Analyzing Blockwise Lattice Algorithms Using Dynamical Systems

Strong lattice reduction is the key element for most attacks against lattice-based cryptosystems. Between the strongest but impractical HKZ reduction and the weak but fast LLL reduction, there have been several attempts to find efficient trade-offs. Among them, the BKZ algorithm introduced by Schnorr and Euchner [FCT'91] seems to achieve the best time/quality compromise in practice. However, no reasonable complexity upper bound is known for BKZ, and Gama and Nguyen [Eurocrypt'08] observed experimentally that its practical runtime seems to grow exponentially with the lattice dimension. In this work, we show that BKZ can be terminated long before its completion, while still providing bases of excellent quality. More precisely, we show that if given as inputs a basis $(b_i)_{i \le n} \in \mathbb{Q}^{n \times n}$ of a lattice $L$ and a block-size $\beta$, and if terminated after $\Omega\left(\frac{n^3}{\beta^2}\left(\log n + \log\log \max_i \|b_i\|\right)\right)$ calls to a $\beta$-dimensional HKZ-reduction (or SVP) subroutine, then BKZ returns a basis whose first vector has norm $\le 2\,\nu_\beta^{\frac{n-1}{2(\beta-1)}+\frac{3}{2}} \cdot (\det L)^{1/n}$, where $\nu_\beta \le \beta$ is the maximum of Hermite's constants in dimensions $\le \beta$. To obtain this result, we develop a completely new elementary technique based on discrete-time affine dynamical systems, which could lead to the design of improved lattice reduction algorithms.
