Paper 2023/200
Classical and quantum 3 and 4-sieves to solve SVP with low memory
Abstract
The Shortest Vector Problem (SVP) is at the foundation of lattice-based cryptography. The fastest known method to solve SVP in dimension $d$ is by lattice sieving, which runs in time $2^{td+o(d)}$ with $2^{md+o(d)}$ memory for constants $t,m \in \Theta(1)$. Searching reduced vectors in the sieve is a problem reduced to the configuration problem, \ie searching $k$ vectors satisfying given constraints over their scalar products. In this work, we present a framework for $k$-sieve algorithms: we filter the input list of lattice vectors using a code structure modified from [BDGL16] to get lists centred around $k$ codewords summing to the null-vector. Then, we solve a simpler instance of the configuration problem in the $k$ filtered lists. Based on this framework, we describe classical sieves for $k=3$ and $4$ that introduce new time-memory trade-offs. We also use the $k$-Lists algorithm [KMPM19] inside our framework, and this improves the time for $k=3$ and gives new trade-offs for $k=4$.
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Published elsewhere. Minor revision. PQCrypto
- Contact author(s)
-
johanna loyer @ gmail com
andre chailloux @ inria fr - History
- 2023-08-02: revised
- 2023-02-15: received
- See all versions
- Short URL
- https://ia.cr/2023/200
- License
-
CC BY-SA
BibTeX
@misc{cryptoeprint:2023/200,
author = {Johanna Loyer and André Chailloux},
title = {Classical and quantum 3 and 4-sieves to solve SVP with low memory},
howpublished = {Cryptology ePrint Archive, Paper 2023/200},
year = {2023},
note = {\url{https://eprint.iacr.org/2023/200}},
url = {https://eprint.iacr.org/2023/200}
}
