8 research outputs found
Approximating the densest sublattice from Rankin's inequality
Proceedings of Algorithmic Number Theory Symposium XI, GyeongJu, Korea, 6-11 August 2014.
We present a higher-dimensional generalization of the Gama-Nguyen algorithm (STOC '08) for approximating the shortest vector problem in a lattice. This generalization approximates the densest sublattice by using a subroutine solving the exact problem in low dimension, such as the Dadush-Micciancio algorithm (SODA '13). Our approximation factor corresponds to a natural inequality on Rankin's constant derived from Rankin's inequality.
On the Smallest Ratio Problem of Lattice Bases
Let be a lattice basis with Gram-Schmidt orthogonalization , the quantities for play important roles in analyzing lattice reduction algorithms and lattice enumeration algorithms. In this paper, we study the problem of minimizing the quantity over all bases of a given -dimensional lattice. We first prove that there exists a basis for any lattice of dimension such that , and for . This leads us to introduce a new NP-hard computational problem, that is, the smallest ratio problem (SRP): given an -dimensional lattice , find a basis of such that is minimal. The problem inspires the new lattice invariant and new lattice constant over all -dimensional lattices : both the minimum and maximum are justified. The properties of and are discussed. We also present an exact algorithm and an approximation algorithm for SRP. This is the first sound study of SRP. Our work is a tiny step towards solving an open problem proposed by Dadush-Regev-Stephens-Davidowitz (CCC '14) for tackling the closest vector problem with preprocessing, that is, whether there exists a basis for any -rank lattice such that
Isochronous Gaussian Sampling: From Inception to Implementation
Gaussian sampling over the integers is a crucial tool in lattice-based cryptography, but has proven over the recent years to be surprisingly challenging to perform in a generic, efficient and provably secure manner. In this work, we present a modular framework for generating discrete Gaussians with arbitrary center and standard deviation. Our framework is extremely simple, and it is precisely this simplicity that allowed us to make it easy to implement, provably secure, portable, efficient, and provably resistant against timing attacks. Our sampler is a good candidate for any trapdoor sampling and it is actually the one that has been recently implemented in the Falcon signature scheme. Our second contribution aims at systematizing the detection of implementation errors in Gaussian samplers. We provide a statistical testing suite for discrete Gaussians called SAGA (Statistically Acceptable GAussian). In a nutshell, our two contributions take a step towards trustworthy and robust real-world Gaussian sampling implementations.
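The abstract above names two things a practitioner has to get right: producing the discrete Gaussian distribution exactly, and checking an implementation statistically. The following is an added example, not code from the paper, from SAGA or from Falcon. It builds a plain cumulative distribution table (CDT) sampler for the discrete Gaussian over the integers and runs simple moment checks over its output, the kind of check a SAGA-style suite would include (the actual SAGA tests are the paper's; the tolerances here are my own). The table scan is deliberately not isochronous, so this is a reference sampler for testing, not for deployment. The "broken" sampler with its table cut at one standard deviation is a constructed implementation error.

```python
import math
import random
from typing import Dict, List, Tuple

# Added example (not code from the paper, SAGA or Falcon): a CDT sampler for the
# discrete Gaussian over Z and moment checks over its output. The linear scan in
# sample_cdt is NOT isochronous: its running time depends on the value drawn.


def discrete_gaussian_pmf(sigma: float, center: float = 0.0, tail: float = 12.0) -> Dict[int, float]:
    """Normalised weights exp(-(z-c)^2 / 2 sigma^2) for integers within tail*sigma of c.

    Mass beyond the cut is below exp(-tail^2 / 2), negligible for tail = 12.
    """
    lo = math.floor(center - tail * sigma)
    hi = math.ceil(center + tail * sigma)
    weights = {z: math.exp(-((z - center) ** 2) / (2.0 * sigma * sigma)) for z in range(lo, hi + 1)}
    total = sum(weights.values())
    return {z: w / total for z, w in weights.items()}


def build_cdt(pmf: Dict[int, float]) -> List[Tuple[int, float]]:
    """Cumulative table [(z, P[X <= z]), ...] in increasing z."""
    table: List[Tuple[int, float]] = []
    acc = 0.0
    for z in sorted(pmf):
        acc += pmf[z]
        table.append((z, acc))
    table[-1] = (table[-1][0], 1.0)  # absorb floating-point rounding at the top
    return table


def sample_cdt(cdt: List[Tuple[int, float]], rng: random.Random) -> int:
    """Inverse-transform sampling by a variable-time scan (reference use only)."""
    u = rng.random()
    for z, cum in cdt:
        if u < cum:
            return z
    return cdt[-1][0]


def moments(samples: List[int]) -> Tuple[float, float]:
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / n
    return mean, var


def saga_style_check(samples: List[int], sigma: float, center: float, n_se: float = 10.0) -> bool:
    """Accept iff sample mean and variance lie within n_se standard errors of the
    expected center and sigma^2 (standard errors: sigma/sqrt(n) and sigma^2*sqrt(2/n))."""
    n = len(samples)
    mean, var = moments(samples)
    mean_ok = abs(mean - center) <= n_se * sigma / math.sqrt(n)
    var_ok = abs(var - sigma * sigma) <= n_se * sigma * sigma * math.sqrt(2.0 / n)
    return mean_ok and var_ok


def run_demo(n: int = 20000, sigma: float = 3.0, seed: int = 1234) -> Tuple[bool, bool]:
    """Returns (check on correct sampler, check on constructed broken sampler)."""
    rng = random.Random(seed)  # fixed seed so the demo is reproducible
    good = build_cdt(discrete_gaussian_pmf(sigma))
    # Constructed bug: table cut at 1*sigma, the kind of error a test suite must catch.
    broken = build_cdt(discrete_gaussian_pmf(sigma, tail=1.0))
    good_ok = saga_style_check([sample_cdt(good, rng) for _ in range(n)], sigma, 0.0)
    broken_ok = saga_style_check([sample_cdt(broken, rng) for _ in range(n)], sigma, 0.0)
    return good_ok, broken_ok


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

The variance of the truncated sampler collapses to roughly a third of sigma^2, so the moment check rejects it; a correct sampler passes with margin, since ten standard errors is far outside normal fluctuation. Moment checks alone do not certify a sampler (they say nothing about timing, and a wrong shape with the right first two moments would pass), which is why a full suite also tests the distribution itself.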
Quadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices
A procedure for sampling lattice vectors is at the heart of many lattice constructions, and the algorithm of Klein (SODA 2000) and Gentry, Peikert, Vaikuntanathan (STOC 2008) is currently the one that produces the shortest vectors. But due to the fact that its most time-efficient (quadratic-time) variant requires the storage of the Gram-Schmidt basis, the asymptotic space requirements of this algorithm are the same for general and ideal lattices. The main result of the current work is a series of algorithms that ultimately lead to a sampling procedure producing the same outputs as the Klein/GPV one, but requiring only linear storage when working on lattices used in ideal-lattice cryptography. The reduced storage directly leads to a reduction in key sizes by a factor of Ω(d), and makes cryptographic constructions requiring lattice sampling much more suitable for practical applications. At the core of our improvements is a new, faster algorithm for computing the Gram-Schmidt orthogonalization of a set of vectors that are related via a linear isometry. In particular, for a linear isometry r : R^d → R^d which is computable in time O(d) and a d-dimensional vector b, our algorithm for computing the orthogonalization of (b, r(b), r^2(b), ..., r^{d-1}(b)) uses O(d^2) floating point operations. This is in contrast to O(d^3) such operations that are required by the standard Gram-Schmidt algorithm. This improvement is directly applicable to bases that appear in ideal-lattice cryptography because those bases exhibit such "isometric structure". The above-mentioned algorithm improves on a previous one of Gama, Howgrave-Graham, Nguyen (EUROCRYPT 2006) which used different techniques to achieve only a constant-factor speed-up for similar lattice bases. Interestingly, our present ideas can be combined with those from Gama et al. to achieve an even larger practical speed-up.
We next show how this new Gram-Schmidt algorithm can be applied towards lattice sampling in quadratic time using only linear space. The main idea is that rather than pre-computing and storing the Gram-Schmidt vectors, one can compute them "on-the-fly" while running th
Practical, Predictable Lattice Basis Reduction
Lattice reduction algorithms are notoriously hard to predict, both in terms of running time and output quality, which poses a major problem for cryptanalysis. While easy-to-analyze algorithms with good worst-case behavior exist, previous experimental evidence suggests that they are outperformed in practice by algorithms whose behavior is still not well understood, despite more than 30 years of intensive research. This has led to a situation where a rather complex simulation procedure seems to be the most common way to predict the result of their application to an instance. In this work we present new algorithmic ideas towards bridging this gap between theory and practice. We report on an extensive experimental study of several lattice reduction algorithms, both novel and from the literature, that shows that theoretical algorithms are in fact surprisingly practical and competitive. In light of our results we come to the conclusion that in order to predict lattice reduction, simulation is superfluous and can be replaced by a closed formula using weaker assumptions.
One key technique to achieving this goal is a novel algorithm to solve the Shortest Vector Problem (SVP) in the dual without computing the dual basis. Our algorithm enjoys the same practical efficiency as the corresponding primal algorithm and can be easily added to an existing implementation of it.
Computing a Lattice Basis Revisited
Reduction algorithms for the cryptanalysis of lattice based asymmetrical cryptosystems
Thesis (Master), Izmir Institute of Technology, Computer Engineering, Izmir, 2008. Includes bibliographical references (leaves: 79-91). Text in English; abstract in Turkish and English. xi, 119 leaves.
The theory of lattices has attracted a great deal of attention in cryptology in recent years. Several cryptosystems are constructed based on the hardness of lattice problems such as the shortest vector problem and the closest vector problem. The aim of this thesis is to study the most commonly used lattice basis reduction algorithms, namely the Lenstra-Lenstra-Lovász (LLL) and Block Korkine-Zolotarev (BKZ) algorithms, which are utilized to approximately solve the mentioned lattice problems. Furthermore, the most popular variants of these algorithms in practice are evaluated experimentally by varying the common reduction parameter delta in order to propose some practical assessments about the effect of this parameter on the process of basis reduction. These kinds of practical assessments are believed to have a non-negligible impact on the theory of lattice reduction, and so on the cryptanalysis of lattice cryptosystems, due to the fact that the contemporary nature of the reduction process is mainly controlled by heuristics.
Algebraic and Euclidean Lattices: Optimal Lattice Reduction and Beyond
We introduce a framework generalizing lattice reduction algorithms to module lattices in order to practically and efficiently solve the -Hermite Module-SVP problem over arbitrary cyclotomic fields. The core idea is to exploit the structure of the subfields for designing a doubly-recursive strategy of reduction: both recursive in the rank of the module and in the field we are working in. Besides, we demonstrate how to leverage the inherent symplectic geometry existing in the tower of fields to provide a significant speed-up of the reduction for rank two modules. The recursive strategy over the rank can also be applied to the reduction of Euclidean lattices, and we can perform a reduction in asymptotically almost the same time as matrix multiplication. As a byproduct of the design of these fast reductions, we also generalize to all cyclotomic fields and provide speedups for many previous number theoretical algorithms. Quantitatively, we show that a module of rank 2 over a cyclotomic field of degree can be heuristically reduced within approximation factor in time , where is the bitlength of the entries. For large enough, this complexity shrinks to . This last result is particularly striking as it goes below the estimate of swaps given by the classical analysis of the LLL algorithm using the so-called potential