Shortest Vector from Lattice Sieving: A Few Dimensions for Free

Ducas, Léo

doi:10.1007/978-3-319-78381-9_5

Cited by 78 publications

(85 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For finding optimal solutions in the entire search space, some methods in EA have proposed a progressive approach, where initially only a subset of the constraints (search space) is studied to find local solutions, before expanding to a wider search space and finding global solutions (Coello et al, ). Similar ideas have recently been explored in the context of lattice sieving (Laarhoven and Mariano, 2018;Ducas, 2018), starting to sieve in a sublattice of the original lattice before widening the search space. This heuristically and practically accelerates the time until convergence.…”

Section: Past Sieving Techniquesmentioning

confidence: 98%

Evolutionary Techniques in Lattice Sieving Algorithms

Laarhoven

2019

Proceedings of the 11th International Joint Conference on Computational Intelligence

View full text Add to dashboard Cite

Lattice-based cryptography has recently emerged as a prominent candidate for secure communication in the quantum age. Its security relies on the hardness of certain lattice problems, and the inability of known lattice algorithms, such as lattice sieving, to solve these problems efficiently. In this paper we investigate the similarities between lattice sieving and evolutionary algorithms, how various improvements to lattice sieving can be viewed as applications of known techniques from evolutionary computation, and how other evolutionary techniques can benefit lattice sieving in practice.

show abstract

Section: Past Sieving Techniquesmentioning

confidence: 98%

Evolutionary Techniques in Lattice Sieving Algorithms

Laarhoven

2019

Proceedings of the 11th International Joint Conference on Computational Intelligence

View full text Add to dashboard Cite

show abstract

“…The standard reference for estimating the cost enumeration is [10], which gives a cost of 2 0.270β ln β−1.019β+16.10 [3,9] clockcycles. Alternatively, the Gauss-Sieve algorithm [22] with dimension for free and other tricks showed a running time of 2 0.396β+8.4 clock cycles [11]. Those two methods lead respectively to estimates of 2 78 and 2 80 clock-cycles to recover one secret row.…”

Section: Direct Bdd-usvp Attackmentioning

confidence: 99%

Learning Strikes Again: The Case of the DRS Signature Scheme

Ducas

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Lattice signature schemes generally require particular care when it comes to preventing secret information from leaking through signature transcript. For example, the Goldreich-Goldwasser-Halevi (GGH) signature scheme and the NTRUSign scheme were completely broken by the parallelepiped-learning attack of Nguyen and Regev (Eurocrypt 2006). Several heuristic countermeasures were also shown vulnerable to similar statistical attacks.At PKC 2008, Plantard, Susilo and Win proposed a new variant of GGH, informally arguing resistance to such attacks. Based on this variant, Plantard, Sipasseuth, Dumondelle and Susilo proposed a concrete signature scheme, called DRS, that has been accepted in the round 1 of the NIST post-quantum cryptography project.In this work, we propose yet another statistical attack and demonstrate a weakness of the DRS scheme: one can recover some partial information of the secret key from sufficiently many signatures. One difficulty is that, due to the DRS reduction algorithm, the relation between the statistical leak and the secret seems more intricate. We work around this difficulty by training a statistical model, using a few features that we designed according to a simple heuristic analysis.While we only recover partial information on the secret key, this information is easily exploited by lattice attacks, significantly decreasing their complexity. Concretely, we claim that, provided that 100 000 signatures are available, the secret key may be recovered using BKZ-138 for the first set of DRS parameters submitted to the NIST. This puts the security level of this parameter set below 80-bits (maybe even 70-bits), to be compared to an original claim of 128-bits.

show abstract

“…Our sieving performance is enabled by building on, generalising and extending previous works. In particular, the landscape of enumeration and sieving started to change recently with [Duc18a,LM18]. For example, [Duc18a] speculated that the crossover point, for solving SVP, between the SubSieve proposed there and pruned enumeration would be around d = 90 if combined with faster sieving than [MV10b].…”

Section: Introductionmentioning

confidence: 99%

“…In particular, the landscape of enumeration and sieving started to change recently with [Duc18a,LM18]. For example, [Duc18a] speculated that the crossover point, for solving SVP, between the SubSieve proposed there and pruned enumeration would be around d = 90 if combined with faster sieving than [MV10b]. A key ingredient for this performance gain was the realisation of several "dimensions for free" by utilising heavy preprocessing and Babai lifting (or size reduction) in said free dimensions.…”

Section: Introductionmentioning

confidence: 99%

“…In other words, we may consider these improvements as applying lessons learnt from enumeration to sieving algorithms. It is worth recalling here that the fastest enumeration algorithm relies on the input basis being quasi-HKZ reduced [Kan83], but prior to [Duc18a,LM18] sieving was largely oblivious to the quality of the input basis. Furthermore, both [Duc18a,LM18] suggest exploiting the fact that sieving algorithms hold a database of many short vectors, for example by recycling them in future sieving steps.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The General Sieve Kernel and New Records in Lattice Reduction

Albrecht

Ducas

Herold

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We propose the General Sieve Kernel (G6K, pronounced /Ze.si.ka/), an abstract stateful machine supporting a wide variety of lattice reduction strategies based on sieving algorithms. Using the basic instruction set of this abstract stateful machine, we first give concise formulations of previous sieving strategies from the literature and then propose new ones. We then also give a light variant of BKZ exploiting the features of our abstract stateful machine. This encapsulates several recent suggestions (Ducas at Eurocrypt 2018; Laarhoven and Mariano at PQCrypto 2018) to move beyond treating sieving as a blackbox SVP oracle and to utilise strong lattice reduction as preprocessing for sieving. Furthermore, we propose new tricks to minimise the sieving computation required for a given reduction quality with mechanisms such as recycling vectors between sieves, on-the-fly lifting and flexible insertions akin to Deep LLL and recent variants of Random Sampling Reduction. Moreover, we provide a highly optimised, multi-threaded and tweakable implementation of this machine which we make open-source. We then illustrate the performance of this implementation of our sieving strategies by applying G6K to various lattice challenges. In particular, our approach allows us to solve previously unsolved instances of the Darmstadt SVP (151, 153, 155) and LWE (e.g. (75, 0.005)) challenges. Our solution for the SVP-151 challenge was found 400 times faster than the time reported for the SVP-150 challenge, the previous record. For exact SVP, we observe a performance crossover between G6K and FPLLL's state of the art implementation of enumeration at dimension 70.

show abstract

Shortest Vector from Lattice Sieving: A Few Dimensions for Free

Cited by 78 publications

References 36 publications

Evolutionary Techniques in Lattice Sieving Algorithms

Evolutionary Techniques in Lattice Sieving Algorithms

Learning Strikes Again: The Case of the DRS Signature Scheme

The General Sieve Kernel and New Records in Lattice Reduction

Contact Info

Product

Resources

About