Cryptology ePrint Archive: Report 2014/880

Sieving for Shortest Vectors in Ideal Lattices: a Practical Perspective

Joppe W. Bos and Michael Naehrig and Joop van de Pol

Abstract: The security of many lattice-based cryptographic schemes relies on the hardness of finding short vectors in integral lattices. We propose a new variant of the parallel Gauss sieve algorithm to compute such short vectors. It combines favorable properties of previous approaches resulting in reduced run time and memory requirement per node. Our publicly available implementation outperforms all previous Gauss sieve approaches for dimensions 80, 88, and 96.

When computing short vectors in ideal lattices, we show how to reduce the number of multiplications and comparisons by using a symbolic Fourier transform. We computed a short vector in a negacyclic ideal lattice of dimension 128 in less than nine days on 1024 cores, more than twice as fast as the recent record computation for the same lattice on the same computer hardware.

Category / Keywords: Lattice cryptanalysis, parallel Gauss sieve, ideal lattices, ring LWE

Date: received 24 Oct 2014, last revised 18 Mar 2015

Contact author: joppe bos at nxp com

Available format(s): PDF | BibTeX Citation

Version: 20150318:162350 (All versions of this report)

Short URL: ia.cr/2014/880

Discussion forum: Show discussion | Start new discussion