Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of...
Transcript of Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of...
![Page 1: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/1.jpg)
Progressive lattice sieving
Thijs Laarhoven and Artur Mariano
♠❛✐❧❅t❤✐❥s✳❝♦♠❤tt♣✿✴✴✇✇✇✳t❤✐❥s✳❝♦♠✴
PQCrypto 2018, Fort Lauderdale (FL), USA
(April 10, 2018)
![Page 2: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/2.jpg)
O
LatticesWhat is a lattice?
![Page 3: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/3.jpg)
O
b1
b2
LatticesWhat is a lattice?
![Page 4: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/4.jpg)
O
b1
b2
LatticesWhat is a lattice?
![Page 5: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/5.jpg)
O
b1
b2
s
LatticesShortest Vector Problem (SVP)
![Page 6: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/6.jpg)
O
b1
b2
s
-s
LatticesShortest Vector Problem (SVP)
![Page 7: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/7.jpg)
SVP hardnessTheory
Algorithm log2(Time) log2(Space)
Pro
ven
SV
P
Enumeration [Poh81, Kan83, . . . , MW15, AN17] O(n log n) O(log n)AKS-sieve [AKS01, NV08, MV10, HPS11] 3.398n 1.985nListSieve [MV10, MDB14] 3.199n 1.327nBirthday sieves [PS09, HPS11] 2.465n 1.233nEnumeration/DGS hybrid [CCL17] 2.048n 0.500nVoronoi cell algorithm [AEVZ02, MV10b] 2.000n 1.000nQuantum sieve [LMP13, LMP15] 1.799n 1.286nQuantum enum/DGS [CCL17] 1.256n 0.500nDiscrete Gaussian sampling [ADRS15, ADS15, AS18] 1.000n 1.000n
Heu
rist
icSV
P
The Nguyen–Vidick sieve [NV08] 0.415n 0.208nThe GaussSieve [MV10, . . . , IKMT14, BNvdP16, YKYC17] 0.415n 0.208nTriple sieve [BLS16, HK17] 0.396n 0.189nTwo-level sieve [WLTB11] 0.384n 0.256nThree-level sieve [ZPH13] 0.3778n 0.283nOverlattice sieve [BGJ14] 0.3774n 0.293nTriple sieve with NNS [HK17, HKL18] 0.359n 0.189nHyperplane LSH [Cha02, Laa15, . . . , LM18, Duc18] 0.337n 0.337nGraph-based NNS [EPY99, DCL11, MPLK14, Laa18] 0.327n 0.282nHypercube LSH [TT07, Laa17] 0.322n 0.322nQuantum sieve [LMP13, LMP15] 0.312n 0.208nMay–Ozerov NNS [MO15, BGJ15] 0.311n 0.311nSpherical LSH [AINR14, LdW15] 0.298n 0.298nCross-polytope LSH [TT07, AILRS15, BL16, KW17] 0.298n 0.298nSpherical LSF [BDGL16, MLB17, ALRW17, Chr17] 0.292n 0.292nQuantum NNS sieve [LMP15, Laa16] 0.265n 0.265n
![Page 8: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/8.jpg)
SVP hardnessPractice [SVP17]
■ ■■■■■ ■■■
■■
■■
■■ ■■■■■■ ■
■■■ ■■ ■
▼▼ ▼▼▼▼ ▼
▼▼▼▼▼
▼▼▼▼▼▼▼
★ ★★★★★
★★★
★★★
★★
★ ★★ ★ ★
■ Enumeration (continuous pruning)▼ Enumeration (discrete pruning)★ Sieving
80 100 120 140 160100
104
106
108
1010
→ Lattice dimension
→Singlecoretimings(seconds)
1 hour
1 day
1 year
1 century
![Page 9: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/9.jpg)
SVP hardnessNIST submissions
Title Si En Submitters
CRYSTALS–Dilithium • Lyubashevsky, Ducas, Kiltz, Lepoint, Schwabe, Seiler, StehléCRYSTALS–Kyber • Schwabe, Avanzi, Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, . . .Ding Key Exchange • Ding, Takagi, Gao, Wang(R.)EMBLEM • Seo, Park, Lee, Kim, LeeFALCON • Prest, Fouque, Hoffstein, Kirchner, Lyubashevsky, Pornin, Ricosset, . . .FrodoKEM • Naehrig, Alkim, Bos, Ducas, Easterbrook, LaMacchia, Longa, Mironov, . . .Giophantus • Akiyama, Goto, Okumura, Takagi, Nuida, Hanaoka, Shimizu, IkematsuHILA5 • SaarinenKCL • Zhao, Jin, Gong, SuiKINDI • El BansarkhaniLAC • Lu, Liu, Jia, Xue, He, ZhangLIMA • Smart, Albrecht, Lindell, Orsini, Osheter, Paterson, PeerLizard • Cheon, Park, Lee, Kim, Song, Hong, Kim, Kim, Hong, Yun, Kim, Park, . . .LOTUS • Phong, Hayashi, Aono, MoriaiNewHope • Pöppelmann, Alkim, Avanzi, Bos, Ducas, De La Piedra, Schwabe, StebilaNTRUEncrypt ◦ ◦ Zhang, Chen, Hoffstein, WhyteNTRU-HRSS-KEM • Schanck, Hülsing, Rijneveld, SchwabeNTRU Prime • Bernstein, Chuengsatiansup, Lange, Van VredendaalpqNTRUSign ◦ ◦ Zhang, Chen, Hoffstein, WhyteqTESLA • Bindel, Akleylek, Alkim, Barreto, Buchmann, Eaton, Gutoski, Krämer, . . .Round2 • Garcia-Morchon, Zhang, Bhattacharya, Rietman, Tolhuizen, Torre-ArceSABER • D’Anvers, Karmakar, Roy, VercauterenThree Bears • HamburgTitanium • Steinfeld, Sakzad, Zhao
Totals: 21 3 Total: 24 proposals estimate SVP hardness with sieving/enumeration
*Not included in this overview: Compact LWE, DRS, Mersenne, Odd Manhattan, Ramstake, . . .
![Page 10: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/10.jpg)
SVP hardnessOverview
Problem: How hard is SVP in high dimensions?
• Two main approaches: enumeration and sieving
◮ Enumeration: memory-efficient, asymptotically slow◮ Sieving: memory-intensive, asymptotically fast
• Theoretically (large n): sieving > enumeration
• Practically (small n): enumeration > sieving
• NIST submissions: (mostly) sieving
![Page 11: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/11.jpg)
SVP hardnessOverview
Problem: How hard is SVP in high dimensions?
• Two main approaches: enumeration and sieving
◮ Enumeration: memory-efficient, asymptotically slow◮ Sieving: memory-intensive, asymptotically fast
• Theoretically (large n): sieving > enumeration
• Practically (small n): enumeration > sieving
• NIST submissions: (mostly) sieving
Problem: Can sieving still be improved?
![Page 12: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/12.jpg)
SVP hardnessOverview
Problem: How hard is SVP in high dimensions?
• Two main approaches: enumeration and sieving
◮ Enumeration: memory-efficient, asymptotically slow◮ Sieving: memory-intensive, asymptotically fast
• Theoretically (large n): sieving > enumeration
• Practically (small n): enumeration > sieving
• NIST submissions: (mostly) sieving
Problem: Can sieving still be improved?
• Theoretically: Probably not... [BDGL16, ALRW17, HKL18]
![Page 13: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/13.jpg)
SVP hardnessOverview
Problem: How hard is SVP in high dimensions?
• Two main approaches: enumeration and sieving
◮ Enumeration: memory-efficient, asymptotically slow◮ Sieving: memory-intensive, asymptotically fast
• Theoretically (large n): sieving > enumeration
• Practically (small n): enumeration > sieving
• NIST submissions: (mostly) sieving
Problem: Can sieving still be improved?
• Theoretically: Probably not... [BDGL16, ALRW17, HKL18]
• Practically: Yes! (this work), [Duc18]
![Page 14: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/14.jpg)
O
GaussSieve1. Generate random lattice vectors
![Page 15: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/15.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
GaussSieve1. Generate random lattice vectors
![Page 16: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/16.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
GaussSieve2. Reduce the vectors with each other
![Page 17: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/17.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v1v1
GaussSieve2. Reduce the vectors with each other
![Page 18: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/18.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v1
v2v2
GaussSieve2. Reduce the vectors with each other
![Page 19: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/19.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v1
v2
v1
GaussSieve2. Reduce the vectors with each other
![Page 20: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/20.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10 v1
v2
v3
v3
GaussSieve2. Reduce the vectors with each other
![Page 21: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/21.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10 v1
v2
v3
v1v2
GaussSieve2. Reduce the vectors with each other
![Page 22: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/22.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v1v2
v3
v1
GaussSieve2. Reduce the vectors with each other
![Page 23: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/23.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3
v3
GaussSieve2. Reduce the vectors with each other
![Page 24: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/24.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3v4
v4
GaussSieve2. Reduce the vectors with each other
![Page 25: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/25.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3v5
v5
GaussSieve2. Reduce the vectors with each other
![Page 26: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/26.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3v6
v6
GaussSieve2. Reduce the vectors with each other
![Page 27: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/27.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3v7
v7
GaussSieve2. Reduce the vectors with each other
![Page 28: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/28.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3v8
v8GaussSieve2. Reduce the vectors with each other
![Page 29: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/29.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3v9
v9
GaussSieve2. Reduce the vectors with each other
![Page 30: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/30.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3v10
v10
GaussSieve2. Reduce the vectors with each other
![Page 31: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/31.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3
GaussSieve3. Search the list for a shortest vector
![Page 32: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/32.jpg)
O
v1
v2
v3
v4
v5
v6
v7
v8
v9
v10
v2
v3
v2
GaussSieve3. Search the list for a shortest vector
![Page 33: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/33.jpg)
O
b1
b2
ProGaussSieve1. Generate random vectors on sublattice
![Page 34: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/34.jpg)
O
b1
b2
ProGaussSieve1. Generate random vectors on sublattice
![Page 35: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/35.jpg)
O
ProGaussSieve1. Generate random vectors on sublattice
![Page 36: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/36.jpg)
O
v1
v2
v3
ProGaussSieve1. Generate random vectors on sublattice
![Page 37: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/37.jpg)
O
v1
v2
v3
ProGaussSieve2. Reduce the vectors with each other
![Page 38: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/38.jpg)
O
v1
v2
v3
v1v1
ProGaussSieve2. Reduce the vectors with each other
![Page 39: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/39.jpg)
O
v1
v2
v3
v1
v2v2
ProGaussSieve2. Reduce the vectors with each other
![Page 40: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/40.jpg)
O
v1
v2
v3
v1
v2
v1
ProGaussSieve2. Reduce the vectors with each other
![Page 41: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/41.jpg)
O
v1
v2
v3
v2
v3
v3
ProGaussSieve2. Reduce the vectors with each other
![Page 42: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/42.jpg)
O
v1
v2
v3
v2
ProGaussSieve2. Reduce the vectors with each other
![Page 43: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/43.jpg)
O
v2
ProGaussSieve2. Reduce the vectors with each other
![Page 44: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/44.jpg)
O
v0
ProGaussSieve3. Generate random vectors on full lattice
![Page 45: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/45.jpg)
O
v1
v2
v3
v4
v5
v0
ProGaussSieve3. Generate random vectors on full lattice
![Page 46: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/46.jpg)
O
v1
v2
v3
v4
v5
v0
ProGaussSieve4. Reduce the vectors with each other
![Page 47: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/47.jpg)
O
v1
v2
v3
v4
v5
v0
v1
v1
ProGaussSieve4. Reduce the vectors with each other
![Page 48: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/48.jpg)
O
v1
v2
v3
v4
v5
v0
v1
v2
v2
ProGaussSieve4. Reduce the vectors with each other
![Page 49: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/49.jpg)
O
v1
v2
v3
v4
v5
v0
v1
v2
v0
v1
ProGaussSieve4. Reduce the vectors with each other
![Page 50: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/50.jpg)
O
v1
v2
v3
v4
v5
v0
v1
v2
v1
ProGaussSieve4. Reduce the vectors with each other
![Page 51: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/51.jpg)
O
v1
v2
v3
v4
v5
v0
v2
v3v3
ProGaussSieve4. Reduce the vectors with each other
![Page 52: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/52.jpg)
O
v1
v2
v3
v4
v5
v0
v2
v4
v4
ProGaussSieve4. Reduce the vectors with each other
![Page 53: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/53.jpg)
O
v1
v2
v3
v4
v5
v0
v2
v5
v5
ProGaussSieve4. Reduce the vectors with each other
![Page 54: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/54.jpg)
O
v1
v2
v3
v4
v5
v0
v2
ProGaussSieve4. Reduce the vectors with each other
![Page 55: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/55.jpg)
Progressive sievingTime complexities
★ ★
★★★ ★★
★ ★★
★
●●
●●
●● ● ● ●
★★ ★
★★ ★
● ●● ● ●
● ●★ GaussSieve
● HashSieve★ ProGaussSieve
● ProHashSieve
40 50 60 70 800.1
1
10
100
1000
104
105
Dimension d
Time(seconds)
20.52d-22
20.45 d
-2020.49 d
-25
20.42 d
-22
![Page 56: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/56.jpg)
Progressive sievingExecution profiles (n= 70)
HashSieve
ProHashSieve
0 1 2 3 4 5 6 70
500
1000
1500
2000
2500
3000
Iteration (× 106)
Time(seconds)
HashSieve
ProHashSieve
0 1 2 3 4 5 6 70
20
40
60
80
Iteration (× 106)
Listsize(×1000)
![Page 57: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/57.jpg)
Progressive sievingExecution profiles (n= 70)
HashSieve
ProHashSieve
0 1 2 3 4 5 6 730
40
50
60
70
Iteration (× 106)
Latticerank
HashSieve
ProHashSieve
0 1 2 3 4 5 6 72000
2200
2400
2600
2800
3000
Iteration (× 106)
Normofshortestvector
![Page 58: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/58.jpg)
Progressive sievingEffects of basis reduction (n= 70)
Exact SVP ←− GaussSieve −→ ←− HashSieve −→
LLL BKZ-10 BKZ-30 LLL BKZ-10 BKZ-30
Standard sieving 19100 18100 16500 3300 3050 2900
Progressive sieving 595 440 390 165 125 115
Speedup factor 32× 41× 42× 20× 24× 25×
Approximate SVP ←− GaussSieve −→ ←− HashSieve −→
(γ= 1.1) LLL BKZ-10 BKZ-30 LLL BKZ-10 BKZ-30
Standard sieving 18500 17200 15600 3180 2960 2700
Progressive sieving 120 40 3 65 20 2
Speedup factor 150× 400× 5000× 50× 150× 1000×
![Page 59: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/59.jpg)
Conclusion
Progressive lattice sieving
• Uses recursive approach (rank reduction)
• Finds approximate solutions faster
• Benefits more from reduced bases
• Better predictability
• Faster, using slightly less memory
• No theoretical/asymptotic improvements...◮ Best classical time: (3/2)n/2+o(n)
≈ 20.292n+o(n)
◮ Best quantum time: (13/9)n/2+o(n)≈ 20.265n+o(n)
![Page 60: Progressive lattice sieving - Thijsthijs.com/docs/pqc18-slides.pdfProgressive sieving Effects of basis reduction (n =70)Exact SVP ←−GaussSieve −→ ←−HashSieve −→ LLL](https://reader035.fdocuments.us/reader035/viewer/2022071511/6130c4a11ecc515869444ec3/html5/thumbnails/60.jpg)
Questions?