35 research outputs found
Approximate Voronoi cells for lattices, revisited
We revisit the approximate Voronoi cells approach for solving the closest
vector problem with preprocessing (CVPP) on high-dimensional lattices, and
settle the open problem of Doulgerakis-Laarhoven-De Weger [PQCrypto, 2019] of
determining exact asymptotics on the volume of these Voronoi cells under the
Gaussian heuristic. As a result, we obtain improved upper bounds on the time
complexity of the randomized iterative slicer when using less than memory, and we show how to obtain time-memory trade-offs even when using
less than memory. We also settle the open problem of
obtaining a continuous trade-off between the size of the advice and the query
time complexity, as the time complexity with subexponential advice in our
approach scales as , matching worst-case enumeration bounds,
and achieving the same asymptotic scaling as average-case enumeration
algorithms for the closest vector problem.Comment: 18 pages, 1 figur
Quantum Algorithms for the Approximate <i>k</i>-List Problem and their Application to Lattice Sieving
The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a -dimensional lattice in 2^{\const d + \smallo(d)} time steps with 2^{\const' d + \smallo(d)} memory for constants . In this work, we give various quantum sieving algorithms that trade computational steps for memory.We first give a quantum analogue of the classical -Sieve algorithm [Herold--Kirshanova--Laarhoven, PKC'18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in time steps using memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D Thesis, 2015] which, in the same model, solves SVP in time steps and memory. In the QRAM model these algorithms can be implemented using \poly(d) width quantum circuits.Secondly, we frame the -Sieve as the problem of -clique listing in a graph and apply quantum -clique finding techniques to the -Sieve. Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A'13] to the -Sieve and giving an analysis in the quantum circuit model. We show how to heuristically solve SVP in time steps using quantum memory
Classical and quantum 3 and 4-sieves to solve SVP with low memory
The Shortest Vector Problem (SVP) is at the foundation of lattice-based cryptography.
The fastest known method to solve SVP in dimension is by lattice sieving, which runs in time with memory for constants .
Searching reduced vectors in the sieve is a problem reduced to the configuration problem, \ie searching vectors satisfying given constraints over their scalar products.
In this work, we present a framework for -sieve algorithms: we filter the input list of lattice vectors using a code structure modified from [BDGL16] to get lists centred around codewords summing to the null-vector. Then, we solve a simpler instance of the configuration problem in the filtered lists.
Based on this framework, we describe classical sieves for and that introduce new time-memory trade-offs.
We also use the -Lists algorithm [KMPM19] inside our framework, and this improves the time for and gives new trade-offs for
Lattice Reduction with Approximate Enumeration Oracles:Practical Algorithms and Concrete Performance
Quantum Algorithms for Attacking Hardness Assumptions in Classical and Post‐Quantum Cryptography
In this survey, the authors review the main quantum algorithms for solving the computational problems that serve as hardness assumptions for cryptosystem. To this end, the authors consider both the currently most widely used classically secure cryptosystems, and the most promising candidates for post-quantum secure cryptosystems. The authors provide details on the cost of the quantum algorithms presented in this survey. The authors furthermore discuss ongoing research directions that can impact quantum cryptanalysis in the future
Progressive lattice sieving
Most algorithms for hard lattice problems are based on the principle of rank reduction: to solve a problem in a -dimensional lattice, one first solves one or more problem instances in a sublattice of rank , and then uses this information to find a solution to the original problem. Existing lattice sieving methods, however, tackle lattice problems such as the shortest vector problem (SVP) directly, and work with the full-rank lattice from the start. Lattice sieving further seems to benefit less from starting with reduced bases than other methods, and finding an approximate solution almost takes as long as finding an exact solution. These properties currently set sieving apart from other methods.
In this work we consider a progressive approach to lattice sieving, where we gradually introduce new basis vectors only when the sieve has stabilized on the previous basis vectors. This leads to improved (heuristic) guarantees on finding approximate shortest vectors, a bigger practical impact of the quality of the basis on the run-time, better memory management, a smoother and more predictable behavior of the algorithm, and significantly faster convergence - compared to traditional approaches, we save between a factor to in the time complexity for SVP
The nearest-colattice algorithm
In this work, we exhibit a hierarchy of polynomial time algorithms solving
approximate variants of the Closest Vector Problem (CVP). Our first
contribution is a heuristic algorithm achieving the same distance tradeoff as
HSVP algorithms, namely for a random
lattice of rank . Compared to the so-called Kannan's embedding
technique, our algorithm allows using precomputations and can be used for
efficient batch CVP instances. This implies that some attacks on lattice-based
signatures lead to very cheap forgeries, after a precomputation. Our second
contribution is a proven reduction from approximating the closest vector with a
factor to the Shortest Vector
Problem (SVP) in dimension .Comment: 19 pages, presented at the Algorithmic Number Theory Symposium (ANTS
2020
Dissection-BKW
The slightly subexponential algorithm of Blum, Kalai and Wasserman (BKW) provides a basis for assessing LPN/LWE security. However, its huge memory consumption strongly limits its practical applicability, thereby preventing precise security estimates for cryptographic LPN/LWE instantiations.
We provide the first time-memory trade-offs for the BKW algorithm. For instance, we show how to solve LPN in dimension in time and memory . Using the Dissection technique due to Dinur et al. (Crypto ’12) and a novel, slight generalization thereof, we obtain fine-grained trade-offs for any available (subexponential) memory while the running time remains subexponential.
Reducing the memory consumption of BKW below its running time also allows us to propose a first quantum version QBKW for the BKW algorithm
The General Sieve Kernel and New Records in Lattice Reduction
textabstractWe propose the General Sieve Kernel (G6K, pronounced
/Ze.si.ka/), an abstract stateful machine supporting a wide variety of
lattice reduction strategies based on sieving algorithms. Using the basic
instruction set of this abstract stateful machine, we first give concise
formulations of previous sieving strategies from the literature and then
propose new ones. We then also give a light variant of BKZ exploiting
the features of our abstract stateful machine. This encapsulates several
recent suggestions (Ducas at Eurocrypt 2018; Laarhoven and Mariano
at PQCrypto 2018) to move beyond treating sieving as a blackbox SVP
oracle and to utilise strong lattice reduction as preprocessing for sieving.
Furthermore, we propose new tricks to minimise the sieving computation
required for a given reduction quality with mechanisms such as recycling
vectors between sieves, on-the-fly lifting and flexible insertions akin to
Deep LLL and recent variants of Random Sampling Reduction.
Moreover, we provide a highly optimised, multi-threaded and tweakable
implementation of this machine which we make open-source. We then
illustrate the performance of this implementation of our sieving strategies
by applying G6K to various lattice challenges. In particular, our approach
allows us to solve previously unsolved instances of the Darmstadt SVP
(151, 153, 155) and LWE (e.g. (75, 0.005)) challenges. Our solution for the
SVP-151 challenge was found 400 times faster than the time reported for
the SVP-150 challenge, the previous record. For exact SVP, we observe
a performance crossover between G6K and FPLLL’s state of the art
implementation of enumeration at dimension 70