Algorithmic Geometry of Numbers: LLL and BKZ

Size: px

Start display at page:

Download "Algorithmic Geometry of Numbers: LLL and BKZ"

Dinah Greer
5 years ago
Views:

1 Algorithmic Geometry of Numbers: LLL and BKZ Léo Ducas CWI, Amsterdam, The Netherlands HEAT Summer-School on FHE and MLM Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

2 A gift from Johannes Kepler to Matthäus Wacker von Wackenfels New year of 1611: Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

3 A gift from Johannes Kepler to Matthäus Wacker von Wackenfels New year of 1611: Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

4 A fruitful contemplation Figure : Strena, De Nive Sexangula (A new year gift: on the sexangular snow) Story told by J.C. Ameisen (Sur les Épaules de Darwin, Dec. 2013) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

5 A famous Conjecture Figure : The close packing conjecture conjecture Arrangement B is the most compact arrangement. Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

6 A proof in dimension 2? Let us restrict our attention to regular arrangement : lattices. What do we mean by compact? Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

7 A proof in dimension 2? Let us restrict our attention to regular arrangement : lattices. What do we mean by compact? Definition (Packing density) Let Λ be a lattice lattice, F a fundamental domain of Λ, and λ 1 the length of the shortest non-zero vector. The packing density is defined by: ρ(λ) = Vol( λ 1 2 B). Vol(F) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

Figure : Fundamental domains Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 5 / 28 A proof in dimension 2? Let us restrict our attention to regular arrangement : lattices.

8 Figure : Fundamental domains Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28 A proof in dimension 2? Let us restrict our attention to regular arrangement : lattices. What do we mean by compact? Definition (Packing density) Let Λ be a lattice lattice, F a fundamental domain of Λ, and λ 1 the length of the shortest non-zero vector. The packing density is defined by: ρ(λ) = Vol( λ 1 2 B). Vol(F)

9 Basis reduction in dimension 2 Lemma Let Λ be a lattice. Assume, wlog. that v = (1, 0) is a shortest vector. Then, there exists a basis v, w that: w 1 w = (x, y) where x 1/2 Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

10 Basis reduction in dimension 2 Lemma Let Λ be a lattice. Assume, wlog. that v = (1, 0) is a shortest vector. Then, there exists a basis v, w that: w 1 w = (x, y) where x 1/2 Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

11 Packing bound in dimension 2 We had v = (1, 0), w = (x, y) with w 1, and x 1/2. Hence: y 3/4. A fundamental domain is given by the parallelepiped : Its volume is: This gives: ( ) [ v 1 w 2, 1 ] 2 2 ( ) ( ) v 1 0 det = det = y 3/4. w x y ρ(λ) π (1/2)2 3/4 = π Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

12 Optimal packing in dimension 2 This bound is reached by the hexagonal lattice packing: Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

[Bees, 2 10 9 BC] (proof by trial-and-error) Léo Ducas

13 Optimal packing in dimension 2 This bound is reached by the hexagonal lattice packing: This is well-known since [Bees, BC] (proof by trial-and-error) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

14 Overview 1 Introduction 2 Hermite reduction, and the LLL algorithm 3 BKZ, and security estimate for lattice based cryptography 4 Conclusion Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

15 Gram-Schmidt Orthogonalization Orthogonal projection on the direction of u: Gram Schmidt Process: π u (v) = u, v u, u u. b 1 = b 1 = π 0 (b 1 ) b 2 = b 2 π b 1 (b 2 ) = π 1 (b 2 ) b 3 = b 3 π b 1 (b 3 ) π b 2 (b 3 ) = π 2 (b 3 ). b k = b k 1 k π b j (b k ) = πk 1 (b k) j=1. Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

16 Gram-Schmidt basis and Volume For any basis B of Λ, P(B) is a fundamental domain of Λ, and so is P(B ). The volume of the fundamental domain is independant of the choice of the basis: Vol(Λ) Vol(P(B )) = b i Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

17 Reduced basis of 2-dimensional lattice Let us re-express reduction in dimension 2 in Gram-Schmidt terms: Definition (Simplified) A basis (b 1, b 2 ) of Λ is said reduced if b 1 4 b 2 3 Such bases always exist. Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

18 Reduced basis of n-dimensional lattice Definition (Hermite) Let B = (b 1, b 2,..., b n ) be a basis of Λ. Set Λ i = π i (L(b i, b i+1 )). The basis B is said reduced if, for all i, In particular : πi (b i ), πi (b i+1 ) is a reduced of Λ i. b i b i and b 0 ( ) 4 n/4 Vol(Λ) 1/n. 3 Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

19 Reduced basis of n-dimensional lattice Definition (Hermite) Let B = (b 1, b 2,..., b n ) be a basis of Λ. Set Λ i = π i (L(b i, b i+1 )). The basis B is said reduced if, for all i, In particular : πi (b i ), πi (b i+1 ) is a reduced of Λ i. b i b i and b 0 ( ) 4 n/4 Vol(Λ) 1/n. 3 Theorem Such bases always exist. Proof by animation. Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

20 Existence of Hermite-reduced basis Define a potential P = (n i) log b i Prove that the potential strictly decrease at each step Prove that there are only finitely bases that can be visited during this process (discreteness of the lattice and bound on the norms) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

21 Existence of Hermite-reduced basis Define a potential P = (n i) log b i Prove that the potential strictly decrease at each step Prove that there are only finitely bases that can be visited during this process (discreteness of the lattice and bound on the norms) This proof is an algorithm! Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

22 Existence of Hermite-reduced basis Define a potential P = (n i) log b i Prove that the potential strictly decrease at each step Prove that there are only finitely bases that can be visited during this process (discreteness of the lattice and bound on the norms) This proof is an algorithm! But it may require super-exponentially many step... Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

23 LLL : an efficient relaxation Idea: Relax the constraint so that each step improves the potential P by a non-negligible term ɛ > 0. Theorem (LenstraLenstraLovasz82) For any ɛ, there exists a deterministic polynomial time algorithm, the basis of a lattice can be reduced so that: b i 4 b i ɛ. Must-read : [The LLL Algorithm, NguyenVallée]. Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

24 LLL in practice The analysis guarantee that: b i b i ɛ Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

25 LLL in practice The analysis guarantee that: b i b i ɛ In practice b i b i Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

26 LLL in practice The analysis guarantee that: In practice b i b i ɛ b i b i P. Nguyen: I hope I ll get to learn why before I die! Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

27 Overview 1 Introduction 2 Hermite reduction, and the LLL algorithm 3 BKZ, and security estimate for lattice based cryptography 4 Conclusion Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

28 The BKZ algorithm Idea: [SchnorrEuchner,1994] find the shortest vector in projected sub-lattices of dimension b > 2 as a sub-routine. Theorem (HanrotPujolSthelé) The BKZ b algorithm runs in time poly(n) SVP(b). Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

29 The BKZ algorithm Idea: [SchnorrEuchner,1994] find the shortest vector in projected sub-lattices of dimension b > 2 as a sub-routine. Theorem (HanrotPujolSthelé) The BKZ b algorithm runs in time poly(n) SVP(b). How short of a vector does BKZ b finds? Theoretical upper-bounds involving Rankin s constant Heuristically and experimentally, BKZ behave much better Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

30 The root hermite factor (heuristic) In practice, BKZ b produces a vector of size: δb n Vol(Λ)1/n. The gaussian heuristic predicts that the root Hermite factor δ b is about: δ b = (b/2πe) 1/2b. Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

31 The root hermite factor (heuristic) In practice, BKZ b produces a vector of size: δb n Vol(Λ)1/n. The gaussian heuristic predicts that the root Hermite factor δ b is about: δ b = (b/2πe) 1/2b. Figure : Heuristic Root Hermit factor δ b Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

32 The root hermite factor (a better heuristic?) Figure : Heuristic Root Hermit factor δ b This heuristic seems accurate for b > 45, but below that, is completly absurd! Find out a better one! Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

33 Run-time of BKZ No good close formula even abstracting out the cost of SVP(b). Very complete survey on the state of the art, and prediction scripts in [AlbrechtPlayerScott2015]. A gold mine: Thesis of [Chen2013] (a.k.a. full version of BKZ 2.0)! Reproducing and sharing code for some of those technique would be very valuble (and should be rewarded...) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

34 Run-time of SVP Enumeration [Kannan,FinckePost] with pruning [GamaNguyenRegev]: Super-exponential, ugly, hard to optimize, performance hard to predict, but still the best algorithm Sieving [MicciancioVoulgaris] with NNS techniques [Laarhoven,...]: neat, clean, exponential run-time with known constant... Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

35 Run-time of SVP Enumeration [Kannan,FinckePost] with pruning [GamaNguyenRegev]: Super-exponential, ugly, hard to optimize, performance hard to predict, but still the best algorithm Sieving [MicciancioVoulgaris] with NNS techniques [Laarhoven,...]: neat, clean, exponential run-time with known constant... and catching up! Time complexity n n n n NV '08 MV '10 (this work) Laa '15 (this work) BGJ '15 WLTB '11 LdW '15 / BL '15 ZPH '13 BGJ '14 LdW '15 / BL '15 (this work) BGJ '14 Laa '15 Time = Space Hot topic: Get sieving to beat enumeration in practice n n n n n Space complexity Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

36 Lower bounds for the designer My grain of salt: Simplify all hard to predict terms to the advantage of the attacker (he could come up with heuristic tricks) Make a clear distinction between best-known attack and security claim (help the cryptanalyst getting there hard work published) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

37 Lower bounds for the designer My grain of salt: Simplify all hard to predict terms to the advantage of the attacker (he could come up with heuristic tricks) Make a clear distinction between best-known attack and security claim (help the cryptanalyst getting there hard work published) Sieve-BKZ cost (using [BeckerD.GamaLaarhoven] for sieving): poly(n) b+o(b) Lower bound for the designer: b (paranoïacs may use b ). Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

38 Lower bounds for the designer My grain of salt: Simplify all hard to predict terms to the advantage of the attacker (he could come up with heuristic tricks) Make a clear distinction between best-known attack and security claim (help the cryptanalyst getting there hard work published) Sieve-BKZ cost (using [BeckerD.GamaLaarhoven] for sieving): poly(n) b+o(b) Lower bound for the designer: b (paranoïacs may use b ). This lower bounds also applies to enumeration with sieving for b > 150! Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

39 Overview 1 Introduction 2 Hermite reduction, and the LLL algorithm 3 BKZ, and security estimate for lattice based cryptography 4 Conclusion Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

40 The killer instinct? Figure : Cryptanalysis (according to certain view) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

41 The killer instinct? Figure : Cryptanalysis (according to certain view) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

42 A game (a very serious one!) Figure : Cryptanalysis (according my view) Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

43 The cat and mouse game The cat and mouse game is essential in determining what is secure and what is not, and is an amazing catalyst for crypto, math, and algorithmic. The rules: ouse: Meaningful and compact problems, or the cat may not even bother Cat: Reproducible claims, code-sharing, work as a community toward a unified lattice cryptanalysis playground Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

44 The cat and mouse game The cat and mouse game is essential in determining what is secure and what is not, and is an amazing catalyst for crypto, math, and algorithmic. The rules: ouse: Meaningful and compact problems, or the cat may not even bother Cat: Reproducible claims, code-sharing, work as a community toward a unified lattice cryptanalysis playground Problem: In lattice-based crypto, we don t have enough cats! Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

45 The cat and mouse game The cat and mouse game is essential in determining what is secure and what is not, and is an amazing catalyst for crypto, math, and algorithmic. The rules: ouse: Meaningful and compact problems, or the cat may not even bother Cat: Reproducible claims, code-sharing, work as a community toward a unified lattice cryptanalysis playground Problem: In lattice-based crypto, we don t have enough cats! Solution: Feed your cats (achievable concrete targets)! Solution: Become a cat! Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

46 Thank you! Léo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October / 28

Tuple Lattice Sieving

Tuple Lattice Sieving Shi Bai, Thijs Laarhoven and Damien Stehlé IBM Research Zurich and ENS de Lyon August 29th 2016 S. Bai, T. Laarhoven & D. Stehlé Tuple Lattice Sieving 29/08/2016 1/25 Main result