Lattice Reduction with Approximate Enumeration Oracles

Practical Algorithms and Concrete Performance

  • Conference paper
  • Advances in Cryptology – CRYPTO 2021 (CRYPTO 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12826)

Abstract

This work provides a systematic investigation of the use of approximate enumeration oracles in BKZ, building on recent technical progress on speeding-up lattice enumeration: relaxing (the search radius of) enumeration and extended preprocessing which preprocesses in a larger rank than the enumeration rank. First, we heuristically justify that relaxing enumeration with certain extreme pruning asymptotically achieves an exponential speed-up for reaching the same root Hermite factor (RHF). Second, we perform simulations/experiments to validate this and the performance for relaxed enumeration with numerically optimised pruning for both regular and extended preprocessing.

Upgrading BKZ with such approximate enumeration oracles gives rise to our main result, namely a practical and faster (wrt. previous work) polynomial-space lattice reduction algorithm for reaching the same RHF in practical and cryptographic parameter ranges. We assess its concrete time/quality performance with extensive simulations and experiments.
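The root Hermite factor (RHF) is the time/quality metric throughout the abstract and is normalised by the (n-1)-th root as footnote 1 describes. The following is an added example (not code from the paper or its authors) that computes the RHF of a basis from its Gram-Schmidt vectors, so that outputs of different reduction algorithms can be compared on the same scale; the two small bases are constructed here for illustration.

```python
import math

# Constructed sample bases (not from the paper); each row is a basis vector.
SAMPLE_ORTHOGONAL = [[2, 0, 0], [0, 4, 0], [0, 0, 8]]  # vol = 64, ||b_1|| = 2
SAMPLE_SKEWED = [[2, 1], [1, 3]]                        # vol = 5,  ||b_1|| = sqrt(5)


def gram_schmidt_norms(basis):
    """Return the squared norms ||b_i*||^2 of the Gram-Schmidt vectors."""
    gs, norms_sq = [], []
    for b in basis:
        v = [float(x) for x in b]
        for u, u_sq in zip(gs, norms_sq):
            # mu_ij = <b_i, b_j*> / ||b_j*||^2, then project b_j* out of v
            mu = sum(x * y for x, y in zip(b, u)) / u_sq
            v = [x - mu * y for x, y in zip(v, u)]
        gs.append(v)
        norms_sq.append(sum(x * x for x in v))
    return norms_sq


def log_volume(basis):
    """log vol(L) = sum_i log ||b_i*||; the product of Gram-Schmidt norms."""
    return 0.5 * sum(math.log(s) for s in gram_schmidt_norms(basis))


def root_hermite_factor(basis):
    """RHF = (||b_1|| / vol(L)^{1/n})^{1/(n-1)}, computed in log space.

    The (n-1)-th root is the normalisation of footnote 1: reduction
    algorithms reach an RHF that does not grow with the rank n.
    """
    n = len(basis)
    if n < 2:
        raise ValueError("RHF is only defined for rank at least 2")
    log_b1 = 0.5 * math.log(sum(x * x for x in basis[0]))
    log_hermite_factor = log_b1 - log_volume(basis) / n
    return math.exp(log_hermite_factor / (n - 1))


if __name__ == "__main__":
    for name, basis in (("orthogonal", SAMPLE_ORTHOGONAL), ("skewed", SAMPLE_SKEWED)):
        print(f"{name}: RHF = {root_hermite_factor(basis):.5f}")
```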

J. Rowell—This work was supported in part by EPSRC grants EP/S020330/1, EP/S02087X/1, EP/P009301/1, by European Union Horizon 2020 Research and Innovation Program Grant 780701, by Innovate UK grant AQuaSec, by NIST award 60NANB18D216 and by National Science Foundation under Grant No. 2044855. Part of this work was done while MA visited the Simons Institute for the Theory of Computing. The full version of this work is available as [5].

Notes

  1. The normalisation by the \((n\,-\,1)\)-th root is justified by the fact that the algorithms considered here achieve RHFs that are bounded independently of the lattice rank \(n\).

  2. We also observed a small speed-up of \(c=0.15\) over \(c=0.25\) (claimed to be the “optimal” in [4]) and verified it using the original simulation code from [4] in the full version of this work.

  3. To put this into perspective, [55] reports solving 1.05-HSVP in rank 150 using a distributed implementation of an enumeration algorithm. As a result, we expect the speedups demonstrated in this work to be practical.

  4. We discuss the (apparent lack of) applicability of our approach to the sieving setting in the full version of this work.

  5. This does not imply, though, that those works endorse this mode of comparison, e.g. [15] explicates its objections to it.

  6. The reader may consult [4, Fig. 4] for the case \(c=0.00, \alpha =1.00\).

References

  1. Aggarwal, D., Li, J., Nguyen, P.Q., Stephens-Davidowitz, N.: Slide reduction, revisited—filling the gaps in SVP approximation. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 274–295. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_10

  2. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press (May 1996)

  3. Ajtai, M.: The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract). In: 30th ACM STOC, pp. 10–19. ACM Press (May 1998)

  4. Albrecht, M.R., Bai, S., Fouque, P.A., Kirchner, P., Stehlé, D., Wen, W.: Faster enumeration-based lattice reduction: root Hermite factor \(k^{1/(2k)}\) Time \(k^{k/8+o(k)}\). In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 186–212. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_7

  5. Albrecht, M.R., Bai, S., Li, J., Rowell, J.: Lattice reduction with approximate enumeration oracles: practical algorithms and concrete performance. Cryptology ePrint Archive, Report 2020/1260 (2020). https://eprint.iacr.org/2020/1260

  6. Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes!. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19

  7. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

  8. Albrecht, M.R., Gheorghiu, V., Postlethwaite, E.W., Schanck, J.M.: Estimating quantum speedups for lattice sieves. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 583–613. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_20

  9. Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11

  10. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 327–343. USENIX Association (August 2016)

  11. Aono, Y., Nguyen, P.Q., Shen, Y.: Quantum lattice enumeration and tweaking discrete pruning. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 405–434. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_14

  12. Aono, Y., Wang, Y., Hayashi, T., Takagi, T.: Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 789–819. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_30

  13. Bai, S., Stehlé, D., Wen, W.: Measuring, simulating and exploiting the head concavity phenomenon in BKZ. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part I. LNCS, vol. 11272, pp. 369–404. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_13

  14. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: Krauthgamer, R. (ed.) 27th SODA, pp. 10–24. ACM-SIAM (January 2016)

  15. Bernstein, D.J., et al.: NTRU prime. Tech. rep., National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  16. Blichfeldt, H.F.: A new principle in the geometry of numbers, with some applications. Trans. Am. Math. Soc. 16, 227–235 (1914)

  17. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1

  18. Conway, J.H., Sloane, N.J.A.: Sphere-Packings, Lattices, and Groups. Springer, Heidelberg (1987). https://doi.org/10.1007/978-1-4757-6568-7

  19. Ducas, L., Stevens, M., van Woerden, W.: Advanced lattice sieving on GPUs, with tensor cores (2021). to appear in Eurocrypt 2021. https://eprint.iacr.org/2021/141

  20. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice, including a complexity analysis. Math. Comput. 44(170), 463–471 (1985)

  21. FPLLL development team: FPLLL, a lattice reduction library (2019). https://github.com/fplll/fplll

  22. FPyLLL development team: FPyLLL, a Python interface to FPLLL (2020). https://github.com/fplll/fpylll

  23. Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 207–216. ACM Press (May 2008)

  24. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_3

  25. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13

  26. Garcia-Morchon, O., et al.: Round5. Tech. rep., National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  27. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press (May 2008)

  28. Hanrot, G., Pujol, X., Stehlé, D.: Analyzing blockwise lattice algorithms using dynamical systems. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 447–464. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_25

  29. Hanrot, G., Stehlé, D.: Improved analysis of Kannan’s shortest lattice vector algorithm. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 170–186. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_10

  30. Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. Theory Comput. 8(1), 513–531 (2012). preliminary version in Proceedings of STOC ’07

  31. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: 15th ACM STOC, pp. 193–206. ACM Press (April 1983)

  32. Khot, S.: Hardness of approximating the shortest vector problem in lattices. J. ACM 52(5), 789–808 (2005). preliminary version in Proceedings of FOCS ’04

  33. Laarhoven, T.: Search problems in cryptography. Ph.D. thesis, Eindhoven University of Technology (2015)

  34. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 366–389 (1982)

  35. Li, J., Nguyen, P.Q.: A complete analysis of the BKZ lattice reduction algorithm (2020). https://eprint.iacr.org/2020/1237.pdf

  36. Lovász, L.: An algorithmic theory of numbers, graphs and convexity. Society for Industrial and Applied Mathematics (1986)

  37. Micciancio, D.: The shortest vector in a lattice is hard to approximate to within some constant. SIAM J. Comput. 30(6), 2008–2035 (2001). preliminary version in Proceedings of FOCS ’98

  38. Micciancio, D.: Inapproximability of the shortest vector problem: toward a deterministic reduction. Theory Comput. 8(22), 487–512 (2012). http://www.theoryofcomputing.org/articles/v008a022

  39. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: Indyk, P. (ed.) 26th SODA, pp. 276–294. ACM-SIAM (January 2015)

  40. Micciancio, D., Walter, M.: Practical, predictable lattice basis reduction. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 820–849. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_31

  41. Milnor, J., Husemoller, D.: Symmetric Bilinear Forms. Springer, Heidelberg (1973). https://doi.org/10.1007/978-3-642-88330-9

  42. Nguên, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_13

  43. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 333–342. ACM Press (May/June 2009)

  44. Pohst, M.: On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications. SIGSAM Bull. 15, 37–44 (1981)

  45. Poppelmann, T., et al.: NewHope. Tech. rep., National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  46. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (May 2005)

  47. Rogers, C.A.: The number of lattice points in a set. Proc. Lond. Math. Soc. 3, 305–320 (1956)

  48. Schneider, M., Gama, N.: Darmstadt SVP challenges (2010). https://www.latticechallenge.org/svp-challenge/index.php. Accessed 17 Aug 2018

  49. Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)

  50. Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14

  51. Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)

  52. Schnorr, C.P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Guillou, L.C., Quisquater, J.J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 1–12. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_1

  53. Shoup, V.: NTL 11.4.3: number theory c++ library (2020). http://www.shoup.net/ntl/

  54. Siegel, C.L.: Lectures on the Geometry of Numbers. Springer, New York (1989). https://doi.org/10.1007/978-3-662-08287-4

  55. Teruya, T., Kashiwabara, K., Hanaoka, G.: Fast lattice basis reduction suitable for massive parallelization and its application to the shortest vector problem. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 437–460. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_15

  56. Virtanen, P., et al.: SciPy 1.0: fundamental algorithms for scientific computing in Python. Nat. Methods 17, 261–272 (2020)

Author information

Corresponding author: Martin R. Albrecht.

Copyright information

© 2021 International Association for Cryptologic Research

Cite this paper

Albrecht, M.R., Bai, S., Li, J., Rowell, J. (2021). Lattice Reduction with Approximate Enumeration Oracles. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12826. Springer, Cham. https://doi.org/10.1007/978-3-030-84245-1_25

  • DOI: https://doi.org/10.1007/978-3-030-84245-1_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84244-4

  • Online ISBN: 978-3-030-84245-1
