761 research outputs found
Sieve algorithms for the shortest vector problem are practical
The most famous lattice problem is the Shortest Vector Problem (SVP), which has many applications in cryptology. The best approximation algorithms known for SVP in high dimension rely on a subroutine for exact SVP in low dimension. In this paper, we assess the practicality of the best (theoretical) algorithm known for exact SVP in low dimension: the sieve algorithm proposed by Ajtai, Kumar and Sivakumar (AKS) in 2001. AKS is a randomized algorithm of time and space complexity 2^(O(n)), which is theoretically much lower than the super-exponential complexity of all alternative SVP algorithms. Surprisingly, no implementation and no practical analysis of AKS has ever been reported. It was in fact widely believed that AKS was impractical: for instance, Schnorr claimed in 2003 that the constant hidden in the 2^(O(n)) complexity was at least 30. In this paper, we show that AKS can actually be made practical: we present a heuristic variant of AKS whose running time is (4/3+ε)^n polynomial-time operations, and whose space requirement is (4/3+ε)^(n/2) polynomially many bits. Our implementation can experimentally find shortest lattice vectors up to dimension 50, but is slower than classical alternative SVP algorithms in these dimensions.
Solving the Closest Vector Problem in Time--- The Discrete Gaussian Strikes Again!
We give a -time and space randomized algorithm for solving the
exact Closest Vector Problem (CVP) on -dimensional Euclidean lattices. This
improves on the previous fastest algorithm, the deterministic
-time and -space algorithm of
Micciancio and Voulgaris.
We achieve our main result in three steps. First, we show how to modify the
sampling algorithm from [ADRS15] to solve the problem of discrete Gaussian
sampling over lattice shifts, , with very low parameters. While the
actual algorithm is a natural generalization of [ADRS15], the analysis uses
substantial new ideas. This yields a -time algorithm for
approximate CVP for any approximation factor .
Second, we show that the approximate closest vectors to a target vector can
be grouped into "lower-dimensional clusters," and we use this to obtain a
recursive reduction from exact CVP to a variant of approximate CVP that
"behaves well with these clusters." Third, we show that our discrete Gaussian
sampling algorithm can be used to solve this variant of approximate CVP.
The analysis depends crucially on some new properties of the discrete
Gaussian distribution and approximate closest vectors, which might be of
independent interest
Quantum Lattice Sieving
Lattices are very important objects in the effort to construct cryptographic
primitives that are secure against quantum attacks. A central problem in the
study of lattices is that of finding the shortest non-zero vector in the
lattice. Asymptotically, sieving is the best known technique for solving the
shortest vector problem, however, sieving requires memory exponential in the
dimension of the lattice. As a consequence, enumeration algorithms are often
used in place of sieving due to their linear memory complexity, despite their
super-exponential runtime. In this work, we present a heuristic quantum sieving
algorithm that has memory complexity polynomial in the size of the length of
the sampled vectors at the initial step of the sieve. In other words, unlike
most sieving algorithms, the memory complexity of our algorithm does not depend
on the number of sampled vectors at the initial step of the sieve.
Comment: A reviewer pointed out an error in the amplitude amplification step
in the analysis of Theorem 6. While we believe this error can be resolved, we
are not sure how to do it at the moment and are taking down this submission.
Lattice sparsification and the Approximate Closest Vector Problem
We give a deterministic algorithm for solving the
$(1+\varepsilon)$-approximate Closest Vector Problem (CVP) on any
-dimensional lattice and in any near-symmetric norm in
$2^{O(n)}(1+1/\varepsilon)^n$ time and $2^n\,\mathrm{poly}(n)$ space. Our algorithm
builds on the lattice point enumeration techniques of Micciancio and
Voulgaris (STOC 2010, SICOMP 2013) and Dadush, Peikert and Vempala
(FOCS 2011), and gives an elegant, deterministic alternative to the
"AKS Sieve"-based algorithms for $(1+\varepsilon)$-CVP (Ajtai, Kumar, and
Sivakumar; STOC 2001 and CCC 2002). Furthermore, assuming the
existence of a $\mathrm{poly}(n)$-space and -time algorithm for
exact CVP in the norm, the space complexity of our algorithm
can be reduced to polynomial.
Our main technical contribution is a method for "sparsifying" any
input lattice while approximately maintaining its metric structure. To
this end, we employ the idea of random sublattice restrictions, which
was first employed by Khot (FOCS 2003, J. Comp. Syst. Sci. 2006) for
the purpose of proving hardness for the Shortest Vector Problem (SVP)
under norms.
A preliminary version of this paper appeared in the Proc. 24th Annual
ACM-SIAM Symp. on Discrete Algorithms (SODA'13)
(http://dx.doi.org/10.1137/1.9781611973105.78)
Quantum Algorithms for Attacking Hardness Assumptions in Classical and Post-Quantum Cryptography
In this survey, the authors review the main quantum algorithms for solving the computational problems that serve as hardness assumptions for cryptosystems. To this end, the authors consider both the currently most widely used classically secure cryptosystems, and the most promising candidates for post-quantum secure cryptosystems. The authors provide details on the cost of the quantum algorithms presented in this survey. The authors furthermore discuss ongoing research directions that can impact quantum cryptanalysis in the future.