Cryptology ePrint Archive: Report 2016/713

Tuple lattice sieving

Shi Bai and Thijs Laarhoven and Damien Stehle

Abstract: Lattice sieving is asymptotically the fastest approach for solving the shortest vector problem (SVP) on Euclidean lattices. All known sieving algorithms for solving SVP require space which (heuristically) grows as $2^{0.2075 n + o(n)}$, where $n$ is the lattice dimension. In high dimensions, the memory requirement becomes a limiting factor for running these algorithms, making them uncompetitive with enumeration algorithms, despite their superior asymptotic time complexity. We generalize sieving algorithms to solve SVP with less memory. We consider reductions of tuples of vectors rather than pairs of vectors as existing sieve algorithms do. For triples, we estimate that the space requirement scales as $2^{0.1887 n + o(n)}$. The naive algorithm for this triple sieve runs in time $2^{0.5661 n + o(n)}$. With appropriate filtering of pairs, we reduce the time complexity to $2^{0.4812 n + o(n)}$ while keeping the same space complexity. We further analyze the effects of using larger tuples for reduction, and conjecture how this provides a continuous tradeoff between the memory-intensive sieving and the asymptotically slower enumeration.

Category / Keywords: foundations / lattices, shortest vector problem (SVP), sieving, enumeration

Original Publication (in the same form): Algorithmic Number Theory Symposium (ANTS-XII) 2016
DOI:
10.1112/S1461157016000292

Date: received 18 Jul 2016, last revised 12 Sep 2016

Contact author: mail at thijs com

Available format(s): PDF | BibTeX Citation

Note: Updated acknowledgments and added DOI reference

Version: 20160912:213650 (All versions of this report)

Short URL: ia.cr/2016/713

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]