BKZ 2.0: Better Lattice Security Estimates

Chen, Yuanmi; Nguyêñ, Phong Q.

doi:10.1007/978-3-642-25385-0_1

Cited by 419 publications

(407 citation statements)

References 35 publications

Supporting

Mentioning

402

Contrasting

Unclassified

Order By: Relevance

“…Such bases, in some sense, allow easier and/or more accurate solutions of approximation variants of SVP or its related problem, the Closest Vector Problem (CVP). In practice, the most effective arbitrary-dimension lattice basis reduction algorithms are descendants of the LLL algorithm [14], with the Block-KorkineZolotarev (BKZ) family [22,5] (or framework) of algorithms being the most effective in practice. The LLL and BKZ algorithms rely on successive exact SVP solution in a number of projected lattices.…”

Section: Background and Notationmentioning

confidence: 99%

Tuning GaussSieve for Speed

Fitzpatrick

Bischof

Buchmann

et al. 2015

Progress in Cryptology - LATINCRYPT 2014

View full text Add to dashboard Cite

Abstract. The area of lattice-based cryptography is growing ever-more prominent as a paradigm for quantum-resistant cryptography. One of the most important hard problem underpinning the security of latticebased cryptosystems is the shortest vector problem (SVP). At present, two approaches dominate methods for solving instances of this problem in practice: enumeration and sieving. In 2010, Micciancio and Voulgaris presented a heuristic member of the sieving family, known as GaussSieve, demonstrating it to be comparable to enumeration methods in practice. With contemporary lattice-based cryptographic proposals relying largely on the hardness of solving the shortest and closest vector problems in ideal lattices, examining possible improvements to sieving algorithms becomes highly pertinent since, at present, only sieving algorithms have been successfully adapted to solve such instances more efficiently than in the random lattice case. In this paper, we propose a number of heuristic improvements to GaussSieve, which can also be applied to other sieving algorithms for SVP.

show abstract

Section: Background and Notationmentioning

confidence: 99%

Tuning GaussSieve for Speed

Fitzpatrick

Bischof

Buchmann

et al. 2015

Progress in Cryptology - LATINCRYPT 2014

View full text Add to dashboard Cite

show abstract

“…Finding these points does not appear feasible with the lattice reduction software we used. However, it may be possible to find them using improved implementations such as BKZ 2.0 [9]. There is still a lot of room for improvement in our results, and we hope this paper spurs more research on Bleichenbacher's method.…”

Section: Discussionmentioning

confidence: 88%

Using Bleichenbacher”s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA

Mulder¹,

Hutter

Marson³

et al. 2013

Cryptographic Hardware and Embedded Systems - CHES 2013

View full text Add to dashboard Cite

Abstract. In this paper we describe an attack against nonce leaks in 384-bit ECDSA using an FFT-based attack due to Bleichenbacher. The signatures were computed by a modern smart card. We extracted the low-order bits of each nonce using a template-based power analysis attack against the modular inversion of the nonce. We also developed a BKZ-based method for the range reduction phase of the attack, as it was impractical to collect enough signatures for the collision searches originally used by Bleichenbacher. We confirmed our attack by extracting the entire signing key using a 5-bit nonce leak from 4 000 signatures.

show abstract

“…This may be seen as the first theoretical evidence that, at least when using a small modulus q, restricting the ∞ norm of the solutions may make the SIS problem qualitatively harder than just restricting the 2 norm. There is already significant empirical evidence for this belief: the most practically efficient attacks on SIS, which use lattice basis reduction (e.g., [12,9]), only find solutions with bounded 2 norm, whereas combinatorial attacks such as [5,27] (see also [22]) or theoretical lattice attacks [10] that can guarantee an ∞ bound are much more costly in practice, and also require exponential space. Finally, we mention that setting β ∞ β is very natural in the usual formulations of one-way and collision-resistant hash functions based on SIS, where collisions correspond (for example) to vectors in {−1, 0, 1} m , and therefore have ∞ bound β ∞ = 1, but 2 bound β = √ m. Similar gaps between β ∞ and β can easily be enforced in other applications, e.g., digital signatures [13].…”

Section: Theorem 1 (Corollary Of Theorem 4)mentioning

confidence: 99%

“…The evaluation of the concrete level of security/efficiency offered by SIS and LWE for specific small parameter values still requires careful cryptanalysis, and consideration of the best known attacks. (See, for example, [22,15,9]. )…”

Section: Theorem 2 (Corollary Of Theorem 6)mentioning

confidence: 99%

Hardness of SIS and LWE with Small Parameters

Micciancio

Peikert

2013

Lecture Notes in Computer Science

213

138

View full text Add to dashboard Cite

Abstract. The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in latticebased cryptography, and are provably as hard as approximate lattice problems in the worst case. An important question from both a practical and theoretical perspective is how small their parameters can be made, while preserving their hardness.We prove two main results on SIS and LWE with small parameters. For SIS, we show that the problem retains its hardness for moduli q ≥ β · n δ for any constant δ > 0, where β is the bound on the Euclidean norm of the solution. This improves upon prior results which required q > β · √ n log n, and is close to optimal since the problem is trivially easy for q ≤ β. For LWE, we show that it remains hard even when the errors are small (e.g., uniformly random from {0, 1}), provided that the number of samples is small enough (e.g., linear in the dimension n of the LWE secret). Prior results required the errors to have magnitude at least √ n and to come from a Gaussian-like distribution.

show abstract

BKZ 2.0: Better Lattice Security Estimates

Cited by 419 publications

References 35 publications

Tuning GaussSieve for Speed

Tuning GaussSieve for Speed

Using Bleichenbacher”s Solution to the Hidden Number Problem to Attack Nonce Leaks in 384-Bit ECDSA

Hardness of SIS and LWE with Small Parameters

Contact Info

Product

Resources

About