8 research outputs found

    Improved Progressive BKZ with Lattice Sieving and a Two-Step Mode for Solving uSVP

    The unique Shortest Vector Problem (uSVP) is one of the core hard problems in lattice-based cryptography. In NIST PQC standardization (Kyber, Dilithium), leaky-LWE-Estimator is used to estimate the hardness of LWE-based cryptosystems by reducing LWE to uSVP and considers the primal attack using Progressive BKZ (ProBKZ). ProBKZ trivially increases blocksize β and lifts the shortest vector in the final BKZ block to find the unique shortest vector in the full lattice. In this paper, we show that a ProBKZ algorithm as above (we call it a BKZ-only mode) is not the best way to solve uSVP. So we present a two-step mode to solve it, where the ProBKZ algorithm is followed by a sieving algorithm with the dimension larger than the blocksize of BKZ. While instantiating our two-step mode with the sieving algorithm Pump and Pump-and-jump BKZ (PnjBKZ) presented in G6K, which are the state-of-art sieving and BKZ implementations, we show that our algorithm is not only better than the BKZ-only mode but also better than the heuristic uSVP solving algorithm in G6K. However, a ProBKZ with the heuristic parameter selection in leaky-LWE-Estimator or the optimized parameter selection in the literature (Yoshinori Aono et al. at Asiacrypt 2016), is insufficient in optimizing the efficiency of a two-step solving algorithm. To find the best parameters, we design a PnjBKZ simulator which allows the choice of value jump to be more than 1. Based on the newly designed simulator, we give a blocksize and jump strategy selection algorithm, which can achieve the best simulated efficiency in solving uSVP instances. Combining all the things above, we get a new lattice solving algorithm called Improved Progressive PnjBKZ (ProPnjBKZ for short). We test the efficiency of our ProPnjBKZ with the TU Darmstadt LWE Challenge. The experiment result shows that our ProPnjBKZ is 7.6∼12.9 times more efficient than the heuristic uSVP solving algorithm in G6K. 
Besides, we break the TU Darmstadt LWE Challenges with (n, α) ∈ {(40, 0.035), (40, 0.040), (50, 0.025), (55, 0.020), (90, 0.005)}. Finally, we give a newly refined security estimator of LWE. The evaluation results indicate that the concrete hardness of the lattice-based NIST candidate schemes from LWE primal attack will decrease by 1.9∼4.2 bits when using our optimized blocksize and jump selection strategy and two-step solving mode. In addition, when using the list-decoding technology proposed by MATZOV in 2022, it further decreased by 8∼10.7 bits

    Improved Pump and Jump BKZ by Sharp Simulator

    The General Sieve Kernel (G6K) implemented a variety of lattice reduction algorithms based on sieving algorithms. One of the representatives of these lattice reduction algorithms is the Pump and jump-BKZ (pnj-BKZ) algorithm, which is currently considered the fastest lattice reduction algorithm. The pnj-BKZ is a BKZ-type lattice reduction algorithm which includes the jump strategy, and uses Pump as the SVP Oracle. Here, Pump, which was also proposed in G6K, is an SVP solving algorithm that combines progressive sieve technology and dimforfree technology. However, unlike classical BKZ, there is no simulator for predicting the behavior of the pnj-BKZ algorithm when jump is greater than 1, which is helpful to find a better lattice reduction strategy. There are two main differences between pnj-BKZ and the classical BKZ algorithm: one is that after pnj-BKZ performs the SVP Oracle on a certain projected sublattice, it won't call the SVP Oracle for the next nearest projected sublattice. Instead, pnj-BKZ jumps to the corresponding projected sublattice after J indices to run the algorithm for solving the SVP. By using this jump technique, the number of times that the SVP algorithm needs to be called for each round of pnj-BKZ will be reduced to about 1/J times of the original. The second is that pnj-BKZ uses Pump as the SVP Oracle on the projected sublattice. Based on the BKZ2.0 simulator, we propose a pnj-BKZ simulator by using the properties of HKZ reduction basis. Experiments show that our proposed pnj-BKZ simulator can well predict the behavior of pnj-BKZ with jump greater than 1. Besides, we use this pnj-BKZ simulator to give the optimization strategy for choosing jump which can improve the reducing efficiency of pnj-BKZ. Our optimized pnj-BKZ is 2.9 and 2.6 times faster in solving TU LWE challenge (n=75, alpha=0.005) and TU LWE challenge (n=60, alpha=0.010) than G6K's default LWE solving strategy

    A Refined Hardness Estimation of LWE in Two-step Mode

    Recently, researchers have proposed many LWE estimators, such as lattice-estimator (Albrecht et al, Asiacrypt 2017) and leaky-LWE-Estimator (Dachman-Soled et al, Crypto 2020), while the latter has already been used in estimating the security level of Kyber and Dilithium using only BKZ. However, we prove in this paper that solving LWE by combining a lattice reduction step (by LLL or BKZ) and a target vector searching step (by enumeration or sieving), which we call a Two-step mode, is more efficient than using only BKZ. Moreover, we give a refined LWE estimator in Two-step mode by analyzing the relationship between the probability distribution of the target vector and the solving success rate in a Two-step mode LWE solving algorithm. While the latest Two-step estimator for LWE, which is the "primal-bdd" mode in lattice-estimator, does not take into account some up-to-date results and lacks a thorough theoretical analysis. Under the same gate-count model, our estimation for NIST PQC standards drops by 2.1∼3.4 bits (2.2∼4.6 bits while considering more flexible blocksize and jump strategy) compared with leaky-LWE-Estimator. Furthermore, we also give a conservative estimation for LWE from the Two-step solving algorithm. Compared with the Core-SVP model, which is used in previous conservative estimations, our estimation relies on weaker assumptions and outputs higher evaluation results than the Core-SVP model. For NIST PQC standards, our conservative estimation is 4.17∼8.11 bits higher than the Core-SVP estimation. Hence our estimator can give a closer estimation for both upper bound and lower bound of LWE hardness

    Precise Measurements of Branching Fractions for $D_s^+$ Meson Decays to Two Pseudoscalar Mesons

    We measure the branching fractions for seven $D_{s}^{+}$ two-body decays to pseudo-scalar mesons, by analyzing data collected at $\sqrt{s}=4.178\sim4.226$ GeV with the BESIII detector at the BEPCII collider. The branching fractions are determined to be $\mathcal{B}(D_s^+\to K^+\eta^{\prime})=(2.68\pm0.17\pm0.17\pm0.08)\times10^{-3}$, $\mathcal{B}(D_s^+\to\eta^{\prime}\pi^+)=(37.8\pm0.4\pm2.1\pm1.2)\times10^{-3}$, $\mathcal{B}(D_s^+\to K^+\eta)=(1.62\pm0.10\pm0.03\pm0.05)\times10^{-3}$, $\mathcal{B}(D_s^+\to\eta\pi^+)=(17.41\pm0.18\pm0.27\pm0.54)\times10^{-3}$, $\mathcal{B}(D_s^+\to K^+K_S^0)=(15.02\pm0.10\pm0.27\pm0.47)\times10^{-3}$, $\mathcal{B}(D_s^+\to K_S^0\pi^+)=(1.109\pm0.034\pm0.023\pm0.035)\times10^{-3}$, $\mathcal{B}(D_s^+\to K^+\pi^0)=(0.748\pm0.049\pm0.018\pm0.023)\times10^{-3}$, where the first uncertainties are statistical, the second are systematic, and the third are from external input branching fraction of the normalization mode $D_s^+\to K^+K^-\pi^+$. Precision of our measurements is significantly improved compared with that of the current world average values

    Evaluation of a Novel High-Efficiency SHS-EAH Multi-Stage DG-ADP Process for Cleaner Production of High-Quality Ferrovanadium Alloy

    A novel high-efficiency industrialized clean production technology based on multi-stage gradient batching and smelting was proposed for the production of high-quality ferrovanadium. The thermodynamic mechanism of aluminothermic reduction equilibrium, alloy settlement and raw material impurity distribution were confirmed, and a multi-stage double-gradient aluminum addition pattern (DG-ADP), the highly efficient separation of molten slag and alloy, and typical impurity control standards of raw materials were achieved on the basis of a self-propagating high-temperature synthesis with an electric auxiliary heating (SHS-EAH) process. The reduction efficiency, separation efficiency and the comprehensive utilization rate of the secondary resources were significantly improved, as the whole total vanadium (T.V) content in the industrially produced residue slag reduced from 2.34 wt.% to 0.60 wt.%, while the corresponding smelting yield increased from 93.7 wt.% to 98.7 wt.% and the aluminum consumption decreased from 510 kg·t⁻¹ to 400 kg·t⁻¹. The multi-stage DG-ADP process enabled the internal circulation of vanadium-bearing materials in the ferrovanadium smelting system, as well as the external circulation of iron and residue slag in the same system, and finally achieved the zero discharge of solid and liquid waste from the ferrovanadium production line, which provides a brand-new perspective for the cleaner production of ferrovanadium alloy