Lower Bounds on Lattice Sieving and Information Set Decoding

  • Conference paper
Advances in Cryptology – CRYPTO 2021 (CRYPTO 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12826)

Abstract

In two of the main areas of post-quantum cryptography, based on lattices and codes, nearest neighbor techniques have been used to speed up state-of-the-art cryptanalytic algorithms, and to obtain the lowest asymptotic cost estimates to date [May–Ozerov, Eurocrypt’15; Becker–Ducas–Gama–Laarhoven, SODA’16]. These upper bounds are useful for assessing the security of cryptosystems against known attacks, but to guarantee long-term security one would like to have closely matching lower bounds, showing that improvements on the algorithmic side will not drastically reduce the security in the future. As existing lower bounds from the nearest neighbor literature do not apply to the nearest neighbor problems appearing in this context, one might wonder whether further speedups to these cryptanalytic algorithms can still be found by only improving the nearest neighbor subroutines.

We derive new lower bounds on the costs of solving the nearest neighbor search problems appearing in these cryptanalytic settings. For the Euclidean metric we show that for random data sets on the sphere, the locality-sensitive filtering approach of [Becker–Ducas–Gama–Laarhoven, SODA 2016] using spherical caps is optimal, and hence within a broad class of lattice sieving algorithms covering almost all approaches to date, their asymptotic time complexity of \(2^{0.292d + o(d)}\) is optimal. Similar conditional optimality results apply to lattice sieving variants, such as the \(2^{0.265d + o(d)}\) complexity for quantum sieving [Laarhoven, PhD thesis 2016] and previously derived complexity estimates for tuple sieving [Herold–Kirshanova–Laarhoven, PKC 2018]. For the Hamming metric we derive new lower bounds for nearest neighbor searching which almost match the best upper bounds from the literature [May–Ozerov, Eurocrypt 2015]. As a consequence we derive conditional lower bounds on decoding attacks, showing that also here one should search for improvements elsewhere to significantly undermine security estimates from the literature.
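The abstract refers to the locality-sensitive filtering (LSF) approach with spherical caps without spelling out what the filter does. The following simulation is an added illustration, not code from the paper or its authors: it builds t random filter vectors on the unit sphere, lets a vector "survive" filter i when its inner product with f_i is at least a threshold alpha (i.e. it lies in the spherical cap around f_i), and compares only pairs that survive a common filter. It then measures how often pairs at 60 degrees (the reducing pairs a sieve is looking for, since two equal-length vectors have a shorter difference exactly when their angle is below 60 degrees) share a filter versus independent random pairs. The measured fraction of reducing pairs that are found is the "ratio of good pairs" whose effect on list sizes is discussed in Note 3 below. The dimension d = 30, t = 500 filters, alpha = 0.4 and the trial counts are constructed demo values, not the asymptotically optimal parameters of the paper.

```python
import math
import random

# Added illustration (not code from the paper): spherical-cap locality-sensitive
# filtering on random unit vectors, showing why close pairs are compared far more
# often than random pairs. Parameters below are constructed for the demo only.

SIXTY_DEGREES = math.pi / 3  # angle bound for a reducing pair in lattice sieving


def random_unit_vector(d, rng):
    """Uniformly random point on the unit sphere S^{d-1} (normalised Gaussian)."""
    v = [rng.gauss(0.0, 1.0) for _ in range(d)]
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def vector_at_angle(u, angle, rng):
    """Random unit vector whose angle with the unit vector u is exactly `angle`."""
    w = random_unit_vector(len(u), rng)
    proj = dot(u, w)
    w = [wi - proj * ui for wi, ui in zip(w, u)]  # make w orthogonal to u
    norm = math.sqrt(sum(x * x for x in w))
    w = [x / norm for x in w]
    c, s = math.cos(angle), math.sin(angle)
    return [c * ui + s * wi for ui, wi in zip(u, w)]  # <u, result> = cos(angle)


class SphericalCapFilters:
    """t random filter vectors f_1..f_t.  A vector v survives filter i iff
    <v, f_i> >= alpha, i.e. v lies in the spherical cap centred at f_i."""

    def __init__(self, d, t, alpha, rng):
        self.alpha = alpha
        self.filters = [random_unit_vector(d, rng) for _ in range(t)]

    def surviving(self, v):
        return {i for i, f in enumerate(self.filters) if dot(v, f) >= self.alpha}

    def collide(self, u, v):
        """u and v are compared by the sieve only if some filter accepts both."""
        return bool(self.surviving(u) & self.surviving(v))


def collision_rate(d, t, alpha, angle, trials, seed=1):
    """Fraction of sampled pairs that share at least one filter.

    angle=None samples an independent uniformly random pair (in high dimension
    such a pair is nearly orthogonal); otherwise the pair is at exactly `angle`.
    """
    rng = random.Random(seed)
    filt = SphericalCapFilters(d, t, alpha, rng)
    hits = 0
    for _ in range(trials):
        u = random_unit_vector(d, rng)
        v = random_unit_vector(d, rng) if angle is None else vector_at_angle(u, angle, rng)
        if filt.collide(u, v):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    D, T, ALPHA, TRIALS = 30, 500, 0.4, 300  # constructed demo parameters
    good = collision_rate(D, T, ALPHA, SIXTY_DEGREES, TRIALS)  # reducing pairs
    rand = collision_rate(D, T, ALPHA, None, TRIALS)           # random pairs
    print(f"reducing pairs (60 deg) sharing a filter: {good:.2f}")
    print(f"random pairs sharing a filter:            {rand:.2f}")
```

With these constructed parameters roughly half of the reducing pairs survive a common filter while only a few percent of random pairs do; raising t or lowering alpha increases the fraction of good pairs found at the price of more filter evaluations and more random collisions, which is exactly the time/recall tension that the lower bounds in the paper pin down for this family of algorithms.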

Elena Kirshanova is supported by the “5-100” Russian academic excellence project and by the Young Russian Mathematics scholarship. Thijs Laarhoven is supported by an NWO Veni grant (016.Veni.192.005). Part of this work was done while both authors were visiting the Simons Institute for the Theory of Computing at UC Berkeley for the Spring 2020 program “Lattices: Algorithms, Complexity, and Cryptography”.

Notes

  1. The literature on lattice algorithms is divided into two classes: algorithms with provable guarantees on the worst-case complexity for any input lattice [PS09, MV10a, ADRS15]; and algorithms making some heuristic assumptions about the “behavior” of random lattices, to obtain tighter average-case complexity estimates [NV08, GNR10, MV10b, Laa15a, ANSS18].

  2. We choose d to denote the length of the code rather than its minimum distance here, to be consistent with lattice and near neighbor literature.

  3. The term “almost all” can intuitively be interpreted as finding at least \(90\%\) of all such pairs (or, if only one such pair exists, making sure it is found with probability at least 0.90). Although this minimum success rate is not a hard limit, and the high-level ideas would still work if only e.g. \(50\%\) or \(10\%\) of all pairs are found, the complexities of these underlying algorithms are usually inversely proportional to the ratio of good pairs that are found in the closest pairs subroutine: finding a smaller ratio of good pairs commonly means having to use bigger lists, which in turn translates to a higher space complexity and a higher overall runtime due to having to search bigger lists.

  4. This further illustrates the need for good spherical codes for determining where to place these vectors \(\mathbf {v}_i\) to obtain the best performance in practice [AI06, TT07, AIL+15, Laa20].

References

  1. Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: STOC, pp. 284–293 (1997)

  2. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

  3. Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete Gaussian sampling. In: STOC, pp. 733–742 (2015)

  4. Albrecht, M.R., Gheorghiu, V., Postlethwaite, E.W., Schanck, J.M.: Estimating quantum speedups for lattice sieves. Cryptology ePrint Archive 2019/1161 (2019)

  5. Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. In: FOCS, pp. 459–468 (2006)

  6. Andoni, A., Indyk, P., Laarhoven, T., Razenshteyn, I., Schmidt, L.: Practical and optimal LSH for angular distance. In: NIPS, pp. 1225–1233 (2015)

  7. Andoni, A., Indyk, P., Nguyên, H.L., Razenshteyn, I.: Beyond locality-sensitive hashing. In: SODA, pp. 1018–1028 (2014)

  8. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)

  9. Andoni, A., Laarhoven, T., Razenshteyn, I., Waingarten, E.: Optimal hashing-based time-space trade-offs for approximate near neighbors. In: SODA, pp. 47–66 (2017)

  10. Aono, Y., Nguyen, P.Q., Seito, T., Shikata, J.: Lower bounds on lattice enumeration with extreme pruning. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 608–637. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_21

  11. Andoni, A., Razenshteyn, I.: Optimal data-dependent hashing for approximate near neighbors. In: STOC, pp. 793–801 (2015)

  12. Andoni, A., Razenshteyn, I.: Tight lower bounds for data-dependent locality-sensitive hashing. In: SOCG, pp. 1–15 (2016)

  13. Bos, J., et al.: Frodo: take off the ring! practical, quantum-secure key exchange from LWE. In: CCS, pp. 1006–1018 (2016)

  14. Bernstein, D.J., et al.: Classic McEliece: conservative code-based cryptography (2019)

  15. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving. In: SODA, pp. 10–24 (2016)

  16. Bos, J., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: Euro S&P, pp. 353–367 (2018)

  17. Becker, A., Gama, N., Joux, A.: Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search. Cryptology ePrint Archive, Report 2015/522, pp. 1–14 (2015)

  18. Bhattacharya, S., et al.: Round5: compact and fast post-quantum public-key encryption. Cryptology ePrint Archive, Report 2018/725 (2018)

  19. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how \(1+1=0\) improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31

  20. Becker, A., Laarhoven, T.: Efficient (ideal) lattice sieving using cross-polytope LSH. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 3–23. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_1

  21. Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. In: ANTS, pp. 146–162 (2016)

  22. Both, L., May, A.: Decoding linear codes with high error rate and its impact for LPN security. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 25–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_2

  23. Baernstein, A., Taylor, B.A.: Spherical rearrangements, subharmonic functions, and \(\ast \)-functions in \(n\)-space. Duke Math. J. 43(2), 245–268 (1976)

  24. Christiani, T.: A framework for similarity search with space-time tradeoffs using locality-sensitive filtering. In: SODA, pp. 31–46 (2017)

  25. Torres, R.C., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10

  26. Doulgerakis, E., Laarhoven, T., de Weger, B.: Sieve, enumerate, slice, and lift: hybrid lattice algorithms for SVP via CVPP. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 301–320. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_15

  27. Ducas, L., Laarhoven, T., van Woerden, W.: The randomized slicer for CVPP: sharper, faster, smaller, batchier. In: PKC, pp. 3–36 (2020)

  28. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

  29. Esser, A., Kübler, R., Zweydinger, F.: A faster algorithm for finding closest pairs in Hamming metric (2021)

  30. Fincke, U., Pohst, M.: Improved methods for calculating vectors of short length in a lattice. Math. Comput. 44(170), 463–471 (1985)

  31. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)

  32. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1

  33. Gama, N., Nguyen, P.Q., Regev, O.: Lattice enumeration using extreme pruning. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 257–278. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_13

  34. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

  35. Herold, G., Kirshanova, E.: Improved algorithms for the approximate k-list problem in Euclidean norm. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 16–40. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_2

  36. Herold, G., Kirshanova, E., Laarhoven, T.: Speed-ups and time–memory trade-offs for tuple lattice sieving. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 407–436. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_14

  37. Johnson, W.B., Lindenstrauss, J.: Extensions of Lipschitz mappings into a Hilbert space. Contemp. Math. 26(1), 189–206 (1984)

  38. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC, pp. 193–206 (1983)

  39. Klein, P.: Finding the closest lattice vector when it’s unusually close. In: SODA, pp. 937–941 (2000)

  40. Kirshanova, E., Mårtensson, E., Postlethwaite, E.W., Moulik, S.R.: Quantum algorithms for the approximate k-list problem and their application to lattice sieving. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 521–551. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_19

  41. Khot, S.A., Vishnoi, N.K.: The unique games conjecture, integrality gap for cut problems and embeddability of negative-type metrics into \(\ell _1\). J. ACM 62(1), 1–39 (2015)

  42. Laarhoven, T.: Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_1

  43. Laarhoven, T.: Tradeoffs for nearest neighbors on the sphere. arXiv:1511.07527 [cs.DS], pp. 1–16 (2015)

  44. Laarhoven, T.: Search problems in cryptography. Ph.D. thesis, Eindhoven University of Technology (2016)

  45. Laarhoven, T.: Faster tuple lattice sieving using spherical locality-sensitive filters. arXiv:1705.02828 [cs.DS], pp. 1–14 (2017)

  46. Laarhoven, T.: Polytopes, lattices, and spherical codes for the nearest neighbor problem. In: ICALP (2020)

  47. Laarhoven, T.: Approximate Voronoi cells for lattices, revisited. J. Math. Cryptol. 15, 1–21 (2021)

  48. Lange, T.: Overview of code-based crypto assumptions. Talk at Quantum Cryptanalysis of Post-Quantum Cryptography (2020)

  49. Laarhoven, T., de Weger, B.: Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 101–118. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_6

  50. Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2), 375–400 (2015)

  51. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  52. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. The Deep Space Network Progress Report, pp. 114–116 (1978)

  53. May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6

  54. Motwani, R., Naor, A., Panigrahy, R.: Lower bounds on locality sensitive hashing. SIAM J. Discret. Math. 21(4), 930–935 (2007)

  55. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9

  56. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)

  57. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010)

  58. Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)

  59. Nguyên, P.Q., Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. Math. Cryptol. 2(2), 181–207 (2008)

  60. O’Donnell, R., Wu, Y., Zhou, Y.: Optimal lower bounds for locality-sensitive hashing (except when \(q\) is tiny). ACM Trans. Comput. Theory 6(1), 5:1–5:13 (2014)

  61. Panigrahy, R.: Entropy based nearest neighbor search in high dimensions. In: SODA, pp. 1186–1195 (2006)

  62. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8, 5–9 (1962)

  63. Pujol, X., Stehlé, D.: Solving the shortest lattice vector problem in time \(2^{2.465n}\). Cryptology ePrint Archive, Report 2009/605, pp. 1–7 (2009)

  64. Panigrahy, R., Talwar, K., Wieder, U.: Lower bounds on near neighbor search via metric expansion. In: FOCS, pp. 805–814, October 2010

  65. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93 (2005)

  66. Regev, O.: The learning with errors problem (invited survey). In: CCC, pp. 191–204 (2010)

  67. Riesz, F.: Sur une inégalité intégrale. J. London Math. Soc. s1-5(3), 162–168 (1930)

  68. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  69. Schanck, J.: Sieve tables (2019)

  70. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS, pp. 124–134 (1994)

  71. Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36

  72. Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850

  73. SVP challenge (2020). http://latticechallenge.org/svp-challenge/

  74. Terasawa, K., Tanaka, Y.: Spherical LSH for approximate nearest neighbor search on unit hypersphere. In: Dehne, F., Sack, J.-R., Zeh, N. (eds.) WADS 2007. LNCS, vol. 4619, pp. 27–38. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73951-7_4

  75. Terasawa, K., Tanaka, Y.: Approximate nearest neighbor search for a dataset of normalized vectors. IEICE Trans. Inf. Syst. 92(9), 1609–1619 (2009)

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Cite this paper

Kirshanova, E., Laarhoven, T. (2021). Lower Bounds on Lattice Sieving and Information Set Decoding. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science, vol 12826. Springer, Cham. https://doi.org/10.1007/978-3-030-84245-1_27

  • DOI: https://doi.org/10.1007/978-3-030-84245-1_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-84244-4

  • Online ISBN: 978-3-030-84245-1

  • eBook Packages: Computer Science (R0)
