Skip to main content
SpringerLink
Log in
Book cover

International Conference on Post-Quantum Cryptography

PQCrypto 2019: Post-Quantum Cryptography pp 3–22Cite as

Finding Closest Lattice Vectors Using Approximate Voronoi Cells

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11505))

Abstract

The two traditional hard problems underlying the security of lattice-based cryptography are the shortest vector problem (SVP) and the closest vector problem (CVP). For a long time, lattice enumeration was considered the fastest method for solving these problems in high dimensions, but recent work on memory-intensive methods has resulted in lattice sieving overtaking enumeration both in theory and in practice. Some of the recent improvements [Ducas, Eurocrypt 2018; Laarhoven–Mariano, PQCrypto 2018; Albrecht–Ducas–Herold–Kirshanova–Postlethwaite–Stevens, 2018] are based on the fact that these methods find more than just one short lattice vector, and this additional data can be reused effectively later on to solve other, closely related problems faster. Similarly, results for the preprocessing version of CVP (CVPP) have demonstrated that once this initial data has been generated, instances of CVP can be solved faster than when solving them directly, albeit with worse memory complexities [Laarhoven, SAC 2016].

In this work we study CVPP in terms of approximate Voronoi cells, and obtain better time and space complexities using randomized slicing, which is similar in spirit to using randomized bases in lattice enumeration [Gama–Nguyen–Regev, Eurocrypt 2010]. With this approach, we improve upon the state-of-the-art complexities for CVPP, both theoretically and experimentally, with a practical speedup of several orders of magnitude compared to non-preprocessed SVP or CVP. Such a fast CVPP solver may give rise to faster enumeration methods, where the CVPP solver is used to replace the bottom part of the enumeration tree, consisting of a batch of CVP instances in the same lattice.

Asymptotically, we further show that we can solve an exponential number of instances of CVP in a lattice in essentially the same amount of time and space as the fastest method for solving just one CVP instance. This is in line with various recent results, showing that perhaps the biggest strength of memory-intensive methods lies in being able to reuse the generated data several times. Similar to [Ducas, Eurocrypt 2018], this further means that we can achieve a “few dimensions for free” for sieving for SVP or CVP, by doing \(\varTheta (d/\log d)\) levels of enumeration on top of a CVPP solver based on approximate Voronoi cells.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Heuristically, finding a large fraction of all lattice vectors below a given norm will suffice – one does not necessarily need to run a deterministic preprocessing algorithm to ensure all short lattice vectors are found.

  2. 2.

    As detailed in [52], by modifying sieve algorithms for SVP, one can also solve CVP with essentially equivalent heuristic time and space complexities as for SVP.

  3. 3.

    As the success prob. q for m trials scales as \(q = 1 - (1 - p)^m\) if each trial independently has success prob. p, we computed the success prob. per trial as \(p = 1 - (1 - q)^{1/m}\).

  4. 4.

    The full version of this paper including all appendices will be made available online at https://eprint.iacr.org/2016/888.

References

  1. SVP challenge (2018). http://latticechallenge.org/svp-challenge/

  2. Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete Gaussian sampling. In: STOC, pp. 733–742 (2015)

    Google Scholar 

  3. Aggarwal, D., Dadush, D., Stephens-Davidowitz, N.: Solving the closest vector problem in \(2^n\) time - the discrete Gaussian strikes again! In: FOCS, pp. 563–582 (2015)

    Google Scholar 

  4. Agrell, E., Eriksson, T., Vardy, A., Zeger, K.: Closest point search in lattices. IEEE Transact. Inf. Theor. 48(8), 2201–2214 (2002)

    Article  MathSciNet  Google Scholar 

  5. Aharonov, D., Regev, O.: Lattice problems in \({\sf NP} \cap {\sf coNP}\). In: FOCS, pp. 362–371 (2004)

    Google Scholar 

  6. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)

    Google Scholar 

  7. Albrecht, M., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E., Stevens, M.: The general sieve kernel and new records in lattice reduction. Preprint, 2018

    Google Scholar 

  8. Alekhnovich, M., Khot, S., Kindler, G., Vishnoi, N.: Hardness of approximating the closest vector problem with pre-processing. In: FOCS, pp. 216–225 (2005)

    Google Scholar 

  9. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX Security Symposium, pp. 327–343 (2016)

    Google Scholar 

  10. Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. In: FOCS, pp. 459–468 (2006)

    Google Scholar 

  11. Andoni, A., Indyk, P., Laarhoven, T., Razenshteyn, I., Schmidt, L.: Practical and optimal LSH for angular distance. In: NIPS, pp. 1225–1233 (2015)

    Google Scholar 

  12. Andoni, A., Laarhoven, T., Razenshteyn, I., Waingarten, E.: Optimal hashing-based time-space trade-offs for approximate near neighbors. In: SODA, pp. 47–66 (2017)

    Google Scholar 

  13. Andoni, A., Razenshteyn, I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC, pp. 793–801 (2015)

    Google Scholar 

  14. Aono, Y., Nguyen, P.Q.: Random sampling revisited: lattice enumeration with discrete pruning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 65–102. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_3

    Chapter  Google Scholar 

  15. Aono, Y., Nguyen, P.Q., Shen, Y.: Quantum lattice enumeration and tweaking discrete pruning. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 405–434. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_14

    Chapter  Google Scholar 

  16. Babai, L.: On Lovasz lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)

    Article  MathSciNet  Google Scholar 

  17. Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. In: ANTS, pp. 146–162 (2016)

    Google Scholar 

  18. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: SODA, pp. 10–24 (2016)

    Google Scholar 

  19. Becker, A., Gama, N., Joux, A.: A sieve algorithm based on overlattices. In: ANTS, pp. 49–70 (2014)

    Article  MathSciNet  Google Scholar 

  20. Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522, pp. 1–14 (2015)

    Google Scholar 

  21. Becker, A., Laarhoven, T.: Efficient (ideal) lattice sieving using cross-polytope LSH. In: AFRICACRYPT, pp. 3–23 (2016)

    Chapter  Google Scholar 

  22. Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-quantum Cryptography. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7

    Book  MATH  Google Scholar 

  23. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12

    Chapter  Google Scholar 

  24. Bhattacharya, S., et al.: Round5: Compact and fast post-quantum public-key encryption. Cryptology ePrint Archive, Report 2018/725 (2018)

    Google Scholar 

  25. Bonifas, N., Dadush, D.: Short paths on the Voronoi graph and the closest vector problem with preprocessing. In: SODA, pp. 295–314 (2015)

    Google Scholar 

  26. Bos, J., et al.: Frodo: Take off the ring! practical, quantum-secure key exchange from LWE. In: CCS, pp. 1006–1018 (2016)

    Google Scholar 

  27. Bos, J., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: Euro S&P, pp. 353–367 (2018)

    Google Scholar 

  28. Bos, J.W., Naehrig, M., van de Pol, J.: Sieving for shortest vectors in ideal lattices: a practical perspective. Int. J. Appl. Crypt. 3(4), 313–329 (2016)

    Article  MathSciNet  Google Scholar 

  29. Charikar, M.S.: Similarity estimation techniques from rounding algorithms. In: STOC, pp. 380–388 (2002)

    Google Scholar 

  30. Christiani, T.: A framework for similarity search with space-time tradeoffs using locality-sensitive filtering. In: SODA, pp. 31–46 (2017)

    Google Scholar 

  31. Conway, J.H., Sloane, N.J.A.: Sphere Packings, Lattices and Groups. Springer, Heidelberg (1999). https://doi.org/10.1007/978-1-4757-6568-7

    Book  MATH  Google Scholar 

  32. Correia, F., Mariano, A., Proenca, A., Bischof, C., Agrell, E.: Parallel improved Schnorr-Euchner enumeration SE++ for the CVP and SVP. In: PDP, pp. 596–603 (2016)

    Google Scholar 

  33. Dadush, D., Regev, O., Stephens-Davidowitz, N.: On the closest vector problem with a distance guarantee. In: CCC, pp. 98–109 (2014)

    Google Scholar 

  34. The FPLLL development team. FPLLL, a lattice reduction library (2016). https://github.com/fplll/fplll

  35. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

    Chapter  Google Scholar 

  36. Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Dilithium: Digital signatures from module lattices. CHES 2018, 238–268 (2018)

    Google Scholar 

  37. Feige, U., Micciancio, D.: The inapproximability of lattice and coding problems with preprocessing. In: CCC, pp. 32–40 (2002)

    Google Scholar 

  38. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)

    Article  Google Scholar 

  39. Fitzpatrick, R., et al.: Tuning gausssieve for speed. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 288–305. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_16

    Chapter  Google Scholar 

  40. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13

    Chapter  Google Scholar 

  41. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

    Google Scholar 

  42. Hermans, J., Schneider, M., Buchmann, J., Vercauteren, F., Preneel, B.: Parallel shortest lattice vector enumeration on graphics cards. In: AFRICACRYPT, pp. 52–68 (2010)

    Chapter  Google Scholar 

  43. Herold, G., Kirshanova, E.: Improved algorithms for the approximate k-list problem in euclidean norm. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 16–40. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_2

    Chapter  Google Scholar 

  44. Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time–memory trade-offs for tuple lattice sieving. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_14

    Chapter  Google Scholar 

  45. Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: STOC, pp. 604–613 (1998)

    Google Scholar 

  46. Ishiguro, T., Kiyomoto, S., Miyake, Y., Takagi, T.: Parallel gauss sieve algorithm: solving the SVP challenge over a 128-dimensional ideal lattice. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 411–428. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_24

    Chapter  Google Scholar 

  47. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)

    Google Scholar 

  48. Kirchner, P., Fouque, P.-A.: Time-memory trade-off for lattice enumeration in a ball. Cryptology ePrint Archive, Report 2016/222 (2016)

    Google Scholar 

  49. Klein, P.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)

    Google Scholar 

  50. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1

    Chapter  MATH  Google Scholar 

  51. Laarhoven, T.: Tradeoffs for nearest neighbors on the sphere. arXiv:1511.07527 [cs.DS], pp. 1–16 (2015)

  52. Laarhoven, T.: Sieving for closest lattice vectors (with preprocessing). In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 523–542. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_28

    Chapter  Google Scholar 

  53. Laarhoven, T., de Weger, B.: Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 101–118. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_6

    Chapter  Google Scholar 

  54. Laarhoven, T., Mariano, A.: Progressive lattice sieving. In: PQCrypto, pp. 292–311 (2018)

    Google Scholar 

  55. Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2), 375–400 (2015)

    Article  MathSciNet  Google Scholar 

  56. Lagarias, J.C., Lenstra, H.W., Schnorr, C.-P.: Korkin-Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatorica 10(4), 333–348 (1990)

    Article  MathSciNet  Google Scholar 

  57. Mariano, A., Bischof, C.: Enhancing the scalability and memory usage of HashSieve on multi-core CPUs. In: PDP, pp. 545–552 (2016)

    Google Scholar 

  58. Mariano, A., Laarhoven, T., Bischof, C.: Parallel (probable) lock-free HashSieve: a practical sieving algorithm for the SVP. In: ICPP, pp. 590–599 (2015)

    Google Scholar 

  59. Mariano, A., Laarhoven, T., Bischof, C.: A parallel variant of LDSieve for the SVP on lattices. In: PDP, pp. 23–30 (2017)

    Google Scholar 

  60. Mariano, A., Dagdelen, Ö., Bischof, C.: A comprehensive empirical comparison of parallel listsieve and gausssieve. In: Lopes, L., et al. (eds.) Euro-Par 2014. LNCS, vol. 8805, pp. 48–59. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-14325-5_5

    Chapter  Google Scholar 

  61. Mariano, A., Timnat, S., Bischof, C.: Lock-free GaussSieve for linear speedups in parallel high performance SVP calculation. In: SBAC-PAD, pp. 278–285 (2014)

    Google Scholar 

  62. Micciancio, D.: The hardness of the closest vector problem with preprocessing. IEEE Transact. Inf. Theory 47(3), 1212–1215 (2001)

    Article  MathSciNet  Google Scholar 

  63. Micciancio, D.: Efficient reductions among lattice problems. In: SODA, pp. 84–93 (2008)

    Google Scholar 

  64. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010)

    Google Scholar 

  65. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)

    Google Scholar 

  66. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: SODA, pp. 276–294 (2015)

    Google Scholar 

  67. Milde, B., Schneider, M.: A parallel implementation of gausssieve for the shortest vector problem in lattices. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 452–458. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23178-0_40

    Chapter  MATH  Google Scholar 

  68. Nguyên, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)

    Article  MathSciNet  Google Scholar 

  69. Dagdelen, Ö., Schneider, M.: Parallel enumeration of shortest lattice vectors. In: D’Ambra, P., Guarracino, M., Talia, D. (eds.) Euro-Par 2010. LNCS, vol. 6272, pp. 211–222. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15291-7_21

    Chapter  Google Scholar 

  70. Regev, O.: Improved inapproximability of lattice and coding problems with preprocessing. IEEE Transact. Inf. Theory 50(9), 2031–2037 (2004)

    Article  MathSciNet  Google Scholar 

  71. Schneider, M.: Analysis of Gauss-Sieve for solving the shortest vector problem in lattices. In: Katoh, N., Kumar, A. (eds.) WALCOM 2011. LNCS, vol. 6552, pp. 89–97. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19094-0_11

    Chapter  Google Scholar 

  72. Schneider, M.: Sieving for shortest vectors in ideal lattices. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 375–391. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_22

    Chapter  Google Scholar 

  73. Sommer, N., Feder, M., Shalvi, O.: Finding the closest lattice point by iterative slicing. SIAM J. Discret. Math. 23(2), 715–731 (2009)

    Article  MathSciNet  Google Scholar 

  74. Stephens-Davidowitz, N.: Dimension-preserving reductions between lattice problems, pp. 1–6 (2016). http://noahsd.com/latticeproblems.pdf

  75. van de Pol, J.: Lattice-based cryptography. Master’s thesis, Eindhoven University of Technology (2011)

    Google Scholar 

  76. Viterbo, E., Biglieri, E.: Computing the voronoi cell of a lattice: the diamond-cutting algorithm. IEEE Transact. Inf. Theory 42(1), 161–171 (1996)

    Article  MathSciNet  Google Scholar 

  77. Wang, J., Shen, H.T., Song, J., Ji, J.: Hashing for similarity search: a survey. arXiv:1408.2927 [cs.DS], pp. 1–29 (2014)

  78. Wang, X., Liu, M., Tian, C., Bi, J.: Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem. In: ASIACCS, pp. 1–9 (2011)

    Google Scholar 

  79. Yang, S.-Y., Kuo, P.-C., Yang, B.-Y., Cheng, C.-M.: Gauss sieve algorithm on GPUs. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 39–57. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_3

    Chapter  Google Scholar 

  80. Zhang, F., Pan, Y., Hu, G.: A three-level sieve algorithm for the shortest vector problem. In: SAC, pp. 29–47 (2013)

    Chapter  Google Scholar 

Download references

Acknowledgments

The authors are indebted to Léo Ducas, whose ideas and suggestions on this topic motivated work on this paper. The authors are further grateful to the reviewers, whose thorough study of the contents (with one review even exceeding the page limit for the conference) significantly helped improve the contents of the paper, as well as improve the presentation of the results. Emmanouil Doulgerakis is supported by the NWO under grant 628.001.028 (FASOR). At the time of writing a preliminary version of this paper, Thijs Laarhoven was supported by the SNSF ERC Transfer Grant CRETP2-166734 FELICITY. At the time of publishing, Thijs Laarhoven is supported by a Veni Innovational Research Grant from NWO under project number 016.Veni.192.005.

Author information

Authors and Affiliations

  1. Eindhoven University of Technology, Eindhoven, The Netherlands

    Emmanouil Doulgerakis, Thijs Laarhoven & Benne de Weger

Authors
  1. Emmanouil Doulgerakis
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Thijs Laarhoven
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Benne de Weger
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Thijs Laarhoven .

Editor information

Editors and Affiliations

  1. University of Cincinnati, Cincinnati, OH, USA

    Jintai Ding

  2. Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL, USA

    Rainer Steinwandt

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Doulgerakis, E., Laarhoven, T., de Weger, B. (2019). Finding Closest Lattice Vectors Using Approximate Voronoi Cells. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science(), vol 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-25510-7_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25509-1

  • Online ISBN: 978-3-030-25510-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation