Improved Analysis of Kannan's Shortest Lattice Vector Algorithm
نویسندگان
چکیده
The security of lattice-based cryptosystems such as NTRU, GGH and Ajtai-Dwork essentially relies upon the intractability of computing a shortest non-zero lattice vector and a closest lattice vector to a given target vector in high dimensions. The best algorithms for these tasks are due to Kannan, and, though remarkably simple, their complexity estimates have not been improved since more than twenty years. Kannan’s algorithm for solving the shortest vector problem is in particular crucial in Schnorr’s celebrated block reduction algorithm, on which are based the best known attacks against the lattice-based encryption schemes mentioned above. Understanding precisely Kannan’s algorithm is of prime importance for providing meaningful key-sizes. In this paper we improve the complexity analyses of Kannan’s algorithms and discuss the possibility of improving the underlying enumeration strategy. Key-words: Lattice reduction, complexity analysis, lattice-based cryptosystems. ⋆ CNRS and École Normale Supérieure de Lyon, LIP, 46 allée d’Italie, 69007 Lyon, France. Amélioration de l’analyse de l’algorithme de Kannan pour le problème du vecteur le plus court Résumé : La sécurité des cryptosystèmes basés sur les réseaux, tels NTRU, GGH, ou encore AjtaiDwork, repose essentiellement sur la difficulté à calculer un vecteur non nul le plus court, ou le plus proche d’un vecteur cible donné, en grande dimension. Les meilleurs algorithmes pour accomplir ces tâches sont dus à Kannan, et, en dépit de leur grande simplicité, l’analyse de leur complexité n’a pas été améliorée depuis plus de 20 ans. L’algorithme de Kannan pour résoudre le problème du vecteur le plus court est particulièrement critique dans le célèbre algorithme de Schnorr pour la réduction par blocs, sur lequel sont basées les meilleures attaques contre les schémas de chiffrement utilisant les réseaux mentionnées précédemment. Comprendre précisément la complexité de l’algorithme de Kannan est donc crucial pour déterminer des tailles de clé pertinentes. Dans ce travail, nous améliorons les analyses de complexité des algorithmes de Kannan, et discutons la possibilité d’améliorer la stratégie d’énumération sous-jacente. Mots-clés : Réduction des réseaux, analyse de complexité, cryptosystèmes basés sur les réseaux Improved Analysis of Kannan’s Shortest Lattice Vector Algorithm 3
منابع مشابه
Improved Analysis of Kannan ’ s Shortest Lattice Vector Algorithm ( Extended Abstract )
Abstract. The security of lattice-based cryptosystems such as NTRU, GGH and Ajtai-Dwork essentially relies upon the intractability of computing a shortest non-zero lattice vector and a closest lattice vector to a given target vector in high dimensions. The best algorithms for these tasks are due to Kannan, and, though remarkably simple, their complexity estimates have not been improved since ov...
متن کاملA Complete Worst-case Analysis of Kannan’s Shortest Lattice Vector Algorithm
Computing a shortest nonzero vector of a given euclidean lattice and computing a closest lattice vector to a given target are pervasive problems in computer science, computational mathematics and communication theory. The classical algorithms for these tasks were invented by Ravi Kannan in 1983 and, though remarkably simple to establish, their complexity bounds have not been improved for almost...
متن کاملImproved Analysis of Kannan’s Shortest Lattice
Abstract. The security of lattice-based cryptosystems such as NTRU, GGH and Ajtai-Dwork essentially relies upon the intractability of computing a shortest non-zero lattice vector and a closest lattice vector to a given target vector in high dimensions. The best algorithms for these tasks are due to Kannan, and, though remarkably simple, their complexity estimates have not been improved since ov...
متن کاملOptimal lower bounds for the Korkine-Zolotareff parameters of a lattice and for Schnorr's algorithm for the shortest vector problem
Schnorr’s algorithm for finding an approximation for the shortest nonzero vector in an n-dimensional lattice depends on a parameter k. He proved that for a fixed k ≤ n his algorithm (block 2k-reduction) provides a lattice vector whose length is greater than the length of a shortest nonzero vector in the lattice by at most a factor of (2k)2n/k. (The time required by the algorithm depends on k.) ...
متن کاملA Genetic Algorithm for Searching Shortest Lattice Vector of SVP Challenge
In this paper, we propose a genetic algorithm for solving the shortest vector problem (SVP) based on sparse integer representations of short vectors in lattices as chromesomes, which, we prove, can guarantee finding the shortest lattice vector under a Markov chain analysis. Moreover, we also suggest some improvements by introducing heuristic techniques: local search and heuristic pruning. The e...
متن کامل