Random Sampling Revisited: Lattice Enumeration with Discrete Pruning

In 2003, Schnorr introduced random sampling to find very short lattice vectors, as an alternative to enumeration. An improved variant has been used in the past few years by Kashiwabara et al. to solve the largest Darmstadt SVP challenges. However, the behaviour of random sampling and its variants is not well understood: all analyses so far rely on a questionable heuristic assumption, namely that the lattice vectors produced by some algorithm are uniformly distributed over certain parallelepipeds. In this paper, we introduce lattice enumeration with discrete pruning, which generalizes random sampling and its variants, and provides a novel geometric description based on partitions of the n-dimensional space. We obtain what is arguably the first sound analysis of random sampling, by showing how discrete pruning can be rigorously analyzed under the well-known Gaussian heuristic, in the same model as the Gama-Nguyen-Regev analysis of pruned enumeration from EUROCRYPT ’10, albeit using different tools: we show how to efficiently compute the volume of the intersection of a ball with a box, and to efficiently approximate a large sum of many such volumes, based on statistical inference. Furthermore, we show how to select good parameters for discrete pruning by enumerating integer points in an ellipsoid. Our analysis is backed up by experiments and makes it possible, for the first time, to reasonably estimate the success probability of random sampling and its variants, and to make comparisons with previous forms of pruned enumeration. Our work unifies random sampling and pruned enumeration and shows that they are complementary: they have different characteristics and offer different trade-offs to speed up enumeration.
