TY - GEN
T1 - Sieve, Enumerate, Slice, and Lift: - Hybrid Lattice Algorithms for SVP via CVPP.
AU - Doulgerakis, Emmanouil
AU - Laarhoven, Thijs
AU - de Weger, Benne
PY - 2020
Y1 - 2020
N2 - Motivated by recent results on solving large batches of closest vector problem (CVP) instances, we study how these techniques can be combined with lattice enumeration to obtain faster methods for solving the shortest vector problem (SVP) on high-dimensional lattices. Theoretically, under common heuristic assumptions we show how to solve SVP in dimension d with a cost proportional to running a sieve in dimension $$d - \varTheta (d / \log d)$$, resulting in a $$2^{\varTheta (d / \log d)}$$ speedup and memory reduction compared to running a full sieve. Combined with techniques from [Ducas, Eurocrypt 2018] we can asymptotically get a total of $$[\log (13/9) + o(1)] \cdot d / \log d$$ dimensions for free for solving SVP. Practically, the main obstacles for observing a speedup in moderate dimensions appear to be that the leading constant in the $$\varTheta (d / \log d)$$ term is rather small; that the overhead of the (batched) slicer may be large; and that competitive enumeration algorithms heavily rely on aggressive pruning techniques, which appear to be incompatible with our algorithms. These obstacles prevented this asymptotic speedup (compared to full sieving) from being observed in our experiments. However, it could be expected to become visible once optimized CVPP techniques are used in higher dimensional experiments.
AB - Motivated by recent results on solving large batches of closest vector problem (CVP) instances, we study how these techniques can be combined with lattice enumeration to obtain faster methods for solving the shortest vector problem (SVP) on high-dimensional lattices. Theoretically, under common heuristic assumptions we show how to solve SVP in dimension d with a cost proportional to running a sieve in dimension $$d - \varTheta (d / \log d)$$, resulting in a $$2^{\varTheta (d / \log d)}$$ speedup and memory reduction compared to running a full sieve. Combined with techniques from [Ducas, Eurocrypt 2018] we can asymptotically get a total of $$[\log (13/9) + o(1)] \cdot d / \log d$$ dimensions for free for solving SVP. Practically, the main obstacles for observing a speedup in moderate dimensions appear to be that the leading constant in the $$\varTheta (d / \log d)$$ term is rather small; that the overhead of the (batched) slicer may be large; and that competitive enumeration algorithms heavily rely on aggressive pruning techniques, which appear to be incompatible with our algorithms. These obstacles prevented this asymptotic speedup (compared to full sieving) from being observed in our experiments. However, it could be expected to become visible once optimized CVPP techniques are used in higher dimensional experiments.
KW - Closest vector problem (CVP)
KW - Lattice enumeration
KW - Lattice sieving
KW - Randomized slicer
KW - Shortest vector problem (SVP)
UR - http://www.scopus.com/inward/record.url?scp=85088537281&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-51938-4_15
DO - 10.1007/978-3-030-51938-4_15
M3 - Conference contribution
AN - SCOPUS:85088537281
SN - 9783030519377
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 301
EP - 320
BT - Progress in Cryptology - AFRICACRYPT 2020 - 12th International Conference on Cryptology in Africa, Proceedings
A2 - Nitaj, Abderrahmane
A2 - Youssef, Amr
PB - Springer
T2 - 12th International Conference on the Theory and Application of Cryptographic Techniques in Africa, AFRICACRYPT 2020
Y2 - 20 July 2020 through 22 July 2020
ER -