algorithmic geometry of numbers: lll and bkz - heat project ducas/lll-bkz.pdfnew year of 1611: l eo...

Algorithmic Geometry of Numbers:LLL and BKZ

Leo Ducas

CWI,Amsterdam, The Netherlands

HEAT Summer-School on FHE and MLM

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 1 / 28

A gift from Johannes Kepler to Matthaus Wacker vonWackenfels

New year of 1611:

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 2 / 28

A gift from Johannes Kepler to Matthaus Wacker vonWackenfels

New year of 1611:

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 2 / 28

A fruitful contemplation

Figure : Strena, De Nive Sexangula (A new year gift: on the sexangular snow)

Story told by J.C. Ameisen (Sur les Epaules de Darwin, Dec. 2013)http://www.franceinter.fr/player/reecouter?play=798226

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 3 / 28

A famous Conjecture

Figure : The close packing conjecture

conjecture

Arrangement B is the most compact arrangement.

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 4 / 28

A proof in dimension 2 ?

Let us restrict our attention to “regular arrangement”: lattices.What do we mean by compact ?

Definition (Packing density)

Let Λ be a lattice lattice, F a fundamental domain of Λ, and λ1 the lengthof the shortest non-zero vector. The packing density is defined by:

ρ(Λ) =Vol(λ1

2 · B)

Vol(F).

Figure : Fundamental domains

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 5 / 28

A proof in dimension 2 ?

Let us restrict our attention to “regular arrangement”: lattices.What do we mean by compact ?

Definition (Packing density)

Let Λ be a lattice lattice, F a fundamental domain of Λ, and λ1 the lengthof the shortest non-zero vector. The packing density is defined by:

ρ(Λ) =Vol(λ1

2 · B)

Vol(F).

Figure : Fundamental domains

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 5 / 28

A proof in dimension 2 ?

Let us restrict our attention to “regular arrangement”: lattices.What do we mean by compact ?

Definition (Packing density)

Let Λ be a lattice lattice, F a fundamental domain of Λ, and λ1 the lengthof the shortest non-zero vector. The packing density is defined by:

ρ(Λ) =Vol(λ1

2 · B)

Vol(F).

Figure : Fundamental domainsLeo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 5 / 28

Basis reduction in dimension 2

Lemma

Let Λ be a lattice. Assume, wlog.that v = (1, 0) is a shortest vector.Then, there exists a basis v,w that:

I ‖w‖ ≥ 1

I w = (x , y) where |x | ≤ 1/2

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 6 / 28

Basis reduction in dimension 2

Lemma

Let Λ be a lattice. Assume, wlog.that v = (1, 0) is a shortest vector.Then, there exists a basis v,w that:

I ‖w‖ ≥ 1

I w = (x , y) where |x | ≤ 1/2

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 6 / 28

Packing bound in dimension 2

We had v = (1, 0), w = (x , y) with ‖w‖ ≥ 1, and |x | ≤ 1/2. Hence:

|y | ≥√

3/4.

A fundamental domain is given by the parallelepiped :(vw

)·[−1

2,

1

2

]2

Its volume is:

det

(vw

)= det

(1 0x y

)= y ≥

√3/4.

This gives:

ρ(Λ) ≤ π · (1/2)2√3/4

=π

2√

3≈ 0.9068997.

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 7 / 28

Optimal packing in dimension 2

This bound is reached by the hexagonal lattice packing:

This is well-known since [Bees, 2 · 109 BC] (proof by trial-and-error)

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 8 / 28

Optimal packing in dimension 2

This bound is reached by the hexagonal lattice packing:

This is well-known since [Bees, 2 · 109 BC] (proof by trial-and-error)

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 8 / 28

Overview

1 Introduction

2 Hermite reduction, and the LLL algorithm

3 BKZ, and security estimate for lattice based cryptography

4 Conclusion

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 9 / 28

Gram-Schmidt Orthogonalization

Orthogonal projection on the direction of u:

πu (v) =〈u, v〉〈u,u〉

u.

Gram Schmidt Process:

b∗1 = b1 = π⊥0 (b1)

b∗2 = b2 − πb∗1 (b2) = π⊥1 (b2)

b∗3 = b3 − πb∗1 (b3)− πb∗2 (b3) = π⊥2 (b3)

......

b∗k = bk −k−1∑j=1

πb∗j (bk) = π⊥k−1(bk)

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 10 / 28

Gram-Schmidt basis and Volume

I For any basis B of Λ, P(B) is a fundamental domain of Λ, and so isP(B∗).

I The volume of the fundamental domain is independant of the choice ofthe basis:

Vol(Λ) , Vol(P(B∗)) =∏‖b∗i ‖

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 11 / 28

Reduced basis of 2-dimensional lattice

Let us re-express reduction in dimension 2 in Gram-Schmidt terms:

Definition (Simplified)

A basis (b1,b2) of Λ is said reduced if

‖b1‖‖b∗2‖

≤√

4

3

Such bases always exist.

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 12 / 28

Reduced basis of n-dimensional lattice

Definition (Hermite)

Let B = (b1,b2, . . . ,bn) be a basis of Λ. Set Λi = π⊥i (L(bi ,bi+1)).The basis B is said reduced if, for all i ,

π⊥i (bi ), π⊥i (bi+1) is a reduced of Λi .

In particular :‖b∗i ‖‖b∗i+1‖

≤√

43 and

‖b0‖ ≤(

4

3

)n/4

· Vol(Λ)1/n.

Theorem

Such bases always exist.

Proof by animation.

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 13 / 28

Reduced basis of n-dimensional lattice

Definition (Hermite)

Let B = (b1,b2, . . . ,bn) be a basis of Λ. Set Λi = π⊥i (L(bi ,bi+1)).The basis B is said reduced if, for all i ,

π⊥i (bi ), π⊥i (bi+1) is a reduced of Λi .

In particular :‖b∗i ‖‖b∗i+1‖

≤√

43 and

‖b0‖ ≤(

4

3

)n/4

· Vol(Λ)1/n.

Theorem

Such bases always exist.

Proof by animation.

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 13 / 28

Existence of Hermite-reduced basis

I Define a potential P =∑

(n − i) log ‖b∗i ‖I Prove that the potential strictly decrease at each step

I Prove that there are only finitely bases that can be visited during thisprocess (discreteness of the lattice and bound on the norms)

This proof is an algorithm !But it may require super-exponentially many step...

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 14 / 28

Existence of Hermite-reduced basis

I Define a potential P =∑

(n − i) log ‖b∗i ‖I Prove that the potential strictly decrease at each step

I Prove that there are only finitely bases that can be visited during thisprocess (discreteness of the lattice and bound on the norms)

This proof is an algorithm !

But it may require super-exponentially many step...

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 14 / 28

Existence of Hermite-reduced basis

I Define a potential P =∑

(n − i) log ‖b∗i ‖I Prove that the potential strictly decrease at each step

I Prove that there are only finitely bases that can be visited during thisprocess (discreteness of the lattice and bound on the norms)

This proof is an algorithm !But it may require super-exponentially many step...

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 14 / 28

LLL : an efficient relaxation

Idea: Relax the constraint so that each step improves the potential P by anon-negligible term ε > 0.

Theorem (LenstraLenstraLovasz82)

For any ε, there exists a deterministic polynomial time algorithm, the basisof a lattice can be reduced so that:

‖b∗i ‖‖b∗i+1‖

≤√

4

3+ ε.

Must-read : [The LLL Algorithm, NguyenVallee].

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 15 / 28

LLL in practice

The analysis guarantee that:

‖b∗i ‖‖b∗i+1‖

≤√

4

3+ ε ≈ 1.15.

In practice‖b∗i ‖‖b∗i+1‖

≈ 1.04.

P. Nguyen: “I hope I’ll get to learn why before I die !”

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 16 / 28

LLL in practice

The analysis guarantee that:

‖b∗i ‖‖b∗i+1‖

≤√

4

3+ ε ≈ 1.15.

In practice‖b∗i ‖‖b∗i+1‖

≈ 1.04.

P. Nguyen: “I hope I’ll get to learn why before I die !”

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 16 / 28

LLL in practice

The analysis guarantee that:

‖b∗i ‖‖b∗i+1‖

≤√

4

3+ ε ≈ 1.15.

In practice‖b∗i ‖‖b∗i+1‖

≈ 1.04.

P. Nguyen: “I hope I’ll get to learn why before I die !”

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 16 / 28

Overview

1 Introduction

2 Hermite reduction, and the LLL algorithm

3 BKZ, and security estimate for lattice based cryptography

4 Conclusion

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 17 / 28

The BKZ algorithm

Idea: [SchnorrEuchner,1994] find the shortest vector in projectedsub-lattices of dimension b > 2 as a sub-routine.

Theorem (HanrotPujolSthele)

The BKZb algorithm runs in time poly(n) · SVP(b).

How short of a vector does BKZb finds ?

I Theoretical upper-bounds involving Rankin’s constant

I Heuristically and experimentally, BKZ behave much better

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 18 / 28

The BKZ algorithm

Idea: [SchnorrEuchner,1994] find the shortest vector in projectedsub-lattices of dimension b > 2 as a sub-routine.

Theorem (HanrotPujolSthele)

The BKZb algorithm runs in time poly(n) · SVP(b).

How short of a vector does BKZb finds ?

I Theoretical upper-bounds involving Rankin’s constant

I Heuristically and experimentally, BKZ behave much better

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 18 / 28

The root hermite factor (heuristic)

In practice, BKZb produces a vector of size:

δnb · Vol(Λ)1/n.

The gaussian heuristic predicts that the root Hermite factor δb is about:

δb = (b/2πe)1/2b.

Figure : Heuristic Root Hermit factor δb

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 19 / 28

The root hermite factor (heuristic)

In practice, BKZb produces a vector of size:

δnb · Vol(Λ)1/n.

The gaussian heuristic predicts that the root Hermite factor δb is about:

δb = (b/2πe)1/2b.

Figure : Heuristic Root Hermit factor δb

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 19 / 28

The root hermite factor (a better heuristic ?)

Figure : Heuristic Root Hermit factor δb

This heuristic seems accurate for b > 45, but below that, is completlyabsurd ! Find out a better one !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 20 / 28

Run-time of BKZ

No good close formula–even abstracting out the cost of SVP(b).

Very complete survey on the state of the art, and prediction scripts in[AlbrechtPlayerScott2015].

A gold mine: Thesis of [Chen2013] (a.k.a. full version of BKZ 2.0) !Reproducing and sharing code for some of those technique would be veryvaluble (and should be rewarded...)

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 21 / 28

Run-time of SVP

I Enumeration [Kannan,FinckePost] with pruning [GamaNguyenRegev]:Super-exponential, ugly, hard to optimize, performance hard to predict, but

still the best algorithmI Sieving [MicciancioVoulgaris] with NNS techniques [Laarhoven, ...]:

neat, clean, exponential run-time with known constant...

and catching up!

Time=Space

●

●● ●

●●●●

●●●●

●●

● ●

●●

NV'08

MV'10

WLTB'11

ZPH'13

BGJ'14

BGJ '14

Laa '15

Laa '15

LdW'15

/ BL'15

LdW '15 / BL '15

BGJ '15

(this work)

(this work)

(this work)

20.20 n 20.25 n 20.30 n 20.35 n20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Timecomplexity

Hot topic:

Get sieving to beatenumeration in practice.

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 22 / 28

Run-time of SVP

I Enumeration [Kannan,FinckePost] with pruning [GamaNguyenRegev]:Super-exponential, ugly, hard to optimize, performance hard to predict, but

still the best algorithmI Sieving [MicciancioVoulgaris] with NNS techniques [Laarhoven, ...]:

neat, clean, exponential run-time with known constant... and catching up!

Time=Space

●

●● ●

●●●●

●●●●

●●

● ●

●●

NV'08

MV'10

WLTB'11

ZPH'13

BGJ'14

BGJ '14

Laa '15

Laa '15

LdW'15

/ BL'15

LdW '15 / BL '15

BGJ '15

(this work)

(this work)

(this work)

20.20 n 20.25 n 20.30 n 20.35 n20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Timecomplexity

Hot topic:

Get sieving to beatenumeration in practice.

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 22 / 28

Lower bounds for the designer

My grain of salt:

I Simplify all hard to predict terms to the advantage of the attacker (hecould come up with heuristic tricks)

I Make a clear distinction between best-known attack and security claim(help the cryptanalyst getting there hard work published)

Sieve-BKZ cost (using [BeckerD.GamaLaarhoven] for sieving):

poly(n) · 20.292b+o(b)

Lower bound for the designer:

20.292b (paranoıacs may use 20.215b).

This lower bounds also applies to enumeration with sieving for b > 150 !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 23 / 28

Lower bounds for the designer

My grain of salt:

I Simplify all hard to predict terms to the advantage of the attacker (hecould come up with heuristic tricks)

I Make a clear distinction between best-known attack and security claim(help the cryptanalyst getting there hard work published)

Sieve-BKZ cost (using [BeckerD.GamaLaarhoven] for sieving):

poly(n) · 20.292b+o(b)

Lower bound for the designer:

20.292b (paranoıacs may use 20.215b).

This lower bounds also applies to enumeration with sieving for b > 150 !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 23 / 28

Lower bounds for the designer

My grain of salt:

I Simplify all hard to predict terms to the advantage of the attacker (hecould come up with heuristic tricks)

I Make a clear distinction between best-known attack and security claim(help the cryptanalyst getting there hard work published)

Sieve-BKZ cost (using [BeckerD.GamaLaarhoven] for sieving):

poly(n) · 20.292b+o(b)

Lower bound for the designer:

20.292b (paranoıacs may use 20.215b).

This lower bounds also applies to enumeration with sieving for b > 150 !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 23 / 28

Overview

1 Introduction

2 Hermite reduction, and the LLL algorithm

3 BKZ, and security estimate for lattice based cryptography

4 Conclusion

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 24 / 28

The killer instinct ?

Figure : Cryptanalysis (according to certain view)

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 25 / 28

The killer instinct ?

Figure : Cryptanalysis (according to certain view)

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 25 / 28

A game (a very serious one!)

Figure : Cryptanalysis (according my view)

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 26 / 28

The cat and mouse game

The cat and mouse game is essential in determining what is secure andwhat is not, and is an amazing catalyst for crypto, math, and algorithmic.The rules:

Mouse: Meaningful and compact problems, or the cat may not even bother

Cat: Reproducible claims, code-sharing, work as a community toward aunified lattice cryptanalysis playground

Problem:

In lattice-based crypto, we don’t have enough cats !

Solution:

Feed your cats (achievable concrete targets) !

Solution:

Become a cat !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 27 / 28

The cat and mouse game

The cat and mouse game is essential in determining what is secure andwhat is not, and is an amazing catalyst for crypto, math, and algorithmic.The rules:

Mouse: Meaningful and compact problems, or the cat may not even bother

Cat: Reproducible claims, code-sharing, work as a community toward aunified lattice cryptanalysis playground

Problem:

In lattice-based crypto, we don’t have enough cats !

Solution:

Feed your cats (achievable concrete targets) !

Solution:

Become a cat !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 27 / 28

The cat and mouse game

The cat and mouse game is essential in determining what is secure andwhat is not, and is an amazing catalyst for crypto, math, and algorithmic.The rules:

Mouse: Meaningful and compact problems, or the cat may not even bother

Cat: Reproducible claims, code-sharing, work as a community toward aunified lattice cryptanalysis playground

Problem:

In lattice-based crypto, we don’t have enough cats !

Solution:

Feed your cats (achievable concrete targets) !

Solution:

Become a cat !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 27 / 28

Thank you !

Leo Ducas (CWI, Amsterdam) LLL and BKZ HEAT, October 2015 28 / 28