Efficient (Ideal) Lattice Sieving Using Cross-Polytope LSH

Combining the efficient cross-polytope locality-sensitive hash family of Terasawa and Tanaka with the heuristic lattice sieve algorithm of Micciancio and Voulgaris, we show how to obtain heuristic and practical speedups for solving the shortest vector problem SVP on both arbitrary and ideal lattices. In both cases, the asymptotic time complexity for solving SVP in dimension n is $$2^{0.298n + on}$$. For any lattice, hashes can be computed in polynomial time, which makes our CPSieve algorithm much more practical than the SphereSieve of Laarhoven and de Weger, while the better asymptotic complexities imply that this algorithm will outperform the GaussSieve of Micciancio and Voulgaris and the HashSieve of Laarhoven in moderate dimensions as well. We performed tests to show this improvement in practice. For ideal lattices, by observing that the hash of a shifted vector is a shift of the hash value of the original vector and constructing rerandomization matrices which preserve this property, we obtain not only a linear decrease in the space complexity, but also a linear speedup of the overall algorithm. We demonstrate the practicability of our cross-polytope ideal lattice sieve ICPSieve by applying the algorithm to cyclotomic ideal lattices from the ideal SVP challenge and to lattices which appear in the cryptanalysis of NTRU.

[1]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[2]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[3]  Christian H. Bischof,et al.  A Comprehensive Empirical Comparison of Parallel ListSieve and GaussSieve , 2014, Euro-Par Workshops.

[4]  C. P. Schnorr,et al.  A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms , 1987, Theor. Comput. Sci..

[5]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[6]  A. Joux,et al.  A sieve algorithm based on overlattices , 2014 .

[7]  Alexandr Andoni,et al.  Optimal Data-Dependent Hashing for Approximate Near Neighbors , 2015, STOC.

[8]  Alexandr Andoni,et al.  Near-Optimal Hashing Algorithms for Approximate Nearest Neighbor in High Dimensions , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[9]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in lattices , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[10]  Alexandr Andoni,et al.  Practical and Optimal LSH for Angular Distance , 2015, NIPS.

[11]  Michael Naehrig,et al.  Sieving for shortest vectors in ideal lattices: a practical perspective , 2017, Int. J. Appl. Cryptogr..

[12]  Christian H. Bischof,et al.  Lock-Free GaussSieve for Linear Speedups in Parallel High Performance SVP Calculation , 2014, 2014 IEEE 26th International Symposium on Computer Architecture and High Performance Computing.

[13]  Miklós Ajtai,et al.  The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[14]  Damien Stehlé,et al.  Solving the Shortest Lattice Vector Problem in Time 22.465n , 2009, IACR Cryptol. ePrint Arch..

[15]  Moses Charikar,et al.  Similarity estimation techniques from rounding algorithms , 2002, STOC '02.

[16]  Thijs Laarhoven,et al.  Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing , 2015, LATINCRYPT.

[17]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[18]  Alexandr Andoni,et al.  Beyond Locality-Sensitive Hashing , 2013, SODA.

[19]  Tsuyoshi Takagi,et al.  Parallel Gauss Sieve Algorithm: Solving the SVP Challenge over a 128-Dimensional Ideal Lattice , 2014, Public Key Cryptography.

[20]  Nicolas Gama,et al.  Predicting Lattice Reduction , 2008, EUROCRYPT.

[21]  Zhe Wang,et al.  Multi-Probe LSH: Efficient Indexing for High-Dimensional Similarity Search , 2007, VLDB.

[22]  Feng Zhang,et al.  A Three-Level Sieve Algorithm for the Shortest Vector Problem , 2013, IACR Cryptol. ePrint Arch..

[23]  Damien Stehlé,et al.  Algorithms for the Shortest and Closest Lattice Vector Problems , 2011, IWCC.

[24]  Michael Schneider,et al.  Sieving for Shortest Vectors in Ideal Lattices , 2013, AFRICACRYPT.

[25]  U. Fincke,et al.  Improved methods for calculating vectors of short length in a lattice , 1985 .

[26]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[27]  Daniele Micciancio,et al.  Faster exponential time algorithms for the shortest vector problem , 2010, SODA '10.

[28]  Daniel Dadush,et al.  Solving the Shortest Vector Problem in 2n Time Using Discrete Gaussian Sampling: Extended Abstract , 2014, STOC.

[29]  Chris Peikert,et al.  Better Key Sizes (and Attacks) for LWE-Based Encryption , 2011, CT-RSA.

[30]  Christian H. Bischof,et al.  Tuning GaussSieve for Speed , 2014, LATINCRYPT.

[31]  Ravi Kannan,et al.  Improved algorithms for integer programming and related lattice problems , 1983, STOC.

[32]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.

[33]  Michael E. Pohst,et al.  On the computation of lattice vectors of minimal length, successive minima and reduced bases with applications , 1981, SIGS.

[34]  Claus-Peter Schnorr,et al.  Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems , 1991, FCT.

[35]  Dimitris Achlioptas,et al.  Database-friendly random projections , 2001, PODS.

[36]  Anja Becker,et al.  New directions in nearest neighbor searching with applications to lattice sieving , 2016, IACR Cryptol. ePrint Arch..

[37]  Nigel P. Smart,et al.  Estimating Key Sizes for High Dimensional Lattice-Based Systems , 2013, IMACC.

[38]  Christian H. Bischof,et al.  Parallel (Probable) Lock-Free Hash Sieve: A Practical Sieving Algorithm for the SVP , 2015, 2015 44th International Conference on Parallel Processing.

[39]  Joseph H. Silverman,et al.  NSS: An NTRU Lattice-Based Signature Scheme , 2001, EUROCRYPT.

[40]  Nicole Immorlica,et al.  Locality-sensitive hashing scheme based on p-stable distributions , 2004, SCG '04.

[41]  Daniele Micciancio,et al.  A Deterministic Single Exponential Time Algorithm for Most Lattice Problems Based on Voronoi Cell Computations , 2013, SIAM J. Comput..

[42]  Daniele Micciancio,et al.  Fast Lattice Point Enumeration with Minimal Overhead , 2015, SODA.

[43]  Piotr Indyk,et al.  Approximate nearest neighbors: towards removing the curse of dimensionality , 1998, STOC '98.

[44]  Kenneth Ward Church,et al.  Very sparse random projections , 2006, KDD '06.

[45]  Michael Schneider,et al.  A Parallel Implementation of GaussSieve for the Shortest Vector Problem in Lattices , 2011, PaCT.

[46]  Michael Schneider,et al.  Analysis of Gauss-Sieve for Solving the Shortest Vector Problem in Lattices , 2011, WALCOM.

[47]  Xiaoyun Wang,et al.  Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem , 2011, ASIACCS '11.

[48]  Rina Panigrahy,et al.  Entropy based nearest neighbor search in high dimensions , 2005, SODA '06.

[49]  Phong Q. Nguyen,et al.  Sieve algorithms for the shortest vector problem are practical , 2008, J. Math. Cryptol..

[50]  Tanja Lange,et al.  Post-quantum cryptography , 2008, Nature.

[51]  Tanaka Yuzuru,et al.  Spherical LSH for Approximate Nearest Neighbor Search on Unit Hypersphere , 2007 .

[52]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[53]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[54]  Craig Gentry,et al.  Candidate Multilinear Maps from Ideal Lattices , 2013, EUROCRYPT.

[55]  Nicolas Gama,et al.  Lattice Enumeration Using Extreme Pruning , 2010, EUROCRYPT.

[56]  N. J. A. Sloane,et al.  Sphere Packings, Lattices and Groups , 1987, Grundlehren der mathematischen Wissenschaften.

[57]  Ron Steinfeld,et al.  Making NTRU as Secure as Worst-Case Problems over Ideal Lattices , 2011, EUROCRYPT.

[58]  Gene H. Golub,et al.  Matrix computations , 1983 .

[59]  Thijs Laarhoven,et al.  Sieving for Shortest Vectors in Lattices Using Angular Locality-Sensitive Hashing , 2015, CRYPTO.

[60]  Christian H. Bischof,et al.  A Parallel Variant of LDSieve for the SVP on Lattices , 2017, 2017 25th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP).