eprint.iacr.org will be offline for approximately an hour for routine maintenance at 11pm UTC on Tuesday, April 16. We lost some data between April 12 and April 14, and some authors have been notified that they need to resubmit their papers.

Paper 2022/1343

Improved Progressive BKZ with Lattice Sieving and a Two-Step Mode for Solving uSVP

Wenwen Xia, Xidian University
Leizhang Wang, Xidian University
GengWang, Shanghai Jiao Tong University
Dawu Gu, Xidian University, Shanghai Jiao Tong University
Baocang Wang, Xidian University
Abstract

The unique Shortest Vector Problem (uSVP) is one of the core hard problems in lattice-based cryptography. In NIST PQC standardization (Kyber, Dilithium), leaky-LWE-Estimator is used to estimate the hardness of LWE-based cryptosystems by reducing LWE to uSVP and considers the primal attack using Progressive BKZ (ProBKZ). ProBKZ trivially increases blocksize β and lifts the shortest vector in the final BKZ block to find the unique shortest vector in the full lattice. In this paper, we show that a ProBKZ algorithm as above (we call it a BKZ-only mode) is not the best way to solve uSVP. So we present a two-step mode to solve it, where the ProBKZ algorithm is followed by a sieving algorithm with the dimension larger than the blocksize of BKZ. While instantiating our two-step mode with the sieving algorithm Pump and Pump-and-jump BKZ (PnjBKZ) presented in G6K, which are the state-of-art sieving and BKZ implementations, we show that our algorithm is not only better than the BKZ-only mode but also better than the heuristic uSVP solving algorithm in G6K. However, a ProBKZ with the heuristic parameter selection in leaky-LWE-Estimator or the optimized parameter selection in the literature (Yoshinori Aono et al. at Asiacrypt 2016), is insufficient in optimizing the efficiency of a two-step solving algorithm. To find the best param- eters, we design a PnjBKZ simulator which allows the choice of value jump to be more than 1. Based on the newly designed simulator, we give a blocksize and jump strategy selection algorithm, which can achieve the best simulated efficiency in solving uSVP instances. Combining all the things above, we get a new lattice solving algorithm called Improved Progressive PnjBKZ (ProPnjBKZ for short). We test the efficiency of our ProPnjBKZ with the TU Darmstadt LWE Challenge. The experiment result shows that our ProPnjBKZ is 7.6∼12.9 times more efficient than the heuristic uSVP solving algorithm in G6K. Besides, we break the TU Darmstadt LWE Challenges with (n, α) ∈{(40, 0.035), (40, 0.040), (50, 0.025), (55, 0.020), (90, 0.005)}. Finally, we give a newly refined security estimator of LWE. The evaluation results indicate that the concrete hardness of the lattice-based NIST candidate schemes from LWE primal attack will decrease by 1.9∼4.2 bits when using our optimized blocksize and jump selection strategy and two-step solving mode. In addition, when using the list-decoding technology proposed by MATZOV in 2022, it further decreased by 8∼10.7 bits.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
cryptanalysislattice reductionuSVP· progressive BKZPnjBKZ Simulatoroptimized blocksize and jump strategy.
Contact author(s)
xiawenwen @ stu xidian edu cn
lzwang_2 @ stu xidian edu cn
wanggxx @ sjtu edu cn
dwgu @ sjtu edu cn
bcwang @ xidian edu cn
History
2023-10-15: last of 5 revisions
2022-10-08: received
See all versions
Short URL
https://ia.cr/2022/1343
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2022/1343,
      author = {Wenwen Xia and Leizhang Wang and GengWang and Dawu Gu and Baocang Wang},
      title = {Improved Progressive BKZ with Lattice Sieving and a Two-Step Mode for Solving uSVP},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1343},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1343}},
      url = {https://eprint.iacr.org/2022/1343}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.