Paper 2024/739

BGJ15 Revisited: Sieving with Streamed Memory Access

Ziyu Zhao, Tsinghua University
Jintai Ding, Tsinghua University
Bo-Yin Yang, Academia Sinica
Abstract

The focus of this paper is to tackle the issue of memory access within sieving algorithms for lattice problems. We have conducted an in-depth analysis of an optimized BGJ sieve (Becker-Gama-Joux 2015), and our findings suggest that its inherent structure is significantly more memory-efficient compared to the asymptotically fastest BDGL sieve (Becker-Ducas-Gama-Laarhoven 2016). Specifically, it necessitates merely $2^{0.2075n + o(n)}$ streamed (non-random) main memory accesses for the execution of an $n$-dimensional sieving. We also provide evidence that the time complexity of this refined BGJ sieve could potentially be $2^{0.292n + o(n)}$, or at least something remarkably close to it. Actually, it outperforms the BDGL sieve in all dimensions that are practically achievable. We hope that this study will contribute to the resolution of the ongoing debate regarding the measurement of RAM access overhead in large-scale, sieving-based lattice attacks. The concept above is also supported by our implementation. Actually, we provide a highly efficient, both in terms of time and memory, CPU-based implementation of the refined BGJ sieve within an optimized sieving framework. This implementation results in approximately 40% savings in RAM usage and is at least $2^{4.5}$ times more efficient in terms of gate count compared to the previous 4-GPU implementation (Ducas-Stevens-Woerden 2021). Notably, we have successfully solved the 183-dimensional SVP Darmstadt Challenge in 30 days using a 112-core server and approximately 0.87TB of RAM. The majority of previous sieving-based SVP computations relied on the HK3-sieve (Herold-Kirshanova 2017), hence this implementation could offer further insights into the behavior of these asymptotically faster sieving algorithms when applied to large-scale problems. Moreover, our refined cost estimation of SVP based on this implementation suggests that some of the NIST PQC candidates, such as Falcon-512, are unlikely to achieve NIST's security requirements.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
Lattice SievingShortest VectorChallenges
Contact author(s)
ziyuzhao0008 @ outlook com
jintai ding @ gmail com
by @ crypto tw
History
2024-05-16: approved
2024-05-15: received
See all versions
Short URL
https://ia.cr/2024/739
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/739,
      author = {Ziyu Zhao and Jintai Ding and Bo-Yin Yang},
      title = {{BGJ15} Revisited: Sieving with Streamed Memory Access},
      howpublished = {Cryptology ePrint Archive, Paper 2024/739},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/739}},
      url = {https://eprint.iacr.org/2024/739}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.