Conference Paper

Some Sieving Algorithms for Lattice Problems.

DOI: 10.4230/LIPIcs.FSTTCS.2008.1738 Conference: IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2008, December 9-11, 2008, Bangalore, India
Source: DBLP
We study the algorithmic complexity of lattice problems based on the sieving technique due to M. Ajtai, R. Kumar and D. Sivakumar [“A sieve algorithm for the shortest lattice vector”, in: Proceedings of the thirty-third annual ACM symposium on theory of computing (STOC 2001). New York, NY: Association for Computing Machinery (ACM). 601–610 (2001; doi:10.1145/380752.380857)]. Given a k-dimensional subspace M⊆ℝ n and a full rank integer lattice ℒ⊆ℚ n , the subspace avoiding problem SAP, defined by J. Blömer and S. Naewe [Lect. Notes Comput. Sci. 4596, 65–77 (2007; Zbl 1171.11328)], is to find a shortest vector in ℒ∖M. We first give a 2 O(n+klogk) time algorithm to solve the subspace avoiding problem. Applying this algorithm we obtain the following results. 1. We give a 2 O(n) time algorithm to compute ith successive minima of a full rank lattice ℒ⊂ℚ n if i is O(n logn). 2. We give a 2 O(n) time algorithm to solve a restricted closest vector problem (CVP), where the inputs fulfil a promise about the distance of the input vector from the lattice. 3. We also show that unrestricted CVP has a 2 O(n) exact algorithm if there is a 2 O(n) time exact algorithm for solving CVP with additional input v i ∈ℒ, 1≤i≤n, where ∥v i ∥ p is the ith successive minima of ℒ for each i. We also give a new approximation algorithm for SAP and the convex body avoiding problem which is a generalization of SAP. Several of our algorithms work for gauge functions as metric, where the gauge function has a natural restriction and is accessed by an oracle.

Full-text preview

Available from:
  • Source
    • "In 2001 Ajtai et al. proposed the first sieve algorithm for solving the SVP [3]. There are many variants of the sieving algorithm [22, 6, 5] that try to improve the computational costs of the algorithm. In 2009 Micciancio and Voulgaris proposed a practical sieving algorithm, called the Gauss Sieve algorithm [20]. "
    [Show abstract] [Hide abstract] ABSTRACT: In this paper, we report that we have solved the SVP Challenge over a 128-dimensional lattice in Ideal Lattice Challenge from TU Darmstadt, which is currently the highest dimension in the challenge that has ever been solved. The security of lattice-based cryptography is based on the hardness of solving the shortest vector problem (SVP) in lattices. In 2010, Micciancio and Voulgaris proposed a Gauss Sieve algorithm for heuristically solving the SVP using a list L of Gauss-reduced vectors. Milde and Schneider proposed a parallel implementation method for the Gauss Sieve algorithm. However, the efficiency of the more than 10 threads in their implementation decreased due to the large number of non-Gauss-reduced vectors appearing in the distributed list of each thread. In this paper, we propose a more practical parallelized Gauss Sieve algorithm. Our algorithm deploys an additional Gauss-reduced list V of sample vectors assigned to each thread, and all vectors in list L remain Gauss-reduced by mutually reducing them using all sample vectors in V. Therefore, our algorithm allows the Gauss Sieve algorithm to run for large dimensions with a small communication overhead. Finally, we succeeded in solving the SVP Challenge over a 128-dimensional ideal lattice generated by the cyclotomic polynomial x 128 + 1 using about 30,000 CPU hours.
    Full-text · Article · Mar 2014
  • Source
    • "These problems are central to the geometry of numbers and have applications to integer programming, factoring polynomials, cryptography etc. The fastest known algorithms for solving SVP in general norms, are 2 O(n) time randomized algorithms based on the AKS sieve [1, 2]. Finding deterministic algorithms of this complexity for both SVP and CVP has been an important open problem. "
    [Show abstract] [Hide abstract] ABSTRACT: We give a deterministic 2(o(n))algorithm for computing an M-ellipsoid of a convex body, matching a known lower bound. This leads to a nearly optimal deterministic algorithm for estimating the volume of a convex body and improved deterministic algorithms for fundamental lattice problems under general norms.
    Preview · Article · Sep 2013 · Proceedings of the National Academy of Sciences
  • Source
    Preview · Article ·
Show more