Results 1 - 10 of 32
Better key sizes (and attacks) for LWE-based encryption
In CT-RSA, 2011
Cited by 68 (7 self)
We analyze the concrete security and key sizes of theoretically sound lattice-based encryption schemes based on the “learning with errors” (LWE) problem. Our main contributions are: (1) a new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff, which performs better than the simple distinguishing attack considered in prior analyses; (2) concrete parameters and security estimates for an LWE-based cryptosystem that is more compact and efficient than the well-known schemes from the literature. Our new key sizes are up to 10 times smaller than prior examples, while providing even stronger concrete security levels.
A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations (Extended Abstract)
2009
Cited by 62 (3 self)
We give deterministic $2^{O(n)}$-time algorithms to solve all the most important computational problems on point lattices in NP, including the Shortest Vector Problem (SVP), Closest Vector Problem (CVP), and Shortest Independent Vectors Problem (SIVP). This improves the $n^{O(n)}$ running time of the best previously known algorithms for CVP (Kannan, Math. Operation Research 12(3):415-440, 1987) and SIVP (Micciancio, Proc. of SODA, 2008), and gives a deterministic alternative to the $2^{O(n)}$-time (and space) randomized algorithm for SVP of (Ajtai, Kumar and Sivakumar, STOC 2001). The core of our algorithm is a new method to solve the closest vector problem with preprocessing (CVPP) that uses the Voronoi cell of the lattice (described as intersection of half-spaces) as the result of the preprocessing function. In the process, we also give algorithms for several other lattice problems, including computing the kissing number of a lattice, and computing the set of all Voronoi relevant vectors. All our algorithms are deterministic, and have $2^{O(n)}$ time and space complexity.
Algorithms for the shortest and closest lattice vector problems
In Yeow Meng Chee, Zhenbo Guo, San Ling, Fengjing Shao, Yuansheng Tang, Huaxiong Wang, and Chaoping Xing, editors, IWCC, volume 6639 of Lecture Notes in Computer Science
Cited by 23 (0 self)
Abstract. We present the state of the art solvers of the Shortest and Closest Lattice Vector Problems in the Euclidean norm. We recall the three main families of algorithms for these problems, namely the algorithm by Micciancio and Voulgaris based on the Voronoi cell [STOC’10], the Monte-Carlo algorithms derived from the Ajtai, Kumar and Sivakumar algorithm [STOC’01] and the enumeration algorithms originally elaborated by Kannan [STOC’83] and Fincke and Pohst [EUROCAL’83]. We concentrate on the theoretical worst-case complexity bounds, but also consider some practical facets of these algorithms.
Solving the Shortest Lattice Vector Problem in Time $2^{2.465n}$
Cited by 20 (3 self)
Abstract. The Shortest lattice Vector Problem is central in lattice-based cryptography, as well as in many areas of computational mathematics and computer science, such as computational number theory and combinatorial optimisation. We present an algorithm for solving it in time $2^{2.465n+o(n)}$ and space $2^{1.233n+o(n)}$, where n is the lattice dimension. This improves the best previously known algorithm, by Micciancio and Voulgaris [SODA 2010], which runs in time $2^{3.199n+o(n)}$ and space $2^{1.325n+o(n)}$.
Improved Nguyen-Vidick heuristic sieve algorithm for shortest vector problem
In Proceedings of ASIACCS ’11, 2011
Cited by 14 (1 self)
Abstract. In this paper, we present an improvement of the Nguyen-Vidick heuristic sieve algorithm for shortest vector problem in general lattices, which time complexity is $2^{0.3836n}$ polynomial computations, and space complexity is $2^{0.2557n}$. In the new algorithm, we introduce a new sieve technique with two-level instead of the previous one-level sieve, and complete the complexity estimation by calculating the irregular spherical cap covering.
Parallel Shortest Lattice Vector Enumeration on Graphics Cards
2010
Cited by 7 (3 self)
In this paper we present an algorithm for parallel exhaustive search for short vectors in lattices. This algorithm can be applied to a wide range of parallel computing systems. To illustrate the algorithm, it was implemented on graphics cards using CUDA, a programming framework for NVIDIA graphics cards. We gain large speedups compared to previous serial CPU implementations. Our implementation is almost 5 times faster in high lattice dimensions. Exhaustive search is one of the main building blocks for lattice basis reduction in cryptanalysis. Our work results in an advance in practical lattice reduction.
Parallel Gauss Sieve Algorithm: Solving the SVP in the Ideal Lattice of 128 dimensions
Cited by 7 (0 self)
Abstract. In this paper, we report that we have solved the shortest vector problem (SVP) over a 128-dimensional lattice, which is currently the highest dimension of the SVP that has ever been solved. The security of lattice-based cryptography is based on the hardness of solving the SVP in lattices. In 2010 Micciancio et al. proposed a Gauss Sieve algorithm for heuristically solving the SVP using list L of Gauss-reduced vectors. Milde et al. proposed a parallel implementation method for the Gauss Sieve algorithm. However, the efficiency of more than 10 threads in their implementation decreases due to a large number of non-Gauss-reduced vectors appearing in the distributed list of each thread. In this paper, we propose a more practical parallelized Gauss Sieve algorithm. Our algorithm deploys an additional Gauss-reduced list V of sample vectors assigned to each thread, and all vectors in list L remain Gauss-reduced by mutually reducing them using all sample vectors in V. Therefore, our algorithm enables the Gauss Sieve algorithm to run without excessive overhead even in a large-scale parallel computation of more than 1,000 threads. Moreover, for speedup, we use the bidirectional rotation structure of an ideal lattice that makes the generation of additional vectors in the list with almost no additional overhead. Finally, we have succeeded in solving the SVP over a 128-dimensional ideal lattice generated by cyclotomic polynomial $x^{128} + 1$ using about 30,000 CPU hours.
Accelerating lattice reduction with FPGAs
IN PROCEEDINGS OF THE FIRST INTERNATIONAL CONFERENCE ON PROGRESS IN CRYPTOLOGY: CRYPTOLOGY AND INFORMATION SECURITY IN LATIN, 2010
Cited by 6 (2 self)
We describe an FPGA accelerator for the Kannan–Fincke–Pohst enumeration algorithm (KFP) solving the Shortest Lattice Vector Problem (SVP). This is the first FPGA implementation of KFP specifically targeting cryptographically relevant dimensions. In order to optimize this implementation, we theoretically and experimentally study several facets of KFP, including its efficient parallelization and its underlying arithmetic. Our FPGA accelerator can be used for both solving standalone instances of SVP (within a hybrid CPU–FPGA compound) or myriads of smaller dimensional SVP instances arising in a BKZ-type algorithm. For devices of comparable costs, our FPGA implementation is faster than a multicore CPU implementation by a factor around 2.12.
Lock-free GaussSieve for linear speedups in parallel high performance SVP calculation
In: SBAC-PAD, 2014
Cited by 6 (1 self)
Lattice-based cryptography became a hot topic in the past years because it seems to be quantum immune, i.e., resistant to attacks operated with quantum computers. The security of lattice-based cryptosystems is determined by the hardness of certain lattice problems, such as the Shortest Vector Problem (SVP). Thus, it is of prime importance to study how efficiently SVP-solvers can be implemented. This paper presents a parallel shared-memory implementation of the GaussSieve algorithm, a well known SVP-solver. Our implementation achieves almost linear and linear speedups with up to 64 cores, depending on the tested scenario, and delivers better sequential performance than any other disclosed GaussSieve implementation. In this paper, we show that it is possible to implement a highly scalable version of GaussSieve on multi-core CPU-chips. The key features of our implementation are a lock-free singly linked list, and hand-tuned, vectorized code. Additionally, we propose an algorithmic optimization that leads to faster convergence.
Fast Lattice Point Enumeration with Minimal Overhead
2014
Cited by 6 (2 self)
Enumeration algorithms are the best currently known methods to solve lattice problems, both in theory (within the class of polynomial space algorithms), and in practice (where they are routinely used to evaluate the concrete security of lattice cryptography). However, there is an uncomfortable gap between our theoretical understanding and practical performance of lattice point enumeration algorithms. The algorithms typically used in practice have worst-case asymptotic running time $2^{O(n^2)}$, but perform extremely well in practice, at least for all values of the lattice dimension for which experimentation is feasible. At the same time, theoretical algorithms (Kannan, Mathematics of Operation Research 12(3):415-440, 1987) are asymptotically superior (achieving $2^{O(n \log n)}$ running time), but they are never used in practice because they incur a substantial overhead that makes them uncompetitive for all reasonable values of the lattice dimension n. This gap is especially troublesome when algorithms are run in practice to evaluate the concrete security of a cryptosystem, and then experimental results are extrapolated to much larger dimension where solving lattice problems is computationally infeasible.