46 research outputs found
Faster tuple lattice sieving using spherical locality-sensitive filters
To overcome the large memory requirement of classical lattice sieving
algorithms for solving hard lattice problems, Bai-Laarhoven-Stehl\'{e} [ANTS
2016] studied tuple lattice sieving, where tuples instead of pairs of lattice
vectors are combined to form shorter vectors. Herold-Kirshanova [PKC 2017]
recently improved upon their results for arbitrary tuple sizes, for example
showing that a triple sieve can solve the shortest vector problem (SVP) in
dimension in time , using a technique similar to
locality-sensitive hashing for finding nearest neighbors.
In this work, we generalize the spherical locality-sensitive filters of
Becker-Ducas-Gama-Laarhoven [SODA 2016] to obtain space-time tradeoffs for near
neighbor searching on dense data sets, and we apply these techniques to tuple
lattice sieving to obtain even better time complexities. For instance, our
triple sieve heuristically solves SVP in time . For
practical sieves based on Micciancio-Voulgaris' GaussSieve [SODA 2010], this
shows that a triple sieve uses less space and less time than the current best
near-linear space double sieve.Comment: 12 pages + references, 2 figures. Subsumed/merged into Cryptology
ePrint Archive 2017/228, available at https://ia.cr/2017/122
Tradeoffs for nearest neighbors on the sphere
We consider tradeoffs between the query and update complexities for the
(approximate) nearest neighbor problem on the sphere, extending the recent
spherical filters to sparse regimes and generalizing the scheme and analysis to
account for different tradeoffs. In a nutshell, for the sparse regime the
tradeoff between the query complexity and update complexity
for data sets of size is given by the following equation in
terms of the approximation factor and the exponents and :
For small , minimizing the time for updates leads to a linear
space complexity at the cost of a query time complexity .
Balancing the query and update costs leads to optimal complexities
, matching bounds from [Andoni-Razenshteyn, 2015] and [Dubiner,
IEEE-TIT'10] and matching the asymptotic complexities of [Andoni-Razenshteyn,
STOC'15] and [Andoni-Indyk-Laarhoven-Razenshteyn-Schmidt, NIPS'15]. A
subpolynomial query time complexity can be achieved at the cost of a
space complexity of the order , matching the bound
of [Andoni-Indyk-Patrascu, FOCS'06] and
[Panigrahy-Talwar-Wieder, FOCS'10] and improving upon results of
[Indyk-Motwani, STOC'98] and [Kushilevitz-Ostrovsky-Rabani, STOC'98].
For large , minimizing the update complexity results in a query complexity
of , improving upon the related exponent for large of
[Kapralov, PODS'15] by a factor , and matching the bound
of [Panigrahy-Talwar-Wieder, FOCS'08]. Balancing the costs leads to optimal
complexities , while a minimum query time complexity can be
achieved with update complexity , improving upon the
previous best exponents of Kapralov by a factor .Comment: 16 pages, 1 table, 2 figures. Mostly subsumed by arXiv:1608.03580
[cs.DS] (along with arXiv:1605.02701 [cs.DS]
Approximate Voronoi cells for lattices, revisited
We revisit the approximate Voronoi cells approach for solving the closest
vector problem with preprocessing (CVPP) on high-dimensional lattices, and
settle the open problem of Doulgerakis-Laarhoven-De Weger [PQCrypto, 2019] of
determining exact asymptotics on the volume of these Voronoi cells under the
Gaussian heuristic. As a result, we obtain improved upper bounds on the time
complexity of the randomized iterative slicer when using less than memory, and we show how to obtain time-memory trade-offs even when using
less than memory. We also settle the open problem of
obtaining a continuous trade-off between the size of the advice and the query
time complexity, as the time complexity with subexponential advice in our
approach scales as , matching worst-case enumeration bounds,
and achieving the same asymptotic scaling as average-case enumeration
algorithms for the closest vector problem.Comment: 18 pages, 1 figur
Approximate Algorithms on Lattices with Small Determinant
In this paper, we propose approximate lattice algorithms for
solving the shortest vector problem (SVP) and the closest vector
problem (CVP) on an -dimensional Euclidean integral lattice
L. Our algorithms run in polynomial time of the dimension and
determinant of lattices and improve on the LLL algorithm when the
determinant of a lattice is less than 2^{n^2/4}. More precisely,
our approximate SVP algorithm gives a lattice vector of size \le
2^{\sqrt{\log\det L}} and our approximate CVP algorithm gives a
lattice vector, the distance of which to a target vector is
2^{\sqrt{\log\det L}} times the distance from the target vector
to the lattice. One interesting feature of our algorithms is that
their output sizes are independent of dimension and become smaller
as the determinant of L becomes smaller. For example, if \det
L=2^{n \sqrt n}, a short vector outputted from our approximate
SVP algorithm is of size 2^{n^{3/4}}, which is asymptotically
smaller than the size 2^{n/4+\sqrt n} of the outputted short
vectors of the LLL algorithm. It is similar to our approximate CVP
algorithm
New Public-Key Crypto-System EHT
In this note, an LWE problem with a hidden trapdoor is introduced. It is used to construct an efficient public-key crypto-system EHT. The new system is significantly different from LWE based NIST candidates like FrodoKEM. The performance of EHT compares favorably with FrodoKEM
Quantum NV Sieve on Grover for Solving Shortest Vector Problem
Quantum computers can efficiently model and solve several challenging problems for classical computers, raising concerns about potential security reductions in cryptography. NIST is already considering potential quantum attacks in the development of post-quantum cryptography by estimating the quantum resources required for such quantum attacks. In this paper, we present quantum circuits for the NV sieve algorithm to solve the Shortest Vector Problem (SVP), which serves as the security foundation for lattice-based cryptography, achieving a quantum speedup of the square root. Although there has been extensive research on the application of quantum algorithms for lattice-based problems at the theoretical level, specific quantum circuit implementations for them have not been presented yet.
Notably, this work demonstrates that the required quantum complexity for the SVP in the lattice of rank 70 and dimension 70 is (a product of the total gate count and the total depth) with our optimized quantum implementation of the NV sieve algorithm.
This complexity is significantly lower than the NIST post-quantum security standard, where level 1 is , corresponding to the complexity of Grover\u27s key search for AES-128
Finding Shortest Vector Using Quantum NV Sieve on Grover
Quantum computers, especially those with over 10,000 qubits, pose a potential threat to current public key cryptography systems like RSA and ECC due to Shor\u27s algorithms. Grover\u27s search algorithm is another quantum algorithm that could significantly impact current cryptography, offering a quantum advantage in searching unsorted data. Therefore, with the advancement of quantum computers, it is crucial to analyze potential quantum threats.
While many works focus on Grover’s attacks in symmetric key cryptography, there has been no research on the practical implementation of the quantum approach for lattice-based cryptography. Currently, only theoretical analyses involve the application of Grover\u27s search to various Sieve algorithms.
In this work, for the first time, we present a quantum NV Sieve implementation to solve SVP, posing a threat to lattice-based cryptography. Additionally, we implement the extended version of the quantum NV Sieve (i.e., the dimension and rank of the lattice vector). Our extended implementation could be instrumental in extending the upper limit of SVP (currently, determining the upper limit of SVP is a vital factor). Lastly, we estimate the quantum resources required for each specific implementation and the application of Grover\u27s search.
In conclusion, our research lays the groundwork for the quantum NV Sieve to challenge lattice-based cryptography. In the future, we aim to conduct various experiments concerning the extended implementation and Grover\u27s search