing. The algorithm has 8 levels and we chose ε = to obtain 97% of C 0 after a single run. The initial enumeration on one core took a very short time of 6h30 while a level of the merge took between 40 to 50 CPU days which corresponds to less than 24h in parallel on the 48 cores. Tab. 2 presents the observed size of the lists S i C i for each level as well as for dimension 70. Table 2. Experimental results for α = 4/3 and β = 3/2. level = i n = 80 S i in millions ε = % of Gauss. heuristic n = 70 S i in millions ε = % of Gauss. heuristic n = 70 S i in millions ε = % of Gauss. heuristic The number of elements in lower levels lies below the heuristic estimate and we keep loosing elements during the merge for the deepest levels. For example, in dimension 80 we start with 73% of C 8 and recover only 43% of C 7 after one step. Towards higher levels, we slowly begin to recover more and more elements. In dimension 80, the size of the lists starts to increase from level 5 on as S 5, S 4 and S 3 cover 41%, 47% and 56 % of the vectors, respectively. This continues until the final step where we find 97% of the elements of C 0. This seems to be the general trend whenever we recover a non-negligible subset of C 0. We discuss these observations in the following paragraphs. Our quasi-orthogonal lattices at the bottom level behave randomly and follow the Gaussian heuristic. The most basic method to fill the bottom list L k is to run Schnorr-Euchner

13 enumeration (see Sect. 2). Following the Gaussian heuristic, the expected number of nodes in the enumeration tree is given by (8). Previous research have established that this estimate is accurate for random BKZ-reduced bases of random lattices in high dimension. Here, since we work with quasi-orthogonal bases, which are very specific, we redo the experiment, and see that the heuristic also holds. Already for small dimensions (40, 50, 55), experiments show that the actual number of steps is very close to the expected value, as shown in Fig. 7. Notes on the Gaussian heuristic for intermediate levels. We also make use of the Gaussian heuristic when we estimate the number of coset vectors in the intersection of two balls during the merge by collision. The fact that the size of the lists in our experiments decreases within the deepest levels indicates that the Gaussian heuristic is not accurate for balls intersections. However, since we still obtain a considerable fraction of elements, the deviation remains small. The results can be explained by the fact that the lower lattices are not random enough. Beside the geometry of lattices, the deviation depends on the center of the balls or the center of the intersection. Randomly centered cosets of quasi-orthonormal lattices contain experimentally an average number of points a constant factor below (β(1+ε)) n. Zero-centered cosets contain more points, and should be avoided. The randomization of the initial target used in Alg. 1 ensures that the centers are random modulo L k, even in a SVP setting. The number of vectors stays hence below, but close to the estimate β n (1 + ε n ) n after the first collision steps. Following steps can only improve the situation. The lattices in higher levels are more and more random and we observe that the algorithm recovers the expected number of vectors while performing collision merge. This is a sign that our algorithm is stable even when the input pools S i are incomplete. Finally, experiments support the claim that the number of elements per bucket during the merge by collision corresponds to the average value (β/α) n. For example, in dimension n = 80, for parameters α = 4/3, β = 3/2, ε = 0.044, we observe that the largest bucket contains only 10% more elements than the average value, and that 60% of the buckets are within ±2% of the average value Conclusion We have presented an alternative approach to solve the hard lattice problems SVP and CVP for random lattices. It makes use of a new technique that is different from the ones used so far in enumeration or sieving algorithms and works by moving short vectors along a tower of nested lattices. Our experiments show that the method works well in practice. More testing and analysis is required to assess the impact of this new method when used as a subroutine for strong lattice reduction algorithms such as BKZ. References 1. M. Ajtai. The shortest vector problem in L 2 is NP-hard for randomized reductions (extended abstract). In STOC 98, pages 10 19, M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proc. 33rd STOC, pages , A. Becker, J.-S. Coron, and A. Joux. Improved generic algorithms for hard knapsacks. In Proc. of Eurocrypt 2011, LNCS 6632, pages Springer-Verlag, 2011.

14 14 4. A. Becker, A. Joux, A. May, and A. Meurer. Decoding random binary linear codes in 2 n/20 : How = 0 improves information set decoding. In EUROCRYPT, volume 7237 of Lecture Notes in Computer Science, pages Springer, M. I. Boguslavsky. Radon transforms and packings. Discrete Applied Mathematics, 111(1-2):3 22, X. Cadé, D. Pujol and D. Stehlé. fplll 4.0.4, May D. Coppersmith. Finding a small root of a bivariate integer equation; factoring with high bits known. In Maurer [22], pages D. Coppersmith. Finding a small root of a univariate modular equation. In Maurer [22], pages I. Dinur, G. Kindler, and S. Safra. Approximating-cvp to within almost-polynomial factors is np-hard. In Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS 98, pages 99, Washington, DC, USA, IEEE Computer Society. 10. M. Fukase and K. Yamaguchi. Finding a very short lattice vector in the extended search space. JIP, 20(3): , N. Gama, N. Howgrave-Graham, H. Koy, and P. Q. Nguyen. Rankin s constant and blockwise lattice reduction. In CRYPTO, pages , N. Gama, M. Izabachene, and P. Q. Nguyen. Worst-case to average-case reduction for almost all lattices. To appear, N. Gama, P. Q. Nguyen, and O. Regev. Lattice enumeration using extreme pruning. In EUROCRYPT, pages , N. Gama, J. van de Pol, and J. M. Schanck. Fork of V. Shoup s number theory library NTL, with improved lattice funtionnalities. gama/newntl.html, February G. Hanrot, X. Pujol, and D. Stehlé. Analyzing blockwise lattice algorithms using dynamical systems. In CRYPTO, pages , G. Hanrot and D. Stehlé. Improved analysis of Kannan s shortest lattice vector algorithm (extended abstract). In Proceedings of Crypto 2007, volume 4622 of LNCS, pages Springer-Verlag, A. Joux and J. Stern. Lattice reduction: A toolbox for the cryptanalyst. J. Cryptology, 11(3): , R. Kannan. Improved algorithms for integer programming and related lattice problems. In Proceedings of the fifteenth annual ACM symposium on Theory of computing, STOC 83, pages , New York, NY, USA, ACM. 19. R. M. Karp. Reducibility among combinatorial problems. In R. E. Miller and J. W. Thatcher, editors, Complexity of Computer Computations, The IBM Research Symposia Series, pages Plenum Press, New York, A. Korkine and G. Zolotarev. Sur les formes quadratiques. Mathematische Annalen 6, pages , A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261: , U. M. Maurer, editor. Advances in Cryptology - EUROCRYPT 96, International Conference on the Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12-16, 1996, Proceeding, volume 1070 of Lecture Notes in Computer Science. Springer, J. E. Mazo and A. M. Odlyzko. Lattice points in high-dimensional spheres. Monatshefte für Mathematik, 110:47 62, D. Micciancio. The shortest vector in a lattice is hard to approximate to within some constant. In Proceedings of the 39th Annual Symposium on Foundations of Computer Science, FOCS 98, pages 92, Washington, DC, USA, IEEE Computer Society. 25. D. Micciancio and P. Voulgaris. A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In Proceedings of the 42nd ACM symposium on Theory of computing, STOC 10, pages , New York, NY, USA, ACM. 26. D. Micciancio and P. Voulgaris. Faster exponential time algorithms for the shortest vector problem. In SODA, pages ACM/SIAM, P. Q. Nguyen and T. Vidick. Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology, R. Rankin. On positive definite quadratic forms. J. Lond. Math. Soc., 28: , K.-P. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Math. Program., 66: , J. L. Thunder. Higher-dimensional analogs of Hermite s constant. Michigan Math. J., 45(2): , X. Wang, M. Liu, C. Tian, and J. Bi. Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 11, pages 1 9, New York, NY, USA, ACM.

15 15 A Intersection of hyperballs The volume of the intersection, vol I (d), of two n-dimensional hyperballs of radius 1 at distance d [0.817; 2] can be approximated for large n by the volume of the n- dimensional ball of radius D = 1 ( d 2, 2) see Lemma 1 below. If we consider the intersection of two balls of radius R, the volume gets multiplied by a factor R n as stated in Corollary 1. Lemma 1. The volume of the intersection of two n-dimensional hyperballs of radius 1 at distance d [0.817; 2] is ( ) 2V n 1 d vol I (d) arccos (n + 1)V n 2 vol(ball n (D)) 2V ( ) n 1 d ( n 2 + 1)V arccos n 2 where D = 1 ( d 2. 2) Proof: The intersection of two balls of radius 1 whose centers are at distance d [0, 2] of each other can be expressed as vol I (d) = 2 1 d 2 ( ) n 1 arccos(d/2) V n 1 1 x 2 dx = 2 Vn 1 sin n (θ) dθ where V n 1 equals the volume of the n 1-dimensional ball of radius 1. For d [0.817; 2] one can bound the sinus term in the integral: D arccos(d/2) θ sin(θ) D arccos(d/2) θ. 0 Therefore, we obtain bounds for the volume of the intersection: vol I (d) 2V ( ) n 1 d n arccos D n 2 and which proves the lemma. vol I (d) 2V ( ) n 1 d n + 1 arccos D n 2 We can use the lower-bound of Lemma 1 and obtain a numerical lowerbound on the volume of the intersection of balls of radius R at distance at most 4/3R used in our algorithm: Corollary 1 For all dimensions n 10, the volume of the intersection of two n-dimensional hyperballs of radius R at distance dr where d 4/3 is lower-bounded by: R n vol I (d) ( ) R n vol Ball n d 2 1. n 2 B Unbalanced reduction Let B be a basis of a lattice L. We wish to construct a basis C such that ( c 1 N k, c 2,..., c n ) is quasi-orthogonal basis, and such that the corresponding lattice L k still satisfies the Gaussian

16 16 Heuristic for randomly centered hyperballs. The idea is to ensure that the Gram schmidt coefficients of the new basis are almost equal to the n-th root of the volume, which is σ. This algorithm is a particular case of the structural reduction presented in [12]. The theorem proves that the output basis is a quasi-orthonormal basis. Algorithm 3: Unbalanced Reduction Input: A LLL-reduced basis B of an integer lattice L such that max b i / min b i 4/3 n, and a target length σ min b i Output: A basis C of L satisfying c i σ and σ n+1 i /vol(c [i,n] ) n + 1 i for all i [2, n]. C B Compute the Gram-Schmidt matrices µ and C if i c i σ then return C Let k be the largest index such that c k > σ for i = k 1,..., 1 do ( ) γ µ i+1,i + c i+1 c i 2 c i σ 1 (c i, c i+1) (c i+1 + γ c i, c i) Update the Gram-Schmidt matrices µ and C. return C Theorem 1 states the requirements for which Alg. 3 is of polynomial time. Theorem 1 (Unbalanced reduction). Let L(B) be an n-dimensional integer lattice with a LLL-reduced basis B = [b 1,.., b n ]. Let σ be a target length min b i. Algorithm 3 outputs in polynomial time a basis C of L satisfying c i σ for all i [2, n] (9) c 1 σn vol(l)/σ n (10) σ n+1 i n + 1 i for all i [2, n] (11) vol(c [i,n] ) Proof of Theorem 1 and Algorithm 3: We use the suffix old and new to denote the values of the variables at the beginning and at the end of the for loop of Alg. 3, respectively. Furthermore, we call x i the value b new i during iteration i. Note that x i is also b old i during the next iteration (of index i 1 since i goes backwards). For i [1, n], let a i = b i /σ. Note that a i is always 1. We show by induction over i that the following invariant holds at the end of each iteration of Alg. 3): a i x i+1 x i a i x i+1 + σa i. (12) At the first iteration (i = k 1), it is clear that x k = b old k = σa k. At the beginning of iteration i, we always have b old i > σ, and by induction, b old i+1 > σ. We transform the block so that the norm of the first vector satisfies R b new i R + b old i (13) where R = b old i+1 b old i /σ.

17 This condition can always be fulfilled with a primitive vector of the form b new i = b old i+1 + γbold i for some γ Z. Since the volume is invariant, the new b new i+1 is upper-bounded by σ. And by construction, Equation (13) is equivalent to the invariant (12) since b old i = a i σ, b new i = x i and b old i+1 = x i+1. By developping (12), we derive a bound on x 1 : x 1 σ k k a 1... a i σn a i nσvol(l)/σ n i=1 which proves (10). Similarly, one obtains that x i (n + 1 i)σvol(b [i,n] )/σ n+1 i, which is equivalent to (11). Note that the transformation matrix of the unbalanced reduction algorithm is γ 1 γ k where γ i is µ i+1,i + x i+1 σ 1 1 a 2 i n j=i+1 i= Since each x i+1 is bounded by a j = n j=i+1 max(1, b j 2 /σ), all coefficients have a size polynomial in the input basis. This proves that Alg. 3 has polynomial running time. 17