hashsieve: theory and practice 0.2cmpart 1: theorythijs.com/docs/crypto15-darmstadt2.pdf ·...

HashSieve: Theory and PracticePart 1: Theory

Artur Mariano, Thijs Laarhoven, Christian Bischof

mail@thijs.comhttp://www.thijs.com/

CROSSING seminar, Darmstadt, Germany(October 15, 2015)

O

LatticesWhat is a lattice?

O

b1

b2

LatticesWhat is a lattice?

O

b1

b2

LatticesWhat is a lattice?

O

b1

b2t

LatticesClosest Vector Problem (CVP)

O

b1

b2t

v

LatticesClosest Vector Problem (CVP)

O

b1

b2

s

LatticesShortest Vector Problem (SVP)

LatticesApplications

• “Constructive cryptography”: Lattice-based cryptosystemsI Based on hard lattice problems (SVP, CVP, LWE, SIS)I NTRU cryptosystem [HPS98, . . . , HPSSWZ15]I HIMMO key pre-distribution scheme [GMGPGRST14]I Fully Homomorphic Encryption [Gen09, . . . , CM15]I Candidate for “post-quantum cryptography”

• “Destructive cryptography”: Lattice cryptanalysis

I Attack knapsack-based cryptosystems [Sha82, LO85, . . . ]I Attack RSA with Coppersmith’s method [Cop97, . . . ]I Attack lattice-based cryptosystems [Ngu99, JJ00, . . . ]

How hard are hard lattice problems such as SVP?

LatticesApplications

• “Constructive cryptography”: Lattice-based cryptosystemsI Based on hard lattice problems (SVP, CVP, LWE, SIS)I NTRU cryptosystem [HPS98, . . . , HPSSWZ15]I HIMMO key pre-distribution scheme [GMGPGRST14]I Fully Homomorphic Encryption [Gen09, . . . , CM15]I Candidate for “post-quantum cryptography”

• “Destructive cryptography”: Lattice cryptanalysisI Attack knapsack-based cryptosystems [Sha82, LO85, . . . ]I Attack RSA with Coppersmith’s method [Cop97, . . . ]I Attack lattice-based cryptosystems [Ngu99, JJ00, . . . ]

How hard are hard lattice problems such as SVP?

LatticesApplications

• “Constructive cryptography”: Lattice-based cryptosystemsI Based on hard lattice problems (SVP, CVP, LWE, SIS)I NTRU cryptosystem [HPS98, . . . , HPSSWZ15]I HIMMO key pre-distribution scheme [GMGPGRST14]I Fully Homomorphic Encryption [Gen09, . . . , CM15]I Candidate for “post-quantum cryptography”

• “Destructive cryptography”: Lattice cryptanalysisI Attack knapsack-based cryptosystems [Sha82, LO85, . . . ]I Attack RSA with Coppersmith’s method [Cop97, . . . ]I Attack lattice-based cryptosystems [Ngu99, JJ00, . . . ]

How hard are hard lattice problems such as SVP?

LatticesExact SVP algorithms

Algorithm log2(Time) log2(Space)

Provable

SVP

Enumeration [Poh81, Kan83, . . . , MW15] Ω(n log n) O(log n)AKS-sieve [AKS01, NV08, MV10, HPS11] 3.398n 1.985nListSieve [MV10, MDB14] 3.199n 1.327nAKS-sieve-birthday [PS09, HPS11] 2.648n 1.324nListSieve-birthday [PS09] 2.465n 1.233nVoronoi cell algorithm [AEVZ02, MV10b] 2.000n 1.000nDiscrete Gaussians [ADRS15, ADS15, Ste16] 1.000n 1.000n

Heuristic

SVP Nguyen-Vidick sieve [NV08] 0.415n 0.208n

GaussSieve [MV10, . . . , IKMT14, BNvdP14] 0.415n? 0.208nTwo-level sieve [WLTB11] 0.384n 0.256nThree-level sieve [ZPH13] 0.3778n 0.283nOverlattice sieve [BGJ14] 0.3774n 0.293nHyperplane LSH [Laa15, MLB15] 0.337n 0.208n

O

Nguyen-Vidick sieve

O

Nguyen-Vidick sieve1. Sample a list L of random lattice vectors

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Nguyen-Vidick sieve1. Sample a list L of random lattice vectors

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

O

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1v1

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v2

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3v3

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4v4

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5v5

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6v6

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7v7

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8v8

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9v9Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v10

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11v11

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12v12Nguyen-Vidick sieve

2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13v13

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14v14

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15v15

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16v16

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Nguyen-Vidick sieve2. Split L into centers C and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

v7

Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

v7

Nguyen-Vidick sieveOverview

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

v7

Nguyen-Vidick sieveOverview

• Space complexity:√4/3n ≈ 20.21n+o(n) vectors

I Need√4/3n vectors to cover all corners of Rn

• Time complexity: (4/3)n ≈ 20.42n+o(n)

I Comparing a target vector to all centers: 20.21n+o(n)

I Repeating this for each list vector: 20.21n+o(n)

I Repeating the whole sieving procedure: poly(n)

Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The NV-sieve runs in time 20.42n+o(n) and space 20.21n+o(n).

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

v7

Nguyen-Vidick sieveOverview

• Space complexity:√4/3n ≈ 20.21n+o(n) vectors

I Need√4/3n vectors to cover all corners of Rn

• Time complexity: (4/3)n ≈ 20.42n+o(n)

I Comparing a target vector to all centers: 20.21n+o(n)

I Repeating this for each list vector: 20.21n+o(n)

I Repeating the whole sieving procedure: poly(n)

Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The NV-sieve runs in time 20.42n+o(n) and space 20.21n+o(n).

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

v7

Nguyen-Vidick sieveOverview

• Space complexity:√4/3n ≈ 20.21n+o(n) vectors

I Need√4/3n vectors to cover all corners of Rn

• Time complexity: (4/3)n ≈ 20.42n+o(n)

I Comparing a target vector to all centers: 20.21n+o(n)

I Repeating this for each list vector: 20.21n+o(n)

I Repeating the whole sieving procedure: poly(n)

Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The NV-sieve runs in time 20.42n+o(n) and space 20.21n+o(n).

Nguyen-Vidick sieveSpace/time trade-off

Time=

Spac

e

NV'08

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

GaussSieveSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

O

Two-level sieve1. Sample a list L of random lattice vectors

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Two-level sieve1. Sample a list L of random lattice vectors

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

O

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1v1

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v2

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3v3

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4v4

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5v5

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6v6

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7v7

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8v8

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9v9Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v10

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11v11

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12v12Two-level sieve

2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13v13

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14v14

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15v15

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16v16

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Two-level sieve2. Split L into centers C1, C2 and short vectors R

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Two-level sieve3. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Two-level sieve3. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Two-level sieve3. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

Two-level sieve3. Repeat with L← R until we find a shortest vector

Two-level sieveSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

Two-level sieveSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

WLT

B'11

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

Three-level sieveOverview

Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.

Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.

Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.

ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.

Three-level sieveOverview

Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.

Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.

Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.

ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.

Three-level sieveOverview

Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.

Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.

Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.

ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.

Three-level sieveOverview

Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.

Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.

Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.

ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.

Three-level sieveSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

WLT

B'11

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

Three-level sieveSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

WLT

B'11

ZPH'13

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

Decomposition approachSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

WLT

B'11

ZPH'13

BGJ'14BGJ'14

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

O

Hyperplane LSH1. Sample a list L of random lattice vectors

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH1. Sample a list L of random lattice vectors

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH2. Partition the space using random hyperplanes

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH2. Partition the space using random hyperplanes

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

O

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1v1

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v2

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3v3

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4v4

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5v5

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6v6

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7v7

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8v8

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9v9Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v10

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11v11

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12v12Hyperplane LSH

3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13v13

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14v14

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15v15

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16v16

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH3. Split L into C and R within each region

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH4. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH4. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

v1

v2v3

v4

v5

v6

v7

v8

v9

v10v11

v12

v13

v14

v15

v16

Hyperplane LSH4. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

Hyperplane LSH4. Repeat with L← R until we find a shortest vector

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

Hyperplane LSHOverview

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

Hyperplane LSHOverview

• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”

• Space complexity: 20.337n+o(n)

I Number of vectors: 20.208n+o(n)

I Number of hash tables: 20.129n+o(n)

I Each hash table contains all vectors

• Time complexity: 20.337n+o(n)

I Cost of computing hashes: 20.129n+o(n)

I Candidate nearest vectors: 20.129n+o(n)

I Repeat this for each list vector: 20.208n+o(n)

TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

Hyperplane LSHOverview

• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”

• Space complexity: 20.337n+o(n)

I Number of vectors: 20.208n+o(n)

I Number of hash tables: 20.129n+o(n)

I Each hash table contains all vectors

• Time complexity: 20.337n+o(n)

I Cost of computing hashes: 20.129n+o(n)

I Candidate nearest vectors: 20.129n+o(n)

I Repeat this for each list vector: 20.208n+o(n)

TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

Hyperplane LSHOverview

• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”

• Space complexity: 20.337n+o(n)

I Number of vectors: 20.208n+o(n)

I Number of hash tables: 20.129n+o(n)

I Each hash table contains all vectors• Time complexity: 20.337n+o(n)

I Cost of computing hashes: 20.129n+o(n)

I Candidate nearest vectors: 20.129n+o(n)

I Repeat this for each list vector: 20.208n+o(n)

TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).

O

v1

v2v3

v4

v5

v6

v7

v9

v10v11

v12

v13

v14

v15

v16

v1

v2

v3

v4

v5

v6

Hyperplane LSHOverview

• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”

• Space complexity: 20.337n+o(n)

I Number of vectors: 20.208n+o(n)

I Number of hash tables: 20.129n+o(n)

I Each hash table contains all vectors• Time complexity: 20.337n+o(n)

I Cost of computing hashes: 20.129n+o(n)

I Candidate nearest vectors: 20.129n+o(n)

I Repeat this for each list vector: 20.208n+o(n)

TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).

Hyperplane LSHSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

WLT

B'11

ZPH'13

BGJ'14BGJ'14

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

Hyperplane LSHSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

WLT

B'11

ZPH'13

BGJ'14BGJ'14

Laa'15

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

Hyperplane LSHSpace/time trade-off

Time=

Spac

e

NV'08

MV'10

WLT

B'11

ZPH'13

BGJ'14BGJ'14

Laa'15

Laa'15

20.20 n 20.25 n 20.30 n 20.35 n 20.40 n

20.25 n

20.30 n

20.35 n

20.40 n

20.45 n

Space complexity

Tim

eco

mpl

exit

y

Questions[vdP’12]