Parallel (Probable) Lock-Free Hash Sieve: A Practical Sieving Algorithm for the SVP

In this paper, we assess the practicability of Hash Sieve, a recently proposed sieving algorithm for the Shortest Vector Problem (SVP) on lattices, on multi-core shared-memory systems. To this end, we devised a parallel implementation that scales well and is based on a probable lock-free system to handle concurrency. The probable lock-free system is implemented with spin-locks, which are in turn implemented with CAS operations. It is likely to behave as a lock-free mechanism, since threads block only when strictly required, and chances are that they are not required to block. With our implementation, we were able to solve the SVP on an arbitrary lattice in dimension 96 in less than 17.5 hours, using 16 physical cores. The least squares fit of the execution times of our implementation, in seconds, lies between $2^{0.32n - 15}$ and $2^{0.33n - 16}$. These results are of paramount importance for the selection of parameters in lattice-based cryptography, as they indicate that sieving algorithms are far more practical for solving the SVP than previously believed.
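
The concurrency mechanism described in the abstract, sketched as an added Rust example that is not the paper's code: each hash bucket has its own spin-lock built on a CAS, so a thread waits only when another thread is inside the same bucket. The `Bucket`/`Table` layout, the modulo bucket choice and the integer inputs are assumptions standing in for the paper's lattice vectors and hash function.

```rust
use std::cell::UnsafeCell;
use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
use std::thread;

// One hash bucket guarded by a spin-lock built on CAS (hypothetical layout).
struct Bucket { locked: AtomicBool, items: UnsafeCell<Vec<u64>> }
// Sound to share: `items` is only touched while `locked` is held.
unsafe impl Sync for Bucket {}

struct Table {
    buckets: Vec<Bucket>,
    contended: AtomicUsize, // acquisitions whose first CAS failed
}

impl Table {
    fn new(n: usize) -> Self {
        let mk = |_: usize| Bucket { locked: AtomicBool::new(false), items: UnsafeCell::new(Vec::new()) };
        Table { buckets: (0..n).map(mk).collect(), contended: AtomicUsize::new(0) }
    }
    // Insert `v`; the thread spins only if another thread holds the same bucket.
    fn insert(&self, v: u64) {
        let b = &self.buckets[v as usize % self.buckets.len()];
        let mut counted = false;
        while b.locked.compare_exchange(false, true, Ordering::Acquire, Ordering::Relaxed).is_err() {
            if !counted { self.contended.fetch_add(1, Ordering::Relaxed); counted = true; }
            std::hint::spin_loop();
        }
        unsafe { (*b.items.get()).push(v) }; // critical section
        b.locked.store(false, Ordering::Release);
    }
    // Total stored items; `&mut self` proves no worker is still running.
    fn total(&mut self) -> usize {
        self.buckets.iter_mut().map(|b| b.items.get_mut().len()).sum()
    }
}

// Runs `threads` workers over constructed inputs.
// Returns (items stored, contended acquisitions).
fn run(threads: u64, per_thread: u64, buckets: usize) -> (usize, usize) {
    let mut table = Table::new(buckets);
    thread::scope(|s| {
        for id in 0..threads {
            let t = &table;
            s.spawn(move || (0..per_thread).for_each(|i| t.insert(id * per_thread + i)));
        }
    });
    (table.total(), table.contended.load(Ordering::Relaxed))
}

fn main() { println!("{:?}", run(4, 10_000, 1 << 12)); }
```

With many more buckets than threads, the second number printed (acquisitions that had to spin) stays small relative to the first, which is the sense in which such a scheme is "probably" lock-free.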
