Paper 2018/079
Progressive lattice sieving
Thijs Laarhoven and Artur Mariano
Abstract
Most algorithms for hard lattice problems are based on the principle of rank reduction: to solve a problem in a $d$-dimensional lattice, one first solves one or more problem instances in a sublattice of rank $d - 1$, and then uses this information to find a solution to the original problem. Existing lattice sieving methods, however, tackle lattice problems such as the shortest vector problem (SVP) directly, and work with the full-rank lattice from the start. Lattice sieving further seems to benefit less from starting with reduced bases than other methods, and finding an approximate solution almost takes as long as finding an exact solution. These properties currently set sieving apart from other methods. In this work we consider a progressive approach to lattice sieving, where we gradually introduce new basis vectors only when the sieve has stabilized on the previous basis vectors. This leads to improved (heuristic) guarantees on finding approximate shortest vectors, a bigger practical impact of the quality of the basis on the run-time, better memory management, a smoother and more predictable behavior of the algorithm, and significantly faster convergence - compared to traditional approaches, we save between a factor $20$ to $40$ in the time complexity for SVP.
Metadata
- Available format(s)
-
PDF
- Category
- Foundations
- Publication info
- Published elsewhere. PQCrypto 2018
- Keywords
- lattice-based cryptographylattice sievingshortest vector problem (SVP)nearest neighbor searching
- Contact author(s)
- mail @ thijs com
- History
- 2018-02-13: revised
- 2018-01-23: received
- See all versions
- Short URL
- https://ia.cr/2018/079
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2018/079,
author = {Thijs Laarhoven and Artur Mariano},
title = {Progressive lattice sieving},
howpublished = {Cryptology {ePrint} Archive, Paper 2018/079},
year = {2018},
url = {https://eprint.iacr.org/2018/079}
}
