hashsieve: theory and practice 0.2cmpart 1: theorythijs.com/docs/crypto15-darmstadt2.pdf ·...
TRANSCRIPT
HashSieve: Theory and PracticePart 1: Theory
Artur Mariano, Thijs Laarhoven, Christian Bischof
[email protected]://www.thijs.com/
CROSSING seminar, Darmstadt, Germany(October 15, 2015)
O
LatticesWhat is a lattice?
O
b1
b2
LatticesWhat is a lattice?
O
b1
b2
LatticesWhat is a lattice?
O
b1
b2t
LatticesClosest Vector Problem (CVP)
O
b1
b2t
v
LatticesClosest Vector Problem (CVP)
O
b1
b2
s
LatticesShortest Vector Problem (SVP)
LatticesApplications
• “Constructive cryptography”: Lattice-based cryptosystemsI Based on hard lattice problems (SVP, CVP, LWE, SIS)I NTRU cryptosystem [HPS98, . . . , HPSSWZ15]I HIMMO key pre-distribution scheme [GMGPGRST14]I Fully Homomorphic Encryption [Gen09, . . . , CM15]I Candidate for “post-quantum cryptography”
• “Destructive cryptography”: Lattice cryptanalysis
I Attack knapsack-based cryptosystems [Sha82, LO85, . . . ]I Attack RSA with Coppersmith’s method [Cop97, . . . ]I Attack lattice-based cryptosystems [Ngu99, JJ00, . . . ]
How hard are hard lattice problems such as SVP?
LatticesApplications
• “Constructive cryptography”: Lattice-based cryptosystemsI Based on hard lattice problems (SVP, CVP, LWE, SIS)I NTRU cryptosystem [HPS98, . . . , HPSSWZ15]I HIMMO key pre-distribution scheme [GMGPGRST14]I Fully Homomorphic Encryption [Gen09, . . . , CM15]I Candidate for “post-quantum cryptography”
• “Destructive cryptography”: Lattice cryptanalysisI Attack knapsack-based cryptosystems [Sha82, LO85, . . . ]I Attack RSA with Coppersmith’s method [Cop97, . . . ]I Attack lattice-based cryptosystems [Ngu99, JJ00, . . . ]
How hard are hard lattice problems such as SVP?
LatticesApplications
• “Constructive cryptography”: Lattice-based cryptosystemsI Based on hard lattice problems (SVP, CVP, LWE, SIS)I NTRU cryptosystem [HPS98, . . . , HPSSWZ15]I HIMMO key pre-distribution scheme [GMGPGRST14]I Fully Homomorphic Encryption [Gen09, . . . , CM15]I Candidate for “post-quantum cryptography”
• “Destructive cryptography”: Lattice cryptanalysisI Attack knapsack-based cryptosystems [Sha82, LO85, . . . ]I Attack RSA with Coppersmith’s method [Cop97, . . . ]I Attack lattice-based cryptosystems [Ngu99, JJ00, . . . ]
How hard are hard lattice problems such as SVP?
LatticesExact SVP algorithms
Algorithm log2(Time) log2(Space)
Provable
SVP
Enumeration [Poh81, Kan83, . . . , MW15] Ω(n log n) O(log n)AKS-sieve [AKS01, NV08, MV10, HPS11] 3.398n 1.985nListSieve [MV10, MDB14] 3.199n 1.327nAKS-sieve-birthday [PS09, HPS11] 2.648n 1.324nListSieve-birthday [PS09] 2.465n 1.233nVoronoi cell algorithm [AEVZ02, MV10b] 2.000n 1.000nDiscrete Gaussians [ADRS15, ADS15, Ste16] 1.000n 1.000n
Heuristic
SVP Nguyen-Vidick sieve [NV08] 0.415n 0.208n
GaussSieve [MV10, . . . , IKMT14, BNvdP14] 0.415n? 0.208nTwo-level sieve [WLTB11] 0.384n 0.256nThree-level sieve [ZPH13] 0.3778n 0.283nOverlattice sieve [BGJ14] 0.3774n 0.293nHyperplane LSH [Laa15, MLB15] 0.337n 0.208n
O
Nguyen-Vidick sieve
O
Nguyen-Vidick sieve1. Sample a list L of random lattice vectors
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Nguyen-Vidick sieve1. Sample a list L of random lattice vectors
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
O
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1v1
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v2
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3v3
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4v4
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5v5
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6v6
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7v7
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8v8
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9v9Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v10
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11v11
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12v12Nguyen-Vidick sieve
2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13v13
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14v14
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15v15
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16v16
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Nguyen-Vidick sieve2. Split L into centers C and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
v7
Nguyen-Vidick sieve3. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
v7
Nguyen-Vidick sieveOverview
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
v7
Nguyen-Vidick sieveOverview
• Space complexity:√4/3n ≈ 20.21n+o(n) vectors
I Need√4/3n vectors to cover all corners of Rn
• Time complexity: (4/3)n ≈ 20.42n+o(n)
I Comparing a target vector to all centers: 20.21n+o(n)
I Repeating this for each list vector: 20.21n+o(n)
I Repeating the whole sieving procedure: poly(n)
Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The NV-sieve runs in time 20.42n+o(n) and space 20.21n+o(n).
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
v7
Nguyen-Vidick sieveOverview
• Space complexity:√4/3n ≈ 20.21n+o(n) vectors
I Need√4/3n vectors to cover all corners of Rn
• Time complexity: (4/3)n ≈ 20.42n+o(n)
I Comparing a target vector to all centers: 20.21n+o(n)
I Repeating this for each list vector: 20.21n+o(n)
I Repeating the whole sieving procedure: poly(n)
Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The NV-sieve runs in time 20.42n+o(n) and space 20.21n+o(n).
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
v7
Nguyen-Vidick sieveOverview
• Space complexity:√4/3n ≈ 20.21n+o(n) vectors
I Need√4/3n vectors to cover all corners of Rn
• Time complexity: (4/3)n ≈ 20.42n+o(n)
I Comparing a target vector to all centers: 20.21n+o(n)
I Repeating this for each list vector: 20.21n+o(n)
I Repeating the whole sieving procedure: poly(n)
Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The NV-sieve runs in time 20.42n+o(n) and space 20.21n+o(n).
Nguyen-Vidick sieveSpace/time trade-off
Time=
Spac
e
NV'08
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
GaussSieveSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
O
Two-level sieve1. Sample a list L of random lattice vectors
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Two-level sieve1. Sample a list L of random lattice vectors
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
O
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1v1
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v2
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3v3
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4v4
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5v5
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6v6
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7v7
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8v8
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9v9Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v10
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11v11
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12v12Two-level sieve
2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13v13
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14v14
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15v15
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16v16
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Two-level sieve2. Split L into centers C1, C2 and short vectors R
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Two-level sieve3. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Two-level sieve3. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Two-level sieve3. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
Two-level sieve3. Repeat with L← R until we find a shortest vector
Two-level sieveSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
Two-level sieveSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
WLT
B'11
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
Three-level sieveOverview
Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.
Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.
Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.
ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.
Three-level sieveOverview
Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.
Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.
Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.
ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.
Three-level sieveOverview
Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.
Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.
Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.
ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.
Three-level sieveOverview
Heuristic (Nguyen and Vidick, J. Math. Crypt. ’08)The one-level sieve runs in time 20.4150n and space 20.2075n.
Heuristic (Wang et al., ASIACCS’11)The two-level sieve runs in time 20.3836n and space 20.2557n.
Heuristic (Zhang et al., SAC’13)The three-level sieve runs in time 20.3778n and space 20.2833n.
ConjectureThe four-level sieve runs in time 20.3774n and space 20.2925n, andhigher-level sieves are not faster than this.
Three-level sieveSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
WLT
B'11
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
Three-level sieveSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
WLT
B'11
ZPH'13
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
Decomposition approachSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
WLT
B'11
ZPH'13
BGJ'14BGJ'14
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
O
Hyperplane LSH1. Sample a list L of random lattice vectors
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH1. Sample a list L of random lattice vectors
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH2. Partition the space using random hyperplanes
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH2. Partition the space using random hyperplanes
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
O
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1v1
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v2
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3v3
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4v4
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5v5
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6v6
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7v7
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8v8
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9v9Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v10
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11v11
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12v12Hyperplane LSH
3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13v13
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14v14
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15v15
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16v16
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH3. Split L into C and R within each region
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH4. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH4. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
v1
v2v3
v4
v5
v6
v7
v8
v9
v10v11
v12
v13
v14
v15
v16
Hyperplane LSH4. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
Hyperplane LSH4. Repeat with L← R until we find a shortest vector
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
Hyperplane LSHOverview
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
Hyperplane LSHOverview
• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”
• Space complexity: 20.337n+o(n)
I Number of vectors: 20.208n+o(n)
I Number of hash tables: 20.129n+o(n)
I Each hash table contains all vectors
• Time complexity: 20.337n+o(n)
I Cost of computing hashes: 20.129n+o(n)
I Candidate nearest vectors: 20.129n+o(n)
I Repeat this for each list vector: 20.208n+o(n)
TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
Hyperplane LSHOverview
• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”
• Space complexity: 20.337n+o(n)
I Number of vectors: 20.208n+o(n)
I Number of hash tables: 20.129n+o(n)
I Each hash table contains all vectors
• Time complexity: 20.337n+o(n)
I Cost of computing hashes: 20.129n+o(n)
I Candidate nearest vectors: 20.129n+o(n)
I Repeat this for each list vector: 20.208n+o(n)
TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
Hyperplane LSHOverview
• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”
• Space complexity: 20.337n+o(n)
I Number of vectors: 20.208n+o(n)
I Number of hash tables: 20.129n+o(n)
I Each hash table contains all vectors• Time complexity: 20.337n+o(n)
I Cost of computing hashes: 20.129n+o(n)
I Candidate nearest vectors: 20.129n+o(n)
I Repeat this for each list vector: 20.208n+o(n)
TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).
O
v1
v2v3
v4
v5
v6
v7
v9
v10v11
v12
v13
v14
v15
v16
v1
v2
v3
v4
v5
v6
Hyperplane LSHOverview
• Two parameters to tuneI k = O(n): Number of hyperplanes, leading to 2k regionsI t = 2O(n): Number of different, independent “hash tables”
• Space complexity: 20.337n+o(n)
I Number of vectors: 20.208n+o(n)
I Number of hash tables: 20.129n+o(n)
I Each hash table contains all vectors• Time complexity: 20.337n+o(n)
I Cost of computing hashes: 20.129n+o(n)
I Candidate nearest vectors: 20.129n+o(n)
I Repeat this for each list vector: 20.208n+o(n)
TheoremSieving with hyperplane LSH heuristically solves SVP in time andspace 20.337n+o(n).
Hyperplane LSHSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
WLT
B'11
ZPH'13
BGJ'14BGJ'14
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
Hyperplane LSHSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
WLT
B'11
ZPH'13
BGJ'14BGJ'14
Laa'15
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
Hyperplane LSHSpace/time trade-off
Time=
Spac
e
NV'08
MV'10
WLT
B'11
ZPH'13
BGJ'14BGJ'14
Laa'15
Laa'15
20.20 n 20.25 n 20.30 n 20.35 n 20.40 n
20.25 n
20.30 n
20.35 n
20.40 n
20.45 n
Space complexity
Tim
eco
mpl
exit
y
Questions[vdP’12]