Computing shortest lattice vectors on special hardware

The shortest vector problem (SVP) in lattices is related to problems in combinatorial optimization, algorithmic number theory, communication theory, and cryptography. In 1996, Ajtai published his breakthrough idea of how to create lattice-based one-way functions based on the worst-case hardness of an approximate version of SVP. Worst-case hardness is one of the outstanding properties of all modern lattice-based cryptographic schemes. Furthermore, no sub-exponential time algorithms are known for solving SVP, even on potential, strong quantum computers. These facts distinguish the shortest vector problem as a good basis for modern cryptography. In order to theoretically assess the security of lattice-based cryptosystems, knowledge of the asymptotic runtime of SVP solvers is an important issue. For the selection of practical parameters, however, the average-case behaviour of these algorithms is at least as important. SVP solvers are applied as a subroutine in so-called lattice basis reduction algorithms, which form the cornerstone of the fastest attacks on lattice-based cryptosystems. Therefore, improving SVP algorithms directly affects the fastest practical attacks on lattice-based cryptosystems. Building on existing serial SVP algorithms, this thesis presents multiple approaches towards estimating the practical hardness of the shortest vector problem. We employ various kinds of special hardware, ranging from multicore CPUs and graphics cards to “supercomputers” and compute clouds. We develop parallel algorithms and assess their practical running times and scalability. Among others, we present our parallel version of the Extreme Pruning Enumeration algorithm, the currently fastest SVP solver available worldwide. Our implementation set the current records in the SVP challenge, the most widely used public SVP solver competition. The influence of our work on the security of lattice-based cryptosystems is twofold. First, we help assess the strength of the worst-case problems that form the theoretical foundation of lattice-based cryptography. Second, we show how to improve the fastest practical attacks on these systems in the average case. As a further result, we present a variant of the sieving algorithm that solves the shortest vector problem in ideal lattices. Ideal lattices are the most important type of lattices in cryptography. Our algorithm is the first to exploit their special structure, allowing us to find shortest vectors faster than in regular lattices.