35 research outputs found

    Approximate Voronoi cells for lattices, revisited

    Get PDF
    We revisit the approximate Voronoi cells approach for solving the closest vector problem with preprocessing (CVPP) on high-dimensional lattices, and settle the open problem of Doulgerakis-Laarhoven-De Weger [PQCrypto, 2019] of determining exact asymptotics on the volume of these Voronoi cells under the Gaussian heuristic. As a result, we obtain improved upper bounds on the time complexity of the randomized iterative slicer when using less than 20.076d+o(d)2^{0.076d + o(d)} memory, and we show how to obtain time-memory trade-offs even when using less than 20.048d+o(d)2^{0.048d + o(d)} memory. We also settle the open problem of obtaining a continuous trade-off between the size of the advice and the query time complexity, as the time complexity with subexponential advice in our approach scales as dd/2+o(d)d^{d/2 + o(d)}, matching worst-case enumeration bounds, and achieving the same asymptotic scaling as average-case enumeration algorithms for the closest vector problem.Comment: 18 pages, 1 figur

    Quantum Algorithms for the Approximate <i>k</i>-List Problem and their Application to Lattice Sieving

    Get PDF
    The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a dd-dimensional lattice in 2^{\const d + \smallo(d)} time steps with 2^{\const' d + \smallo(d)} memory for constants c,cc, c'. In this work, we give various quantum sieving algorithms that trade computational steps for memory.We first give a quantum analogue of the classical kk-Sieve algorithm [Herold--Kirshanova--Laarhoven, PKC'18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in 20.2989d+o(d)2^{0.2989d + o(d)} time steps using 20.1395d+o(d)2^{0.1395d + o(d)} memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D Thesis, 2015] which, in the same model, solves SVP in 20.2653d+o(d)2^{0.2653d + o(d)} time steps and memory. In the QRAM model these algorithms can be implemented using \poly(d) width quantum circuits.Secondly, we frame the kk-Sieve as the problem of kk-clique listing in a graph and apply quantum kk-clique finding techniques to the kk-Sieve. Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A'13] to the 22-Sieve and giving an analysis in the quantum circuit model. We show how to heuristically solve SVP in 20.1037d+o(d)2^{0.1037d + o(d)} time steps using 20.2075d+o(d)2^{0.2075d + o(d)} quantum memory

    Classical and quantum 3 and 4-sieves to solve SVP with low memory

    Get PDF
    The Shortest Vector Problem (SVP) is at the foundation of lattice-based cryptography. The fastest known method to solve SVP in dimension dd is by lattice sieving, which runs in time 2td+o(d)2^{td+o(d)} with 2md+o(d)2^{md+o(d)} memory for constants t,mΘ(1)t,m \in \Theta(1). Searching reduced vectors in the sieve is a problem reduced to the configuration problem, \ie searching kk vectors satisfying given constraints over their scalar products. In this work, we present a framework for kk-sieve algorithms: we filter the input list of lattice vectors using a code structure modified from [BDGL16] to get lists centred around kk codewords summing to the null-vector. Then, we solve a simpler instance of the configuration problem in the kk filtered lists. Based on this framework, we describe classical sieves for k=3k=3 and 44 that introduce new time-memory trade-offs. We also use the kk-Lists algorithm [KMPM19] inside our framework, and this improves the time for k=3k=3 and gives new trade-offs for k=4k=4

    Quantum Algorithms for Attacking Hardness Assumptions in Classical and Post‐Quantum Cryptography

    Get PDF
    In this survey, the authors review the main quantum algorithms for solving the computational problems that serve as hardness assumptions for cryptosystem. To this end, the authors consider both the currently most widely used classically secure cryptosystems, and the most promising candidates for post-quantum secure cryptosystems. The authors provide details on the cost of the quantum algorithms presented in this survey. The authors furthermore discuss ongoing research directions that can impact quantum cryptanalysis in the future

    Progressive lattice sieving

    Get PDF
    Most algorithms for hard lattice problems are based on the principle of rank reduction: to solve a problem in a dd-dimensional lattice, one first solves one or more problem instances in a sublattice of rank d1d - 1, and then uses this information to find a solution to the original problem. Existing lattice sieving methods, however, tackle lattice problems such as the shortest vector problem (SVP) directly, and work with the full-rank lattice from the start. Lattice sieving further seems to benefit less from starting with reduced bases than other methods, and finding an approximate solution almost takes as long as finding an exact solution. These properties currently set sieving apart from other methods. In this work we consider a progressive approach to lattice sieving, where we gradually introduce new basis vectors only when the sieve has stabilized on the previous basis vectors. This leads to improved (heuristic) guarantees on finding approximate shortest vectors, a bigger practical impact of the quality of the basis on the run-time, better memory management, a smoother and more predictable behavior of the algorithm, and significantly faster convergence - compared to traditional approaches, we save between a factor 2020 to 4040 in the time complexity for SVP

    The nearest-colattice algorithm

    Get PDF
    In this work, we exhibit a hierarchy of polynomial time algorithms solving approximate variants of the Closest Vector Problem (CVP). Our first contribution is a heuristic algorithm achieving the same distance tradeoff as HSVP algorithms, namely βn2βcovol(Λ)1n\approx \beta^{\frac{n}{2\beta}}\textrm{covol}(\Lambda)^{\frac{1}{n}} for a random lattice Λ\Lambda of rank nn. Compared to the so-called Kannan's embedding technique, our algorithm allows using precomputations and can be used for efficient batch CVP instances. This implies that some attacks on lattice-based signatures lead to very cheap forgeries, after a precomputation. Our second contribution is a proven reduction from approximating the closest vector with a factor n32β3n2β\approx n^{\frac32}\beta^{\frac{3n}{2\beta}} to the Shortest Vector Problem (SVP) in dimension β\beta.Comment: 19 pages, presented at the Algorithmic Number Theory Symposium (ANTS 2020

    Dissection-BKW

    Get PDF
    The slightly subexponential algorithm of Blum, Kalai and Wasserman (BKW) provides a basis for assessing LPN/LWE security. However, its huge memory consumption strongly limits its practical applicability, thereby preventing precise security estimates for cryptographic LPN/LWE instantiations. We provide the first time-memory trade-offs for the BKW algorithm. For instance, we show how to solve LPN in dimension kk in time 243klogk2^{\frac 43\frac k{\log k}} and memory 223klogk2^{\frac 23\frac k{\log k}}. Using the Dissection technique due to Dinur et al. (Crypto ’12) and a novel, slight generalization thereof, we obtain fine-grained trade-offs for any available (subexponential) memory while the running time remains subexponential. Reducing the memory consumption of BKW below its running time also allows us to propose a first quantum version QBKW for the BKW algorithm

    The General Sieve Kernel and New Records in Lattice Reduction

    Get PDF
    textabstractWe propose the General Sieve Kernel (G6K, pronounced /Ze.si.ka/), an abstract stateful machine supporting a wide variety of lattice reduction strategies based on sieving algorithms. Using the basic instruction set of this abstract stateful machine, we first give concise formulations of previous sieving strategies from the literature and then propose new ones. We then also give a light variant of BKZ exploiting the features of our abstract stateful machine. This encapsulates several recent suggestions (Ducas at Eurocrypt 2018; Laarhoven and Mariano at PQCrypto 2018) to move beyond treating sieving as a blackbox SVP oracle and to utilise strong lattice reduction as preprocessing for sieving. Furthermore, we propose new tricks to minimise the sieving computation required for a given reduction quality with mechanisms such as recycling vectors between sieves, on-the-fly lifting and flexible insertions akin to Deep LLL and recent variants of Random Sampling Reduction. Moreover, we provide a highly optimised, multi-threaded and tweakable implementation of this machine which we make open-source. We then illustrate the performance of this implementation of our sieving strategies by applying G6K to various lattice challenges. In particular, our approach allows us to solve previously unsolved instances of the Darmstadt SVP (151, 153, 155) and LWE (e.g. (75, 0.005)) challenges. Our solution for the SVP-151 challenge was found 400 times faster than the time reported for the SVP-150 challenge, the previous record. For exact SVP, we observe a performance crossover between G6K and FPLLL’s state of the art implementation of enumeration at dimension 70
    corecore