A sieve algorithm based on overlattices

In this paper, we present a heuristic algorithm for solving exact, as well as approximate, shortest vector and closest vector problems on lattices. The algorithm can be seen as a modified sieving algorithm for which the vectors of the intermediate sets lie in overlattices or translated cosets of overlattices. The key idea is hence no longer to work with a single lattice but to move the problems around in a tower of related lattices. We initiate the algorithm by sampling very short vectors in an overlattice of the original lattice that admits a quasi-orthonormal basis and hence an efficient enumeration of vectors of bounded norm. Taking sums of vectors in the sample, we construct short vectors in the next lattice. Finally, we obtain solution vector(s) in the initial lattice as a sum of vectors of an overlattice. The complexity analysis relies on the Gaussian heuristic. This heuristic is backed by experiments in low and high dimensions that closely reflect these estimates when solving hard lattice problems in the average case. This new approach allows us to solve not only shortest vector problems, but also closest vector problems, in lattices of dimension $n$ in time $2^{0.3774n}$ using memory $2^{0.2925n}$. Moreover, the algorithm is straightforward to parallelize on most computer architectures.
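The mechanism the abstract describes (sample very short vectors in an overlattice that has an orthonormal basis, then take sums and differences of vectors lying in the same coset so that the results fall into the next smaller lattice, down to the original one) can be followed on a tiny instance. The script below is an added illustration, not the authors' code: its tower is a chain of index-2 sublattices of Z^n cut out by parity constraints <a_i, x> = 0 (mod 2), and its radius schedule and list cap are chosen for the toy, whereas the paper's tower construction, radii and list sizes are what give the stated 2^{0.3774n} time bound. The constraint vectors, radii and brute-force check are constructed here for the example.

```python
"""Toy sieve over a tower of overlattices (constructed illustration, not the
paper's implementation).

Tower assumed here: Z^n = L_k > L_{k-1} > ... > L_0 = L, where
    L_{i-1} = { x in L_i : <a_i, x> = 0 mod 2 }
for chosen vectors a_i. Z^n has an orthonormal basis, so sampling all of
its vectors of bounded norm is a plain coordinate search; every lower level
is built only from sums and differences of vectors one level up that lie in
the same coset of the index-2 sublattice."""
from itertools import combinations


def norm2(v):
    return sum(c * c for c in v)


def dot(a, v):
    return sum(x * y for x, y in zip(a, v))


def enumerate_short_vectors(n, r2):
    """All nonzero x in Z^n with ||x||^2 <= r2 (the top-level sample)."""
    out, bound = [], int(r2 ** 0.5)

    def rec(prefix, remaining):
        if len(prefix) == n:
            if any(prefix):              # drop the zero vector
                out.append(tuple(prefix))
            return
        for c in range(-bound, bound + 1):
            if c * c <= remaining:
                rec(prefix + [c], remaining - c * c)

    rec([], r2)
    return out


def sieve_down_one_level(vectors, a, r2, max_size):
    """From vectors of L_i, build vectors of L_{i-1} = {x in L_i : <a,x> even}
    with squared norm <= r2 as x+y and x-y for x, y in the same coset.
    For an index-2 step, same coset means both x-y and x+y lie in L_{i-1}.
    The zero vector is placed in the trivial coset so that vectors that
    already lie in L_{i-1} are carried down unchanged."""
    n = len(a)
    cosets = {0: [tuple([0] * n)], 1: []}
    for v in vectors:
        cosets[dot(a, v) % 2].append(v)
    found = set()
    for bucket in cosets.values():
        for x, y in combinations(bucket, 2):
            for s in (tuple(p + q for p, q in zip(x, y)),
                      tuple(p - q for p, q in zip(x, y))):
                m = norm2(s)
                if 0 < m <= r2:
                    assert dot(a, s) % 2 == 0   # sanity: s really is in L_{i-1}
                    found.add(s)
    # Bounded-size list: keep the shortest candidates only.
    return sorted(found, key=norm2)[:max_size]


def overlattice_sieve(n, constraints, radii2, max_size=5000):
    """constraints = [a_1, ..., a_k]; radii2[i] is the squared radius at level i.
    Walks from level k (Z^n) down to level 0 (the target lattice L).
    Returns (shortest vector found, final list, list size per level)."""
    k = len(constraints)
    assert len(radii2) == k + 1
    vectors = enumerate_short_vectors(n, radii2[k])
    sizes = [len(vectors)]
    for i in range(k, 0, -1):
        vectors = sieve_down_one_level(vectors, constraints[i - 1],
                                       radii2[i - 1], max_size)
        sizes.append(len(vectors))
    best = min(vectors, key=norm2) if vectors else None
    return best, vectors, sizes


def in_lattice(v, constraints):
    return all(dot(a, v) % 2 == 0 for a in constraints)


def brute_force_lambda1_sq(n, constraints, r2):
    """Reference answer for the toy: min ||x||^2 over nonzero x in L, ||x||^2 <= r2."""
    norms = [norm2(v) for v in enumerate_short_vectors(n, r2)
             if in_lattice(v, constraints)]
    return min(norms) if norms else None


# Constructed instance: n = 5 and three independent parity constraints, so [Z^5 : L] = 8.
N = 5
CONSTRAINTS = [(1, 1, 1, 0, 0), (0, 1, 1, 1, 0), (0, 0, 1, 1, 1)]
RADII2 = [3, 3, 2, 1]     # levels 0..3; the top level samples only the unit vectors

if __name__ == "__main__":
    best, final, sizes = overlattice_sieve(N, CONSTRAINTS, RADII2)
    print("list sizes per level (Z^n -> L):", sizes)
    print("shortest vector found:", best, "squared norm", norm2(best))
    print("brute-force lambda_1^2:", brute_force_lambda1_sq(N, CONSTRAINTS, 3))
```

On this instance the top level holds the 10 unit vectors, and the lists at the lower levels grow to 20 and 30 before shrinking to 16 vectors of L, all of squared norm 3, which matches the brute-force minimum. The step that makes this a sieve in overlattices rather than in L itself is the coset bucketing in `sieve_down_one_level`: only pairs in the same coset are combined, because those are exactly the pairs whose sum and difference land one lattice further down the tower.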
