Paper 2023/200

Classical and quantum 3 and 4-sieves to solve SVP with low memory

Johanna Loyer, French Institute for Research in Computer Science and Automation
André Chailloux, French Institute for Research in Computer Science and Automation
Abstract

The Shortest Vector Problem (SVP) is at the foundation of lattice-based cryptography. The fastest known method to solve SVP in dimension $d$ is by lattice sieving, which runs in time $2^{td+o(d)}$ with $2^{md+o(d)}$ memory for constants $t,m \in \Theta(1)$. Searching reduced vectors in the sieve is a problem reduced to the configuration problem, \ie searching $k$ vectors satisfying given constraints over their scalar products. In this work, we present a framework for $k$-sieve algorithms: we filter the input list of lattice vectors using a code structure modified from [BDGL16] to get lists centred around $k$ codewords summing to the null-vector. Then, we solve a simpler instance of the configuration problem in the $k$ filtered lists. Based on this framework, we describe classical sieves for $k=3$ and $4$ that introduce new time-memory trade-offs. We also use the $k$-Lists algorithm [KMPM19] inside our framework, and this improves the time for $k=3$ and gives new trade-offs for $k=4$.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Minor revision. PQCrypto
Contact author(s)
johanna loyer @ gmail com
andre chailloux @ inria fr
History
2023-08-02: revised
2023-02-15: received
See all versions
Short URL
https://ia.cr/2023/200
License
Creative Commons Attribution-ShareAlike
CC BY-SA

BibTeX 

@misc{cryptoeprint:2023/200,
      author = {Johanna Loyer and André Chailloux},
      title = {Classical and quantum 3 and 4-sieves to solve {SVP} with low memory},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/200},
      year = {2023},
      url = {https://eprint.iacr.org/2023/200}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.