Finding shortest lattice vectors faster using quantum search

Laarhoven, Thijs; Mosca, Michele; Pol, Joop van de

doi:10.1007/s10623-015-0067-5

Cited by 73 publications

(29 citation statements)

References 72 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, we used Algorithm 1 to find our recommended parameters (p, q, t) = (761, 4591, 143) with estimated pre-quantum security 2 248 . We expect post-quantum security levels to be somewhat lower (e.g., [80] saves a factor 1.1 in the best known asymptotic SVP exponents), and lattice security remains a tricky research topic, but there is a comfortable security margin above our target 2 128 . In the parameter generation algorithm the subroutine nextprime(i) returns the first prime number >i.…”

Section: Parametersmentioning

confidence: 96%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Lecture Notes in Computer Science

124

View full text Add to dashboard Cite

Abstract. Several ideal-lattice-based cryptosystems have been broken by recent attacks that exploit special structures of the rings used in those cryptosystems. The same structures are also used in the leading proposals for post-quantum lattice-based cryptography, including the classic NTRU cryptosystem and typical Ring-LWE-based cryptosystems. This paper (1) proposes NTRU Prime, which tweaks NTRU to use rings without these structures; (2) proposes Streamlined NTRU Prime, a public-key cryptosystem optimized from an implementation perspective, subject to the standard design goal of IND-CCA2 security; (3) finds high-security post-quantum parameters for Streamlined NTRU Prime; and (4) optimizes a constant-time implementation of those parameters. The resulting sizes and speeds show that reducing the attack surface has very low cost.

show abstract

Section: Parametersmentioning

confidence: 96%

NTRU Prime: Reducing Attack Surface at Low Cost

Bernstein

Chuengsatiansup

Lange

et al. 2017

Lecture Notes in Computer Science

124

View full text Add to dashboard Cite

show abstract

“…While Grover's search algorithm gives a square-root speedup to the search problem, it is not necessarily the case that Grover's algorithm immediately halves the security level. For example, Laarhoven et al [35] give a quantum algorithm for finding shortest lattice vectors in time 2 1.799n+o(n) , compared to the best known classical algorithm with time 2 2.465n+o(n) . If the best quantum algorithm is just a square-root speedup of the best known classical algorithm, then our parameters would require 2 81.9 operations for a quantum attacker to break; but it is an open question whether Grover's algorithm can naively be applied in that way, or whether the quantum impact is less dramatic like in the work of Laarhoven et al…”

Section: A Parameter Selectionmentioning

confidence: 99%

Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem

Bos

Costello

Naehrig

et al. 2015

2015 IEEE Symposium on Security and Privacy

239

131

View full text Add to dashboard Cite

Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. We demonstrate the practicality of post-quantum key exchange by constructing ciphersuites for the Transport Layer Security (TLS) protocol that provide key exchange based on the ring learning with errors (R-LWE) problem; we accompany these ciphersuites with a rigorous proof of security. Our approach ties latticebased key exchange together with traditional authentication using RSA or elliptic curve digital signatures: the post-quantum key exchange provides forward secrecy against future quantum attackers, while authentication can be provided using RSA keys that are issued by today's commercial certificate authorities, smoothing the path to adoption.Our cryptographically secure implementation, aimed at the 128-bit security level, reveals that the performance price when switching from non-quantum-safe key exchange is not too high. With our R-LWE ciphersuites integrated into the OpenSSL library and using the Apache web server on a 2-core desktop computer, we could serve 506 RLWE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KiB payload. Compared to elliptic curve Diffie-Hellman, this means an 8 KiB increased handshake size and a reduction in throughput of only 21%. This demonstrates that provably secure post-quantum key-exchange can already be considered practical.

show abstract

“…2.465n+o(n) and space 2 1.325n+o(n) [23] (see [18] for a quantum acceleration). In practice, heuristic variants of the lattice sieving algorithms are found to be more efficient.…”

Section: Introductionmentioning

confidence: 99%

Tuple lattice sieving

Bai

Laarhoven²,

Stehlé

2016

LMS J. Comput. Math.

Self Cite

View full text Add to dashboard Cite

Lattice sieving is asymptotically the fastest approach for solving the shortest vector problem (SVP) on Euclidean lattices. All known sieving algorithms for solving the SVP require space which (heuristically) grows as 2 0.2075n+o(n) , where n is the lattice dimension. In high dimensions, the memory requirement becomes a limiting factor for running these algorithms, making them uncompetitive with enumeration algorithms, despite their superior asymptotic time complexity.We generalize sieving algorithms to solve SVP with less memory. We consider reductions of tuples of vectors rather than pairs of vectors as existing sieve algorithms do. For triples, we estimate that the space requirement scales as 2 0.1887n+o(n) . The naive algorithm for this triple sieve runs in time 2 0.5661n+o(n) . With appropriate filtering of pairs, we reduce the time complexity to 2 0.4812n+o(n) while keeping the same space complexity. We further analyze the effects of using larger tuples for reduction, and conjecture how this provides a continuous trade-off between the memory-intensive sieving and the asymptotically slower enumeration.

show abstract

Finding shortest lattice vectors faster using quantum search

Cited by 73 publications

References 72 publications

NTRU Prime: Reducing Attack Surface at Low Cost

NTRU Prime: Reducing Attack Surface at Low Cost

Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem

Tuple lattice sieving

Contact Info

Product

Resources

About