Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing

Recently, it was shown that angular locality-sensitive hashing LSH can be used to significantly speed up lattice sieving, leading to a heuristic time complexity for solving the shortest vector problem SVP of $$2^{0.337n + on}$$20.337n+on and space complexity $$2^{0.208n + on}$$20.208n+on. We study the possibility of applying other LSH methods to sieving, and show that with the spherical LSH method of Andoni et al. we can heuristically solve SVP in time $$2^{0.298n + on}$$20.298n+on and space $$2^{0.208n + on}$$20.208n+on. We further show that a practical variant of the resulting SphereSieve is very similar to Wang et al.'s two-level sieve, with the key difference that we impose an order on the outer list of centers.

[1]  Thijs Laarhoven,et al.  Sieving for Shortest Vectors in Lattices Using Angular Locality-Sensitive Hashing , 2015, CRYPTO.

[2]  Michele Mosca,et al.  Finding shortest lattice vectors faster using quantum search , 2015, Designs, Codes and Cryptography.

[3]  Nicolas Gama,et al.  Lattice Enumeration Using Extreme Pruning , 2010, EUROCRYPT.

[4]  C. P. Schnorr,et al.  A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms , 1987, Theor. Comput. Sci..

[5]  Christian H. Bischof,et al.  Lock-Free GaussSieve for Linear Speedups in Parallel High Performance SVP Calculation , 2014, 2014 IEEE 26th International Symposium on Computer Architecture and High Performance Computing.

[6]  Moses Charikar,et al.  Similarity estimation techniques from rounding algorithms , 2002, STOC '02.

[7]  A. Joux,et al.  A sieve algorithm based on overlattices , 2014 .

[8]  Alexandr Andoni,et al.  Optimal Data-Dependent Hashing for Approximate Near Neighbors , 2015, STOC.

[9]  Phong Q. Nguyen,et al.  BKZ 2.0: Better Lattice Security Estimates , 2011, ASIACRYPT.

[10]  Christian H. Bischof,et al.  A Comprehensive Empirical Comparison of Parallel ListSieve and GaussSieve , 2014, Euro-Par Workshops.

[11]  Christian H. Bischof,et al.  Tuning GaussSieve for Speed , 2014, LATINCRYPT.

[12]  Ravi Kannan,et al.  Improved algorithms for integer programming and related lattice problems , 1983, STOC.

[13]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[14]  Chris Peikert,et al.  Better Key Sizes (and Attacks) for LWE-Based Encryption , 2011, CT-RSA.

[15]  Damien Stehlé,et al.  Algorithms for the Shortest and Closest Lattice Vector Problems , 2011, IWCC.

[16]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[17]  Tanja Lange,et al.  Post-quantum cryptography , 2008, Nature.

[18]  Claus-Peter Schnorr,et al.  Lattice basis reduction: Improved practical algorithms and solving subset sum problems , 1991, FCT.

[19]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[20]  Michael Schneider,et al.  A Parallel Implementation of GaussSieve for the Shortest Vector Problem in Lattices , 2011, PaCT.

[21]  Christian H. Bischof,et al.  Parallel (Probable) Lock-Free Hash Sieve: A Practical Sieving Algorithm for the SVP , 2015, 2015 44th International Conference on Parallel Processing.

[22]  Daniele Micciancio,et al.  Faster exponential time algorithms for the shortest vector problem , 2010, SODA '10.

[23]  Daniele Micciancio,et al.  A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations ( Extended Abstract ) , 2009 .

[24]  Daniel Dadush,et al.  Solving the Shortest Vector Problem in 2n Time Using Discrete Gaussian Sampling: Extended Abstract , 2014, STOC.

[25]  Nicole Immorlica,et al.  Locality-sensitive hashing scheme based on p-stable distributions , 2004, SCG '04.

[26]  Daniele Micciancio,et al.  Fast Lattice Point Enumeration with Minimal Overhead , 2015, SODA.

[27]  Piotr Indyk,et al.  Approximate nearest neighbors: towards removing the curse of dimensionality , 1998, STOC '98.

[28]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[29]  Nigel P. Smart,et al.  Estimating Key Sizes for High Dimensional Lattice-Based Systems , 2013, IMACC.

[30]  Alexandr Andoni,et al.  Beyond Locality-Sensitive Hashing , 2013, SODA.

[31]  Feng Zhang,et al.  A Three-Level Sieve Algorithm for the Shortest Vector Problem , 2013, IACR Cryptol. ePrint Arch..

[32]  Antoine Joux,et al.  Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search , 2015, IACR Cryptol. ePrint Arch..

[33]  Michael Schneider,et al.  Analysis of Gauss-Sieve for Solving the Shortest Vector Problem in Lattices , 2011, WALCOM.

[34]  Xiaoyun Wang,et al.  Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem , 2011, ASIACCS '11.

[35]  Daniele Micciancio,et al.  The shortest vector in a lattice is hard to approximate to within some constant , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[36]  Tsuyoshi Takagi,et al.  Parallel Gauss Sieve Algorithm: Solving the SVP Challenge over a 128-Dimensional Ideal Lattice , 2014, Public Key Cryptography.

[37]  Michael Schneider,et al.  Sieving for Shortest Vectors in Ideal Lattices , 2013, AFRICACRYPT.

[38]  U. Fincke,et al.  Improved methods for calculating vectors of short length in a lattice , 1985 .

[39]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[40]  Anja Becker,et al.  Efficient (Ideal) Lattice Sieving Using Cross-Polytope LSH , 2015, AFRICACRYPT.

[41]  Alexandr Andoni,et al.  Near-Optimal Hashing Algorithms for Approximate Nearest Neighbor in High Dimensions , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[42]  Michael E. Pohst,et al.  On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications , 1981, SIGS.

[43]  Michael Naehrig,et al.  Sieving for shortest vectors in ideal lattices: a practical perspective , 2017, Int. J. Appl. Cryptogr..

[44]  Miklós Ajtai,et al.  The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[45]  Damien Stehlé,et al.  Solving the Shortest Lattice Vector Problem in Time 22.465n , 2009, IACR Cryptol. ePrint Arch..

[46]  Phong Q. Nguyen,et al.  Sieve algorithms for the shortest vector problem are practical , 2008, J. Math. Cryptol..