Lattice Reduction Algorithms: Theory and Practice

Similar documents
BKZ 2.0: Better Lattice Security Estimates

Predicting Lattice Reduction

A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors

Predicting Lattice Reduction

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

On estimating the lattice security of NTRU

Lattice Reduction for Modular Knapsack

Improved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract)

Lattice reduction for modular knapsack

Improved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Improved Analysis of Kannan s Shortest Lattice Vector Algorithm

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Solving All Lattice Problems in Deterministic Single Exponential Time

Lattice-based Cryptography

Isodual Reduction of Lattices

Solving the Shortest Lattice Vector Problem in Time n

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

Analyzing Blockwise Lattice Algorithms using Dynamical Systems

Rankin s Constant and Blockwise Lattice Reduction

Adapting Density Attacks to Low-Weight Knapsacks

Analyzing Blockwise Lattice Algorithms Using Dynamical Systems

COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective

Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Computers and Mathematics with Applications

arxiv: v1 [cs.cr] 25 Jan 2013

Sieving for Shortest Vectors in Ideal Lattices

Dimension-Preserving Reductions Between Lattice Problems

Finding shortest lattice vectors faster using quantum search

Some Sieving Algorithms for Lattice Problems

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio

Solving shortest and closest vector problems: The decomposition approach

Short generators without quantum computers: the case of multiquadratics

Low-Density Attack Revisited

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures

Cryptanalysis of two knapsack public-key cryptosystems

Finding shortest lattice vectors faster using quantum search

Solving BDD by Enumeration: An Update

New attacks on RSA with Moduli N = p r q

Cryptanalysis of the Quadratic Generator

Quantum-resistant cryptography

Short Stickelberger Class Relations and application to Ideal-SVP

BALANCED INTEGER SOLUTIONS OF LINEAR EQUATIONS

Identifying Ideal Lattices

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Improving BDD cryptosystems in general lattices

Extended Lattice Reduction Experiments using the BKZ Algorithm

Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems

Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search

2 cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternativ

A new attack on RSA with a composed decryption exponent

On the smallest ratio problem of lattice bases

Creating a Challenge for Ideal Lattices

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Hard Instances of Lattice Problems

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Looking back at lattice-based cryptanalysis

Open problems in lattice-based cryptography

PAPER On the Hardness of Subset Sum Problem from Different Intervals

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices

The Shortest Vector Problem (Lattice Reduction Algorithms)

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Enumeration. Phong Nguyễn

New Partial Key Exposure Attacks on RSA

Short generators without quantum computers: the case of multiquadratics

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Block Korkin{Zolotarev Bases. and Successive Minima. C.P. Schnorr TR September Abstract

Reduction of Smith Normal Form Transformation Matrices

Lattice-Based Cryptography

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences

Réduction de réseau et cryptologie.

and the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that

Solving LWE with BKW

New Practical Algorithms for the Approximate Shortest Lattice Vector

The Simple 7-(33,8,10)-Designs with Automorphism Group PΓL(2,32)

Worst case complexity of the optimal LLL algorithm

Inapproximability Results for the Closest Vector Problem with Preprocessing over l Norm

Gauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1

Lattice preconditioning for the real relaxation branch-and-bound approach for integer least squares problems

Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures

Floating-Point LLL Revisited

Hardness of the Covering Radius Problem on Lattices

COS 598D - Lattices. scribe: Srdjan Krstic

Practical, Predictable Lattice Basis Reduction

Closest Point Search in Lattices

Ideal Lattices and NTRU

New Partial Key Exposure Attacks on RSA

The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications

Sieving for shortest vectors in lattices using angular locality-sensitive hashing

Time-Memory Trade-Off for Lattice Enumeration in a Ball

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

CS Topics in Cryptography January 28, Lecture 5

Sieving for Shortest Vectors in Ideal Lattices:

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

Transcription:

Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction algorithms have surprisingly many applications in mathematics and computer science, notably in cryptology. On the one hand, lattice reduction algorithms are widely used in publickey cryptanalysis, for instance to attack special settings of RSA and DSA/ECDSA. On the other hand, there are more and more cryptographic schemes whose security require that certain lattice problems are hard. In this talk, we survey lattice reduction algorithms, present their performances, and discuss the differences between theory and practice. Intuitively, a lattice is an infinite arrangement of points in R m spaced with sufficient regularity that one can shift any point onto any other point by some symmetry of the arrangement. The simplest non-trivial lattice is the hypercubic lattice Z n formed by all points with integral coordinates. The branch of number theory dealing with lattices (and especially their connection with convex sets) is known as geometry of numbers [24,41,12,5], and its origins go back to two historical problems: higher-dimensional generalizations of Euclid s gcd algorithm and sphere packings. More formally, a lattice L is a discrete subgroup of R m, or equivalently, the set of all integer combinations of n linearly independent vectors b 1,...,b n in R n : L = {a 1 b 1 + + a n b n,a i Z}. Such a set (b 1,...,b n ) is called a basis of the lattice. The goal of lattice reduction is to find reduced bases, that is bases consisting of reasonably short and nearly orthogonal vectors. This is related to the reduction theory of quadratic forms developed by Lagrange [19], Gauss [11] and Hermite [14]. Lattice reduction algorithms have proved invaluable in many fields of computer science and mathematics (see the book [30]), notably public-key cryptanalysis where they have been used to break knapsack cryptosystems [32] and special cases of RSA and DSA, among others (see [26,21] and references therein). Reduced bases allow to solve the following important lattice problems, either exactly or approximately: The most basic computational problem involving lattices is the shortest vector problem (SVP), which asks to find a nonzero lattice vector of smallest norm, given a lattice basis as input. SVP can be viewed as a geometric generalization of gcd computations: Euclid s algorithm actually computes the K.G. Paterson (Ed.): Eurocrypt 2011, LNCS 6632, pp. 2 6, 2011. c International Association for Cryptologic Research 2011

Lattice Reduction Algorithms: Theory and Practice 3 smallest (in absolute value) non-zero linear combination of two integers, since gcd(a, b)z = az+ bz, which means that we are replacing the integers a and b by an arbitrary number of vectors b 1,...,b n with integer coordinates. Since SVP is NP-hard under randomized reductions [3] (see [17,34] for surveys on the hardness of lattice problems), one is also interested in approximating SVP, i.e. to output a nonzero lattice vector of norm not much larger than the smallest norm. The inhomogeneous version of SVP is called the closest vector problem (CVP); here we are given an arbitrary target vector in addition to the lattice basis and asked to find the lattice point closest to that vector. A popular particular case of CVP is Bounded Distance Decoding (BDD), where the target vector is known to be somewhat close to the lattice. The first SVP algorithm was Lagrange s reduction algorithm [19], which solves SVP exactly in dimension two, in quadratic time. In arbitrary dimension, there are two types of SVP algorithms: 1. Exact algorithms. These algorithms provably find a shortest vector, but they are expensive, with a running time at least exponential in the dimension. Intuitively, these algorithms perform an exhaustive search of all extremely short lattice vectors, whose number is exponential in the dimension (in the worst case): in fact, there are lattices for which the number of shortest lattice vectors is already exponential. Exact algorithms can be split in two categories: (a) Polynomial-space exact algorithms.they are based on enumeration which dates back to the early 1980s with work by Pohst [33], Kannan [16], and Fincke-Pohst [6]. In its simplest form, enumeration is simply an exhaustive search for the best integer combination of the basis vectors. The best deterministic enumeration algorithm is Kannan s algorithm [16], with super-exponential worst-case complexity, namely n n/(2e)+o(n) polynomialtime operations (see [13]), where n denotes the lattice dimension. The enumeration algorithms used in practice (such as that of Schnorr-Euchner [37]) have a weaker preprocessing than Kannan s algorithm [16], and their worstcase complexity is 2 O(n2) polynomial-time operations. But it is possible to obtain substantial speedups using pruning techniques: pruning was introduced by Schnorr-Euchner [37] and Schnorr-Hörner [38] in the 90s,and recently revisited by Gama, Nguyen and Regev [10], where it was shown that one can reach a 2 n/2 heuristic speedup over basic enumeration. (b) Exponential-space exact algorithms. Thesealgorithmshaveabetter asymptotic running time, but they all require exponential space 2 Θ(n). The first algorithm of this kind is the randomized sieve algorithm of Ajtai, Kumar and Sivakumar (AKS) [4], with exponential worst-case complexity of 2 O(n) polynomial-time operations. Micciancio and Voulgaris [22] recently presented an alternative deterministic algorithm, which solves both CVP and SVP within 2 2n+o(n) polynomial-time operations. Interestingly, there are several heuristic variants [31,23,43] of AKS with running time 2 O(n),wheretheO() constant is much less than that of the best provable

4 P.Q. Nguyen algorithms known. For instance, the recent algorithm of Wang et al. [43] has time complexity 2 0.3836n polynomial-time operations. 2. Approximation algorithms. These algorithms are much faster than exact algorithms, but they only output short lattice vectors, not necessarily the shortest one: they typically output a whole reduced basis, and are therefore lattice reduction algorithms. The first algorithm of this kind is the celebrated algorithm of Lenstra, Lenstra and Lovász (LLL) [20,30], which can approximate SVP to within a factor O((2/ 3) n ) in polynomial time: it can be viewed as an algorithmic version of Hermite s inequality. Since the appearance of LLL, research in this area has focused on two topics: (a) Faster LLL. Here, one is interested in obtaining reduced bases of similar quality than LLL, possibly slightly worse, but with a smaller running time. This is achieved by a divide-and-conquer strategy (such as in [39,18]) or by using floating-point arithmetic (such as in [36,29,25]). The most popular implementations of LLL are typically heuristic floatingpoint variants, such as that of Schnorr-Euchner [37]: see the survey [42] on floating-point LLL. (b) Stronger LLL. Here, one is interested in obtaining better approximation factors than LLL, at the expense of the running time. Intuitively, LLL repeatedly uses two-dimensional reduction to find short lattice vectors in dimension n. Blockwise reduction algorithms [35,7,8] obtain better approximation factors by replacing this two-dimensional reduction subroutine by a higher-dimensional one, using exact SVP algorithms in low dimension. The best polynomial-time blockwise algorithm known [8] achieves a subexponential approximation factor 2 O((n log log n)/ log n) :it is an algorithmic version of Mordell s inequality. In practice, a popular choice is the BKZ algorithm of Schnorr-Euchner [37] implemented in the NTL library [40], which is a heuristic variant of Schnorr s blockwise algorithm [35]. The article [9] provides an experimental assessment of BKZ. Both categories are in fact complementary: all exact algorithms known first apply an approximation algorithm (typically at least LLL) as a preprocessing, while all blockwise algorithms call many times an exact algorithm in low dimension as a subroutine. Most of the SVP algorithms we mentioned can be adapted to CVP (see for instance [1]). The provable SVP algorithms are surveyed in [27]. The heuristic algorithms which we mentioned are such that their running time may no longer be proved, and/or there may not be any guarantee on the output (should the algorithm ever terminate). Heuristic algorithms can typically outperform provable algorithms in practice, for reasons still not well understood. Finally, it is folklore that lattice reduction algorithms behave better than their proved worst-case theoretical bounds. In the 80s, the early success of lattice reduction algorithms in cryptanalysis led to the belief that the strongest lattice reduction algorithms behaved as perfect oracles, at least in small dimension. But this belief showed its limits in the 90s with NP-hardness results and the development of lattice-based cryptography, following Ajtai s worst-case/average-case

Lattice Reduction Algorithms: Theory and Practice 5 reduction [2] and the NTRU cryptosystem [15]. The articles [28,9] clarify what can be expected in practice, based on experimental results. Such assessments are important to better understand the gap between theory and practice, but also to evaluate the concrete security of lattice-based cryptography. References 1. Agrell, E., Eriksson, T., Vardy, A., Zeger, K.: Closest point search in lattices. IEEE Trans. on Info. Theory 48(8), 2201 2214 (2002) 2. Ajtai, M.: Generating hard instances of lattice problems. In: Proc. STOC 1996, pp. 99 108. ACM, New York (1996) 3. Ajtai, M.: The shortest vector problem in L 2 is NP-hard for randomized reductions. In: Proc. of 30th STOC. ACM, New York (1998) 4. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proc. 33rd STOC, pp. 601 610 (2001) 5. Cassels, J.: An Introduction to the Geometry of Numbers (1997) 6. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Mathematics of Computation 44(170), 463 471 (1985) 7. Gama, N., Howgrave-Graham, N., Koy, H., Nguyên, P.Q.: Rankin s constant and blockwise lattice reduction. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 112 130. Springer, Heidelberg (2006) 8. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell s inequality. In: Proc. 40th ACM Symp. on Theory of Computing (STOC) (2008) 9. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31 51. Springer, Heidelberg (2008) 10. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257 278. Springer, Heidelberg (2010) 11. Gauss, C.: Disquisitiones Arithmeticæ, Leipzig (1801) 12. Gruber, M., Lekkerkerker, C.G.: Geometry of Numbers. North-Holland, Amsterdam (1987) 13. Hanrot, G., Stehlé, D.: Improved analysis of Kannan s shortest lattice vector algorithm (extended abstract). In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170 186. Springer, Heidelberg (2007) 14. Hermite, C.: Extraits de lettres de M. Hermite à M. Jacobi sur différents objets de la théorie des nombres. J. Reine Angew. Math. 40, 261 315 (1850) 15. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS III 1998. LNCS, vol. 1423, pp. 267 288. Springer, Heidelberg (1998) 16. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: Proc. 15th ACM Symp. on Theory of Computing (STOC), pp. 193 206 (1983) 17. Khot, S.: Inapproximability results for computational problems on lattices. In: [30] (2010) 18. Koy, H., Schnorr, C.-P.: Segment LLL-reduction of lattice bases. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 67 80. Springer, Heidelberg (2001) 19. Lagrange, L.: Recherches d arithmétique. Nouv. Mém. Acad. (1773)

6 P.Q. Nguyen 20. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Ann. 261, 513 534 (1982) 21. May, A.: Using LLL-reduction for solving RSA and factorization problems: A survey. In: [30] (2010) 22. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations. In: Proc. STOC 2010, pp. 351 358. ACM, New York (2010) 23. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: Proc. ACM-SIAM Symp. on Discrete Algorithms (SODA), pp. 1468 1480 (2010) 24. Minkowski, H.: Geometrie der Zahlen. Teubner-Verlag, Leipzig (1896) 25. Morel, I., Stehlé, D., Villard, G.: H-LLL: using householder inside LLL. In: Proc. ISSAC 2009, pp. 271 278. ACM, New York (2009) 26. Nguyen, P.Q.: Public-key cryptanalysis. In: Luengo, I. (ed.) Recent Trends in Cryptography. Contemporary Mathematics, vol. 477. AMS RSME (2009) 27. Nguyen, P.Q.: Hermite s constant and lattice algorithms. In: [30] (2010) 28. Nguyên, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS VII 2006. LNCS, vol. 4076, pp. 238 256. Springer, Heidelberg (2006) 29. Nguyen, P.Q., Stehlé, D.: An LLL algorithm with quadratic complexity. SIAM J. Comput. 39(3), 874 903 (2009) 30. Nguyen, P.Q., Vallée, B. (eds.): The LLL Algorithm: Survey and Applications. Information Security and Cryptography. Springer, Heidelberg (2010) 31. Nguyen, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology 2(2), 181 207 (2008) 32. Odlyzko, A.M.: The rise and fall of knapsack cryptosystems. In: Cryptology and Computational Number Theory. Proc. of Symposia in Applied Mathematics, vol. 42, pp. 75 88. AMS, Providence (1990) 33. Pohst, M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. SIGSAM Bull. 15(1), 37 44 (1981) 34. Regev, O.: On the Complexity of Lattice Problems with Polynomial Approximation Factors. In: [30] (2010) 35. Schnorr, C.-P.: A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science 53(2-3), 201 224 (1987) 36. Schnorr, C.-P.: A more efficient algorithm for lattice basis reduction. J. Algorithms 9(1), 47 62 (1988) 37. Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Programming 66, 181 199 (1994) 38. Schnorr, C.-P., Hörner, H.H.: Attacking the chor-rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1 12. Springer, Heidelberg (1995) 39. Schönhage, A.: Factorization of univariate integer polynomials by diophantine aproximation and an improved basis reduction algorithm. In: Paredaens, J. (ed.) ICALP 1984. LNCS, vol. 172, pp. 436 447. Springer, Heidelberg (1984) 40. Shoup, V.: Number Theory C++ Library (NTL) version 5.4.1, http://www.shoup.net/ntl/ 41. Siegel, C.L.: Lectures on the Geometry of Numbers. Springer, Heidelberg (1989) 42. Stehlé, D.: Floating-point LLL: theoretical and practical aspects. In: [30] (2010) 43. Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. Cryptology eprint Archive, Report 2010/647 (2010), http://eprint.iacr.org/

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback