Measuring, simulating and exploiting the head concavity phenomenon - - PowerPoint PPT Presentation

Measuring, simulating and exploiting the head concavity phenomenon in BKZ

Shi Bai1 Damien Stehl´ e2 Weiqiang Wen3

1Florida Atlantic University. USA. 2´

Ecole Normale Sup´ erieure de Lyon. France.

3IRISA, Universit´

e Rennes 1. France.

Asiacrypt 2018, Brisbane, Australia.

1 / 21

Outline

The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography.

2 / 21

Outline

The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography.

• 1. Explain and quantify the shorter-than-expected phenomenon in the

head region in BKZ.

2 / 21

Outline

The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography.

• 1. Explain and quantify the shorter-than-expected phenomenon in the

head region in BKZ.

• 2. A more accurate simulator for BKZ.

2 / 21

Outline

The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography.

• 1. Explain and quantify the shorter-than-expected phenomenon in the

head region in BKZ.

• 2. A more accurate simulator for BKZ.
• 3. A new BKZ variant that exploits the shorter-than-expected

phenomenon.

2 / 21

Lattice

b2 b1

• b2
• b2

Definition

Given a set of linearly independent vectors {b1, · · · , bn} ⊆ Qm, the lattice L spanned by the bi’s is

L({b1, · · · , bn}) =

• n
• i=1

zibi | zi ∈ Z

• .

Let B be the column matrix of {b1, · · · , bn} and denote the lattice by L(B).

3 / 21

Lattice

• b2
• b2

b2 b1

λ1

Lattice minimum

Given a lattice L, the minimum λ1(L) is the norm of a shortest non-zero vector in L.

3 / 21

Lattice

b2 b1

• b2
• b2
• b1

Bases of a lattice

Given B1, B2 ∈ Qm×n, then L(B1) = L(B2) iff B2 = B1U for some unimodular matrix U ∈ Zn×n.

3 / 21

Lattice

b2 b1

• b2
• b2
• b1

The BKZ lattice reduction algorithm helps to find bases like (b1, b2).

Bases of a lattice

Given B1, B2 ∈ Qm×n, then L(B1) = L(B2) iff B2 = B1U for some unimodular matrix U ∈ Zn×n.

3 / 21

Lattice

• b2
• b2

b2 b1(b∗

1)

b∗

2

• b2
• b1(

b

∗ 1)

• b

∗ 2

Gram-Schmidt orthogonalization

Let B∗ = (b∗

1, · · · , b∗ n) denote the Gram–Schmidt orthogonalization of B.

The determinant of a lattice L is det(L) =

ib∗ i .

3 / 21

BKZ-β reduced

Given B = (b1, · · · , bn), let b(j)

i

denote the orthogonal projection of bi

• nto the subspace (b1, · · · , bj−1)⊥.

For i < j ≤ n, let B[i,j] denote the (matrix) local block (b(i)

i , · · · , b(i) j ) and

L[i,j] denote the lattice generated by B[i,j].

Definition

A basis B is BKZ-β reduced for block size β ≥ 2 if it is size-reduced∗ and satisfies: b∗

i = λ1(L[i,min(i+β−1,n)]), ∀i ≤ n.

* A basis B is size-reduced, if it satisfies |µi,j |≤ 1/2 for j < i ≤ n where µi,j =

bi ,b∗ j b∗ j 2 .

4 / 21

The BKZ algorithm

The algorithm attempts to make all local blocks satisfy above the minimality condition simultaneously.

Algorithm 1 BKZ algorithm (Schnorr and Euchner) Input: A basis B = (b1, · · · , bn), a block size β. Output: A BKZ-β reduced basis of L(B).

1: repeat 2: for i = 1 to n − 1 do 3: SVPβ: find b such that b(i)= λ1(L(b(i)

i , · · · , b(i) min(n,i+β−1))).

4: if b∗

i > λ1(L(b(i) i , · · · , b(i) min(n,i+β−1))) then

5: LLL-reduce(b1, · · · , bi−1, b, bi, · · · , bmin(n,i+β)). 6: else 7: LLL-reduce(b1, · · · , bmin(n,i+β)). 8: end if 9: end for 10: until no change occurs.

• C. P. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. In FCT’91.

5 / 21

The BKZ algorithm

The algorithm attempts to make all local blocks satisfy above the minimality condition simultaneously.

Algorithm 1 BKZ algorithm (Schnorr and Euchner) Input: A basis B = (b1, · · · , bn), a block size β. Output: A BKZ-β reduced basis of L(B).

1: repeat 2: for i = 1 to n − 1 do 3: SVPβ: find b such that b(i)= λ1(L(b(i)

i , · · · , b(i) min(n,i+β−1))).

4: if b∗

i > λ1(L(b(i) i , · · · , b(i) min(n,i+β−1))) then

5: LLL-reduce(b1, · · · , bi−1, b, bi, · · · , bmin(n,i+β)). 6: else 7: LLL-reduce(b1, · · · , bmin(n,i+β)). 8: end if 9: end for 10: until no change occurs.

• [Line 3] In practice, SVP solver can be pruned enumeration or

sieving.

SVP Challenge. https://www.latticechallenge.org/svp-challenge/. 5 / 21

Quality of BKZ-β reduced basis

A concrete cryptanalysis relies on the BKZ simulator of Chen and Nguyen (ASIACRYPT’11). It uses the Gaussian heuristic on local blocks, with a modification for the tail blocks.

Gaussian heuristic

For any random n-dimensional lattice L, we have λ1(L) ≈ GH(L) = 1 v1/n

n

· det(L)1/n where vn is the volume of a unit n-ball.

• Y. Chen and P.Q. Nguyen. BKZ 2.0: Better lattice security estimates. In ASIACRYPT’11.

6 / 21

(Simplified) Chen-Nguyen simulator

Algorithm 2 (Simplified) Chen-Nguyen simulator. Input: G-S norms (b∗

1, · · · , b∗ n), a block size β.

Output: Simulated G-S norms of BKZβ-reduced basis of L(B).

1: repeat 2: for i = 1 to n − 1 do 3: SVPβ: find b such that b(i)= λ1(L(b(i)

i , · · · , b(i) min(n,i+β−1))).

4: if b∗

i > GH(L((b(i) i , · · · , b(i) min(n,i+β)))) then

5: Update b∗

i = GH(L((b(i) i , · · · , b(i) min(n,i+β)))).

6: else 7: Keep b∗

i unchanged.

8: end if 9: end for 10: until no change occurs. 7 / 21

Practical behavior of Chen-Nguyen’s simulator

20 40 60 80 100 −1.00 −0.50 0.00 0.50 1.00 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator 1

Gram–S. log-norms of BKZ45 at tour 50.

2 4 6 8 10 0.9 1 1.1 1.2 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator 1

Same as left hand side, but zoomed in.

Such “head concavity” phenomenon has been reported in

8 / 21

Practical behavior of Chen-Nguyen’s simulator

20 40 60 80 100 −1.00 −0.50 0.00 0.50 1.00 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator 1

Gram–S. log-norms of BKZ45 at tour 50.

2 4 6 8 10 0.9 1 1.1 1.2 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator 1

Same as left hand side, but zoomed in.

Such “head concavity” phenomenon has been reported in

◮ experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT’11);

8 / 21

Practical behavior of Chen-Nguyen’s simulator

20 40 60 80 100 −1.00 −0.50 0.00 0.50 1.00 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator 1

Gram–S. log-norms of BKZ45 at tour 50.

2 4 6 8 10 0.9 1 1.1 1.2 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator 1

Same as left hand side, but zoomed in.

Such “head concavity” phenomenon has been reported in

◮ experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT’11); ◮ and modeled by Yu and Ducas (SAC’17).

• Y. Yu and L. Ducas. Second Order Statistical Behavior of LLL and BKZ. In SAC’17.

8 / 21

A better simulator using the distribution of λ1 in random lattices.

9 / 21

Tools

Let Γn = {L ∈ Rn | vol(L) = 1} be the set of all full rank-n lattices with unit volume. Chen [Cor. 3.1.4] and S¨

• dergren [Thm. 1]:

Distribution of minimum in random lattices

Sample L uniformly in Γn. The distribution of vn · λ1(L)n converges in distribution to Expo(1/2) as n → ∞. Take λ1(L) as a random variable Y , then Y = X 1/n · GH(L) for X sampled from Expo(1/2).

• Y. Chen. R´

eduction de r´ eseau et s´ ecurit´ e concr` ete du chiffrement compl` etement homomorphe. PhD thesis, Universit´ e Paris Diderot, 2013.

• A. S¨
• dergren. On the poisson distribution of lengths of lattice vectors in a random lattice. Mathematische Zeitschrift, 2011.

10 / 21

A probabilistic BKZ simulator

Algorithm 3 The new BKZ simulator (simplified) Input: G-S norms (b∗

1, · · · , b∗ n), a block size β.

Output: Simulated G-S norms of BKZ-β-reduced basis of L(B).

1: repeat 2: for i = 1 to n − 1 do 3: Sample X from Expo[1/2]. 4: if b∗

i > X 1/β · GH(L(b(i) i , · · · , b(i) min(n,i+β−1))) then

5: Update b∗

i = X 1/β · GH(L(b(i) i , · · · , b(i) min(n,i+β))).

6: else 7: Keep b∗

i unchanged.

8: end if 9: end for 10: until no change occurs. 11 / 21

Quality of our simulator

20 40 60 80 100 −1.00 −0.50 0.00 0.50 1.00 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator New simulator 1

Gram–S. log-norms of BKZ45 at tour 50.

2 4 6 8 10 0.9 1 1.1 1.2 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator New simulator 1

Same as left hand side, but zoomed in.

12 / 21

Quality of our simulator (more)

20 40 60 80 100 120 140 −1 1 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator New simulator 1

Gram–S. log-norms of BKZ60 at tour 20000.

2 4 6 8 10 1.3 1.4 1.5 1.6 1.7 1.8 Index i log b∗

i

Experimental logb∗

i

Chen–Nguyen simulator New simulator 1

Same as left hand side, but zoomed in.

13 / 21

Quality of our simulator (RHF)

10 20 30 40 1.012 1.014 1.016 1.018 t-th tour Root Hermite factor Experimental logb∗

i

Chen–Nguyen simulator New simulator

Evolution of RHF during BKZ45 (no pruned enumeration) on SVP-100.

20 40 60 80 100 1.010 1.012 1.014 1.016 1.018 t-th tour Root Hermite factor Experimental logb∗

i

Chen–Nguyen simulator New simulator

Evolution of RHF during BKZ60 (pruned enumeration) on SVP-150.

Given a lattice L(B) of rank n, the Root Hermite Factor of B is RHF(B) =

• b1/det(L)1/n1/n .

14 / 21

Limit of the head concavity

50 100 150 200 250 300 1.002 1.004 1.006 1.008 1.010 1.012 Block-size Root Hermite factor Chen–Nguyen simulator New simulator

Simulated RHF for β ∈ {50, 60, · · · , 300}. Here the dimension is ≥ 4β.

50 100 150 200 250 300 1.002 1.004 1.006 1.008 1.010 1.012 Block-size Root Hermite factor Chen–Nguyen simulator New simulator

Simulated RHF for β ∈ {50, 60, · · · , 300}. Here the dimension is 3β.

For large block sizes, the discrepancy vanishes: both simulators converge to the same root Hermite factors.

15 / 21

Exploit the head concavity phenomenon!

16 / 21

A new BKZ variant: “Pressed BKZ”

Algorithm 4 The pressed-BKZ algorithm Input: A basis B = (b1, · · · , bn), a block size β. Output: A pressed-BKZ-β reduced basis of L(B).

1: for start = 1 to n − β + 1 do 2:

Re-randomize L(b(start)

start , · · · , b(start) n

).

3:

BKZ-β on the block from start to n.

4: end for 17 / 21

Experiments: BKZ-60

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 1

Gram–Schmidt log-norms of BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (2 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (2–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (2–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (3 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (3–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (3–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (4 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (4–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (4–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (5 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (5–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (5–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (6 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (6–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (6–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (7 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (7–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (7–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (8 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (8–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (8–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (9 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (9–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (9–n) 1

Same as left hand side, but zoomed in.

18 / 21

Experiments: Pressed-BKZ-60 (10 − n)

20 40 60 80 100 120 −1 1 Index i log b∗

i

BKZ60 pressed-BKZ60 (10–n) 1

Gram–Schmidt log-norms of (Pressed-)BKZ60.

2 4 6 8 10 1 1.1 1.2 1.3 1.4 1.5 Index i log b∗

i

BKZ60 pressed-BKZ60 (10–n) 1

Same as left hand side, but zoomed in.

18 / 21

Comparison with standard BKZ (in preprocessing)

Input: a SVP-120 challenge

◮ Quality of pressed-BKZ-60 ≈ BKZ-80 ∼ 90 (after certain #tours).

Pressed-BKZ-60 takes less time;

◮ Solving SVP-120 using the preprocessed pressed-BKZ-60 and a

variant of progressive-BKZ in the bkz2 sweet spot branch of fplll. Faster (in experiments) than the lower-bound estimates in the Progressive BKZ (Aono et al. EUROCRYPT’16). Limitation: strategy is not guaranteed to be optimal.

• Y. Aono, Y. Wang, T. Hayashi, and T. Takagi. Improved progressive BKZ algorithms and their precise cost estimation by sharp
• simulator. EUROCRYPT’16.

https://github.com/fplll/fpylll/tree/bkz2_sweet_spot 19 / 21

Conclusion

Impacts:

20 / 21

Conclusion

Impacts:

◮ Better estimate for concrete cryptanalysis;

20 / 21

Conclusion

Impacts:

◮ Better estimate for concrete cryptanalysis; ◮ No impact for NIST security parameters.

20 / 21

Conclusion

Impacts:

◮ Better estimate for concrete cryptanalysis; ◮ No impact for NIST security parameters. ◮ Pressed-BKZ improves quality for limited block-sizes;

20 / 21

Conclusion

Impacts:

◮ Better estimate for concrete cryptanalysis; ◮ No impact for NIST security parameters. ◮ Pressed-BKZ improves quality for limited block-sizes;

Future work:

20 / 21

Conclusion

Impacts:

◮ Better estimate for concrete cryptanalysis; ◮ No impact for NIST security parameters. ◮ Pressed-BKZ improves quality for limited block-sizes;

Future work:

◮ Better strategies for Pressed-BKZ?

20 / 21

Conclusion

Impacts:

◮ Better estimate for concrete cryptanalysis; ◮ No impact for NIST security parameters. ◮ Pressed-BKZ improves quality for limited block-sizes;

Future work:

◮ Better strategies for Pressed-BKZ? ◮ Impact of Pressed-BKZ for larger blocks?

20 / 21

Conclusion

Impacts:

◮ Better estimate for concrete cryptanalysis; ◮ No impact for NIST security parameters. ◮ Pressed-BKZ improves quality for limited block-sizes;

Future work:

◮ Better strategies for Pressed-BKZ? ◮ Impact of Pressed-BKZ for larger blocks? ◮ Rigorous (or less heuristic) analysis of practical behavior of BKZ?

20 / 21

Thank you!

21 / 21