, We use this preprocessing cost (the preprocessing before each trial enumeration except the initial preprocessing) as input to the pruner (for both PressedBKZ 60 and BKZ 90-reduced bases). The total pruned enumeration cost estimate in fpylll, tabulated in Table 5.1, confirms that Pressed-BKZ 60 and BKZ 90-reduced bases indeed have similar quality as they all admit similar total pruned enumeration costs. In general, the pruner seems to be quite precise in practice (hence so are the estimates in Table 5.1). Thus it suffices to compare the initial preprocessing cost between Pressed-BKZ, Here we just used BKZ 80 for simplicity (there could be other strategies). The re-preprocessing took 1.7 × 10 5 seconds (i.e., 3.4 × 10 12 nodes), vol.60
, In this subsection, we have only considered a straightforward strategy, BKZ plus enumeration, for solving the SVP-120 instance, the following we will further compare with progressive-BKZ, vol.16
, List of publications
, Improved reduction from the bounded distance decoding problem to the unique shortest vector problem in lattices, Citations: § XIII and 5, vol.76, pp.1-76, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01394213
, Learning with errors and extrapolated dihedral cosets, Citations: § XIV and 5, pp.702-727, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01934165
, Measuring, simulating and exploiting the head concavity phenomenon in BKZ, Proc. of Asiacrypt 2018. Citations: § XIV and 6
URL : https://hal.archives-ouvertes.fr/hal-01934174
, Estimate all the {LWE, NTRU} schemes! To appear in the Proc. of SCN 2018. Citations: § 81, vol.101, p.115
, On the complexity of the BKW algorithm on LWE. Designs, Codes and Cryptography, vol.74, pp.325-354, 2015.
URL : https://hal.archives-ouvertes.fr/hal-00776069
, A public-key cryptosystem with worst-case/average-case equivalence, Citations: § X and 2, pp.284-293, 1997.
, Improved hardness results for unique shortest vector problem, Citations: § X and 2, vol.116, pp.631-637, 2016.
, Post-quantum key exchange-a new hope, Proc. of USENIX Security Symposium, p.18, 2016.
, Solving the shortest vector problem in 2 n time using discrete Gaussian sampling: Extended abstract, Proc. of STOC, pp.16-17, 2015.
, Generating hard instances of lattice problems (extended abstract), Citations: § X and 2, pp.99-108, 1996.
, The shortest vector problem in l 2 is NP-hard for randomized reductions (extended abstract), Citations: § X, vol.2, p.46, 1998.
, A sieve algorithm for the shortest lattice vector problem, Proc. of STOC, pp.16-17, 2001.
, On the concrete hardness of learning with errors, Citations: § XII, vol.9, p.57, 2015.
, Gap/S)ETH hardness of SVP, Proc. of STOC, pp.13-14, 2018.
, Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator, Proc. of EUROCRYPT, vol.4, p.113, 2016.
, On Lovász lattice reduction and the nearest lattice point problem, Citations: § XII, vol.6, p.62, 1986.
, New bounds in some transference theorems in the geometry of numbers, Mathematische Annalen, vol.296, issue.4, p.13, 1993.
, Post Quantum Cryptography, Citations: § XII, p.57, 2008.
, From optimal measurement to efficient quantum algorithms for the hidden subgroup problem over semidirect product groups, Proc. of FOCS, p.115, 2005.
, Optimal measurements for the dihedral hidden subgroup problem, Chicago J. Theor. Comput. Sci, p.115, 2006.
, Conditional quantum dynamics and logic gates, Phys. Rev. Lett, vol.74, p.26, 1995.
, Logical reversibility of computation, IBM J. Res. Dev, vol.17, issue.6, p.27, 1973.
, Private communication, Citations: § 43, vol.44, p.49, 2015.
, Classical hardness of learning with errors, Proc. of STOC, vol.62, p.67, 2013.
URL : https://hal.archives-ouvertes.fr/hal-00922194
, The upper error bound of a new near-optimal code, IEEE Trans. on Information Theory, vol.21, issue.4, p.44, 1975.
, Efficient fully homomorphic encryption from (standard) LWE, Proc. of FOCS, p.57, 2011.
, Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe, Citations: § 11, vol.32, p.79, 2009.
, BKZ 2.0: Better lattice security estimates, Proc. of ASIACRYPT, pp.1-20, 2011.
URL : https://hal.archives-ouvertes.fr/hal-01109961
, Quantum algorithm for a generalized hidden shift problem, Proc. of SODA, vol.32, p.115, 2007.
, New directions in cryptography, IEEE Trans. Inform. Theory, IT, vol.22, pp.644-654, 1976.
, Lattice sparsification and the approximate closest vector problem, Proc. of SODA, p.45, 2013.
, On the closest vector problem with a distance guarantee, Proc. of CCC, p.45, 2014.
, The FPLLL development team. fplll, a lattice reduction library
, The FPYLLL development team. fpylll, a Python interface to fplll
, Shortest vector from lattice sieving: A few dimensions for free, Proc. of EUROCRYPT, p.18, 2018.
, On quantum algorithms for noncommutative hidden subgroups, Proc. of STACS, pp.29-57, 1999.
, Another NP-complete problem and the complexity of computing short vectors in a lattice, 1981.
, Hidden translation and orbit coset in quantum computing, Proc. of STOC, p.28, 2003.
, Hidden translation and translating coset in quantum computing, SIAM J. Comput, vol.43, issue.1, p.57, 2014.
, A procedure for determining algebraic integers of given norm, Proc. of EUROCAL, vol.17, p.44, 1983.
, Public-key cryptosystems from lattice reduction problems, Citations: § X and 2, pp.112-131, 1997.
, Candidate multilinear maps from ideal lattices, Citations: § X and 2, pp.1-17, 2013.
, Rankin's constant and blockwise lattice reduction, Proc. of CRYPTO, p.37, 2006.
, Reusable garbled circuits and succinct functional encryption, Proc. of STOC, p.57, 2013.
, Approximating shortest lattice vectors is not harder than approximating closest lattice vectors, Inf. Process. Lett, vol.71, issue.2, p.18, 1999.
, Finding short lattice vectors within Mordell's inequality, Proc. of STOC, p.37, 2008.
, Predicting lattice reduction, Proc. of EUROCRYPT, pp.37-39, 2008.
, Lattice enumeration using extreme pruning, Proc. of EUROCRYPT, vol.17, p.82, 2010.
URL : https://hal.archives-ouvertes.fr/hal-01083526
, Trapdoors for hard lattices and new cryptographic constructions, Proc. of STOC, p.59, 2008.
, Creating superpositions that correspond to efficiently integrable probability distributions, 2002.
, Quantum mechanical algorithms for the nonabelian hidden subgroup problem, Proc. of STOC, p.28, 2001.
, Attribute-based encryption for circuits, Proc. of STOC, p.57, 2013.
, A pseudorandom generator from any one-way function, SIAM J. Comput, vol.28, issue.4, p.23, 1999.
, Analyzing blockwise lattice algorithms using dynamical systems, Proc. of CRYPTO, pp.447-464, 2011.
URL : https://hal.archives-ouvertes.fr/hal-00640638
, Tensor-based hardness of the shortest vector problem to within almost polynomial factors, Citations: § X and 2, pp.469-477, 2007.
URL : https://hal.archives-ouvertes.fr/hal-01111558
, Normal subgroup reconstruction and quantum computation using group representations, Proc. of STOC, p.28, 2000.
, Improved analysis of Kannan's shortest lattice vector algorithm, Proc. of CRYPTO, vol.17, p.87, 2007.
, Worst-case Hermite-Korkine-Zolotarev reduced lattice bases
URL : https://hal.archives-ouvertes.fr/inria-00211875
, , vol.3331, p.79, 2008.
, A 'pretty good' measurement for distinguishing quantum states, Journal of Modern Optics, vol.41, issue.12, p.115, 1994.
, Improved algorithms for integer programming and related lattice problems, Proc. of STOC, vol.17, p.44, 1983.
, Minkowski's convex body theorem and integer programming, Citations: § XIII, vol.12, issue.3, p.44, 1987.
, Hardness of approximating the shortest vector problem in high L p norms, Proc. of FOCS, vol.5, p.45, 2003.
, Hardness of approximating the shortest vector problem in lattices, Citations: § X, vol.52, p.45, 2005.
, On the unique shortest lattice vector problem, Citations: § X and 2, vol.255, pp.641-648, 2001.
, A subexponential-time quantum algorithm for the dihedral hidden subgroup problem, Citations: § 25, vol.35, p.116, 2005.
, Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem, Proc. of TQC, vol.30, p.114, 2013.
, Integer programming with a fixed number of variables, Mathematics of Operations Research, vol.8, issue.4, p.58, 1983.
, Factoring polynomials with rational coefficients, Math. Ann, vol.261, pp.515-534, 1982.
, On bounded distance decoding for general lattices, Citations: § X and 2, pp.450-461, 2006.
, Korkine-Zolotarev bases and successive minimal of a lattice and its reciprocal lattice, Combinatorica, vol.10, p.35, 1990.
, On bounded distance decoding, unique shortest vectors, and the minimum distance problem, Proc. of CRYPTO, vol.53, p.115, 2009.
, An Algorithmic Theory of Numbers, Graphs and Convexity. SIAM, 1986. CBMS-NSF Regional Conference Series in Applied Mathematics. Citations: § 38
, A note on BDD problems with ? 2-gap, Citations: § 18, vol.114, p.49, 2014.
URL : https://hal.archives-ouvertes.fr/hal-00922234
, Perfect Lattices in Euclidean Spaces, p.10, 2002.
, Complexity of Lattice problem: A Cryptography Perspective. Kluwer, Citations: § XIII, vol.5, p.46, 2002.
, Lecture notes of lattices algorithms and applications, taught at the Computer Science & Engineering Department
, The shortest vector in a lattice is hard to approximate to within some constant, Citations: § 16 and 18, vol.30, 2001.
, The shortest vector problem is NP-hard to approximate to within some constant, SIAM J. Comput, vol.30, issue.6, p.46, 2001.
, Inapproximability of the shortest vector problem: Toward a deterministic reduction, Theory of Computing, vol.8, issue.22, p.16, 2012.
, Private communication, Citations: § 43, vol.44, p.49, 2015.
, Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions, Proc. of CRYPTO, p.114, 2011.
, Worst-case to average-case reductions based on gaussian measures, Citations: § X and 2, vol.37, pp.267-302, 2007.
, Lattice-based cryptography, Citations: § XI and 3, pp.147-191, 2009.
, Modelling the lll algorithm by sandpiles, Proc. of LATIN, pp.32-39, 2010.
URL : https://hal.archives-ouvertes.fr/hal-01082028
, A deterministic single exponential time algorithm for most lattice problems based on voronoi cell computations, Citations: § 16 and 17, pp.351-358, 2010.
, Faster exponential time algorithms for the shortest vector problem, Proc. of SODA, 2010. Citations: § 16 and 17
, Quantum Computation and Quantum Information, vol.26, p.27, 2000.
, Bounding basis reduction properties, Des. Codes Cryptography, vol.84, issue.1-2, p.79, 2017.
, The LLL Algorithm: Survey and Applications. Information Security and Cryptography, pp.32-124, 2009.
URL : https://hal.archives-ouvertes.fr/hal-01141414
, Quantum rejection sampling, Citations: § 28 and 65, vol.5, 2013.
, Lecture notes of lattices in cryptography, taught at the Computer Science and Engineering
, Public-key cryptosystems from the worst-case shortest vector problem, Proc. of STOC, p.21, 2009.
, A decade of lattice cryptography, Foundations and Trends in Theoretical Computer Science, vol.10, issue.4, p.57, 2016.
, Polynomial-time solution to the hidden subgroup problem for a class of non-abelian groups, 1998.
, Lecture notes of lattices in computer science, taught at the Computer Science
, Quantum computation and lattice problems, Proc. of FOCS, pp.520-529, 2002.
, New lattice based cryptographic constructions, Citations: § X and 2, pp.407-416, 2003.
, New lattice-based cryptographic constructions, J. ACM, vol.51, issue.6, p.63, 2004.
, Quantum computation and lattice problems, Citations: § XIII, vol.33, issue.3, p.63, 2004.
, A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space, vol.30, p.114, 2004.
, On lattices, learning with errors, random linear codes, and cryptography, Proc. of STOC, vol.2, p.60, 2005.
, On lattices, learning with errors, random linear codes, and cryptography, Citations: § XI, vol.56, issue.6, p.63, 2009.
, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol.21, issue.2, pp.120-126, 1978.
, Progress on LLL and lattice reduction
, Theory of Linear and Integer Programming, vol.8, 1986.
, A hierarchy of polynomial lattice basis reduction algorithms, Theor. Comput. Science, vol.53, p.44, 1987.
, Lattice reduction by random sampling and birthday methods, STACS, vol.4, p.79, 2003.
DOI : 10.1007/3-540-36494-3_14
URL : http://publikationen.ub.uni-frankfurt.de/volltexte/2005/1209/pdf/schnorr.pdf
, Discrete Gaussian sampling reduces to CVP and SVP, Proc. of SODA, 2016. Citations: § 13 and 45
DOI : 10.1137/1.9781611974331.ch121
URL : https://epubs.siam.org/doi/pdf/10.1137/1.9781611974331.ch121
, Search-to-Decision Reductions for Lattice Problems with Approximation Factors (Slightly) Greater Than One, Proc. of APPROX/RANDOM, vol.19, pp.1-19, 2016.
, Lattice basis reduction: Improved practical algorithms and solving subset sum problems, Proc. of FCT, vol.36, p.38, 1991.
DOI : 10.1007/3-540-54458-5_51
, Lattice basis reduction: improved practical algorithms and solving subset sum problems, Mathematics of Programming, vol.66, p.82, 1994.
DOI : 10.1007/3-540-54458-5_51
, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, Citations: § IX and 1, vol.41, pp.303-332, 1999.
, A Computational Introduction to Number Theory and Algebra, p.67, 2005.
, On the Poisson distribution of lengths of lattice vectors in a random lattice, Mathematische Zeitschrift, vol.269, issue.3, pp.11-79, 2011.
, Efficient public key encryption based on ideal lattices, Proc. of ASIACRYPT, p.59, 2009.
, Dimension-preserving reductions between lattice problems, Citations: § X, 2, and 16, 2015.
, Lecture notes of advanced topics in cryptography: lattices, taught at the Electrical Engineering & Computer Science, Massachusetts Institute of Technology
, Algorithmic complexity in coding theory and the minimum distance problem, Citations: § X and 2, pp.92-109, 1997.
, Second order statistical behavior of LLL and BKZ, Proc. of SAC, vol.4, p.89, 2017.
, IX 2 Graphique des réductions entre le problème LWE (dans le cas moyen) et certains problèmes sur les réseau
, 1 1.2 Graph of reductions between known the (average-case) LWE problem and some (worstcase) lattice problems: BDD, uSVP and GapSVP
, Babai's round-off algorithm for CVP under different bases
, A lattice in R 2 and two of its bases
, An example of sparsification with p = 5, z = (1, 2)
,
, An illustration of the LWE samples
,
, Quantum circuit for evaluating a function f with input |x
, 28 2.9 Comparison of run-time and SVP approximation factor between LLL-reduction, BKZreduction and HKZ-reduction, An illustration of DCP samples with modulus N = 14
, Comparison between prior reductions from BDD ? to uSVP ? , and ours, p.45
, An example of sparsification for BDD 1/2 (here w ? ? p,z /?)
, ? 2) instance, BDD, vol.1, issue.2
, Geometric illustration of the reduction
, 57 4.2 A comparison between our solver (via our LWE to EDCP reduction and solving LWE by the LLL algorithm) and the Childs and van Dam's solver for solving EDCP, An illustration of one-dimensional U-EDCP with number of possibilities 2, 4 and 6, and, p.59
, Graph of reductions between the LWE problem, the EDCP problem, chosen worst-case lattice problems
, A visualization of the space subdivision
, A visualization of the balls' intersections
, Graph of reductions between U-EDCP, G-EDCP and LWE with parameter losses, p.64
, Quantum circuit for our reduction from LWE to EDCP
,
, Gram-Schmidt log-norms for BKZ 45 at tour 2, 000
, 10 Evolution of the Gram-Schmidt log-norms during BKZ 40 's execution, BKZ 40 , BKZ 50 and BKZ 60 on a BKZ 40 reduced basis, vol.87, p.88
, Evolution of the b * i /GH's during BKZ 40 's execution
, Evolution of Root Hermite factors during the execution of BKZ 45
, Output Gram-Schmidt log-norms for BKZ 40 with pruning
, Evolution of the b * i /GH's during the execution of BKZ 60 with pruning, p.91
, Gram-Schmidt log-norms for BKZ 45 at tour 50
, Same as Figuer 5.15, but zoomed in
, Gram-Schmidt log-norms for BKZ 45 at tour 2, 000
, Gram-Schmidt log-norms for BKZ 60 at tour 50
, BKZ, vol.60, issue.20
, 99 5.23 Evolution of the root Hermite factor during the execution of BKZ 45 (no pruned enumeration) on SVP-100
, 100 5.25 Comparison of Gram-Schmidt log-norms obtained by the simulators and BKZ 60 (no pre-processing) on SVP-150, after 4,000 tours, Evolution of the root Hermite factor during the execution of BKZ 60 (with pruned enumeration) on SVP-150
, Root Hermite factor for selected ? ? {50, 60, · · · , 300}. Here the dimension is 3 · ?, p.102
, Full sequences of Gram-Schmidt log-norms of bases returned by BKZ 60 and pressed-BKZ 60, p.104
, Full sequences of Gram-Schmidt log-norms of bases returned by BKZ 60 , pressed-BKZ 60 and simulated pressed-BKZ 60
, Here the dimension is 1000 for ?, Comparison between our simulator for pressed-BKZ and the Chen-Nguyen simulator for standard BKZ for selected ? ? {50, vol.60, 2000.
, Comparison between our simulator for pressed-BKZ and the Chen-Nguyen simulator for standard BKZ for selected ? ? {50, 60, · · · , 300}. Here the dimension is 3 · ?, p.106
, Comparison of root Hermite factors of simulated BKZ with and without variable blocksize. The simulation is performed with our new simulator up to 40 tours, p.107
, Comparison of root Hermite factors of simulated BKZ with and without variable blocksize. The simulation is performed with our new simulator up to 2,000 tours, p.108
, Comparison of root Hermite factors of standard BKZ 60 with and without variable blocksize within 40 tours
, 109 5.37 Gram-Schmidt log-norms of experimental pressed-BKZ 60 and BKZ 90 (28 tours).. .. . 111 5.36 Gram-Schmidt log-norms of simulated pressed-BKZ 60 and simulated BKZ ?, Comparison of root Hermite factors of standard BKZ 60 with and without variable blocksize within 2,000 tours, p.111
, 112 1 Partition algorithm for exponentially approximated first minimum
, Regev's public key encryption scheme
, Size-reduction algorithm
,
,
,
,