Cryptology ePrint Archive: Report 2013/388

Parallel Gauss Sieve Algorithm: Solving the SVP in the Ideal Lattice of 128 dimensions

Tsukasa Ishiguro and Shinsaku Kiyomoto and Yutaka Miyake and Tsuyoshi Takagi

Abstract: In this paper, we report that we have solved the shortest vector problem (SVP) over a 128-dimensional lattice, which is currently the highest dimension of the SVP that has ever been solved. The security of lattice-based cryptography is based on the hardness of solving the SVP in lattices. In 2010 Micciancio \textit{et al.} proposed a Gauss Sieve algorithm for heuristically solving the SVP using list $L$ of Gauss-reduced vectors. Milde \textit{et al.} proposed a parallel implementation method for the Gauss Sieve algorithm. However, the efficiency of more than 10 threads in their implementation decreases due to a large number of non-Gauss-reduced vectors appearing in the distributed list of each thread. In this paper, we propose a more practical parallelized Gauss Sieve algorithm. Our algorithm deploys an additional Gauss-reduced list $V$ of sample vectors assigned to each thread, and all vectors in list $L$ remain Gauss-reduced by mutually reducing them using all sample vectors in $V$. Therefore, our algorithm enables the Gauss Sieve algorithm to run without excessive overhead even in a large-scale parallel computation of more than 1,000 threads. Moreover, for speed-up, we use the bi-directional rotation structure of an ideal lattice that makes the generation of additional vectors in the list with almost no additional overhead. Finally, we have succeeded in solving the SVP over a 128-dimensional ideal lattice generated by cyclotomic polynomial $x^{128}+1$ using about 30,000 CPU hours.

Category / Keywords: implementation / shortest vector problem, lattice-based cryptography, ideal lattice, Gauss Sieve algorithm, parallel algorithm

Date: received 13 Jun 2013, last revised 17 Jun 2013

Contact author: tsukasa at kddilabs jp

Available format(s): PDF | BibTeX Citation

Version: 20130618:043318 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]