Paper 2014/880

Sieving for Shortest Vectors in Ideal Lattices: a Practical Perspective

Joppe W. Bos, Michael Naehrig, and Joop van de Pol

Abstract

The security of many lattice-based cryptographic schemes relies on the hardness of finding short vectors in integral lattices. We propose a new variant of the parallel Gauss sieve algorithm to compute such short vectors. It combines favorable properties of previous approaches resulting in reduced run time and memory requirement per node. Our publicly available implementation outperforms all previous Gauss sieve approaches for dimensions 80, 88, and 96. When computing short vectors in ideal lattices, we show how to reduce the number of multiplications and comparisons by using a symbolic Fourier transform. We computed a short vector in a negacyclic ideal lattice of dimension 128 in less than nine days on 1024 cores, more than twice as fast as the recent record computation for the same lattice on the same computer hardware.

Metadata
Available format(s)
PDF
Publication info
Preprint. MINOR revision.
Keywords
Lattice cryptanalysisparallel Gauss sieveideal latticesring LWE
Contact author(s)
joppe bos @ nxp com
History
2016-03-01: last of 2 revisions
2014-10-28: received
See all versions
Short URL
https://ia.cr/2014/880
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2014/880,
      author = {Joppe W.  Bos and Michael Naehrig and Joop van de Pol},
      title = {Sieving for Shortest Vectors in Ideal Lattices: a Practical Perspective},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/880},
      year = {2014},
      url = {https://eprint.iacr.org/2014/880}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.