Measuring, simulating and exploiting the head concavity ...The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography

Measuring, simulating and exploiting the head concavityphenomenon in BKZ

Shi Bai1 Damien Stehle2 Weiqiang Wen3

1Florida Atlantic University. USA.2Ecole Normale Superieure de Lyon. France.

3IRISA, Universite Rennes 1. France.

Asiacrypt 2018, Brisbane, Australia.

1 / 21

Outline

The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm iscentral in cryptanalysis for lattice-based cryptography.

1. Explain and quantify the shorter-than-expected phenomenon in thehead region in BKZ.

2. A more accurate simulator for BKZ.

3. A new BKZ variant that exploits the shorter-than-expectedphenomenon.

2 / 21

Outline





2 / 21

Outline





2 / 21

Outline





2 / 21

Lattice

b2b1

b2b2

0

DefinitionGiven a set of linearly independent vectors {b1, · · · ,bn} ⊆ Qm, the lattice Lspanned by the bi ’s is

L({b1, · · · , bn}) ={ n∑

i=1

zi bi | zi ∈ Z}.

Let B be the column matrix of {b1, · · · ,bn} and denote the lattice by L(B).3 / 21

Lattice

b2b2

b2b1

λ 1 0

Lattice minimumGiven a lattice L, the minimum λ1(L) is the norm of a shortest non-zerovector in L.

3 / 21

Lattice

b2b1

b2b2

b1

0

Bases of a latticeGiven B1,B2 ∈ Qm×n, then L(B1) = L(B2) iff B2 = B1U for someunimodular matrix U ∈ Zn×n.

3 / 21

Lattice

b2b1

b2b2

b1

0

The BKZ lattice reduction algorithm helps to find bases like (b1, b2).

Bases of a latticeGiven B1,B2 ∈ Qm×n, then L(B1) = L(B2) iff B2 = B1U for someunimodular matrix U ∈ Zn×n.

3 / 21

Lattice

b2b2

b2b1(b∗1)

b∗2

b2

b1(b∗1) b

∗2

0

Gram-Schmidt orthogonalizationLet B∗ = (b∗1, · · · ,b∗n) denote the Gram–Schmidt orthogonalization of B.The determinant of a lattice L is det(L) =

∏i‖b∗i ‖.

3 / 21

BKZ-β reducedGiven B = (b1, · · · ,bn), let b(j)

i denote the orthogonal projection of bionto the subspace (b1, · · · ,bj−1)⊥.

For i < j ≤ n, let B[i ,j] denote the (matrix) local block (b(i)i , · · · ,b(i)

j ) andL[i ,j] denote the lattice generated by B[i ,j].

DefinitionA basis B is BKZ-β reduced for block size β ≥ 2 if it is size-reduced∗ andsatisfies:

‖b∗i ‖= λ1(L[i ,min(i+β−1,n)]), ∀i ≤ n.

* A basis B is size-reduced, if it satisfies |µi,j |≤ 1/2 for j < i ≤ n where µi,j =〈bi ,b∗j 〉

‖b∗j ‖2 .

4 / 21

The BKZ algorithmThe algorithm attempts to make all local blocks satisfy above theminimality condition simultaneously.

Algorithm 1 BKZ algorithm (Schnorr and Euchner)Input: A basis B = (b1, · · · ,bn), a block size β.Output: A BKZ-β reduced basis of L(B).

1: repeat2: for i = 1 to n − 1 do3: SVPβ: find b such that ‖b(i)‖= λ1(L(b(i)

i , · · · , b(i)min(n,i+β−1))).

4: if ‖b∗i ‖> λ1(L(b(i)i , · · · , b(i)

min(n,i+β−1))) then5: LLL-reduce(b1, · · · , bi−1, b, bi , · · · , bmin(n,i+β)).6: else7: LLL-reduce(b1, · · · , bmin(n,i+β)).8: end if9: end for

10: until no change occurs.

C. P. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. In FCT’91.5 / 21

The BKZ algorithmThe algorithm attempts to make all local blocks satisfy above theminimality condition simultaneously.

Algorithm 1 BKZ algorithm (Schnorr and Euchner)Input: A basis B = (b1, · · · ,bn), a block size β.Output: A BKZ-β reduced basis of L(B).

1: repeat2: for i = 1 to n − 1 do3: SVPβ: find b such that ‖b(i)‖= λ1(L(b(i)

i , · · · , b(i)min(n,i+β−1))).

4: if ‖b∗i ‖> λ1(L(b(i)i , · · · , b(i)

min(n,i+β−1))) then5: LLL-reduce(b1, · · · , bi−1, b, bi , · · · , bmin(n,i+β)).6: else7: LLL-reduce(b1, · · · , bmin(n,i+β)).8: end if9: end for


• [Line 3] In practice, SVP solver can be pruned enumeration orsieving.

SVP Challenge. https://www.latticechallenge.org/svp-challenge/.5 / 21

https://www.latticechallenge.org/svp-challenge/

Quality of BKZ-β reduced basisA concrete cryptanalysis relies on the BKZ simulator of Chen and Nguyen(ASIACRYPT’11).

It uses the Gaussian heuristic on local blocks, with a modification for thetail blocks.Gaussian heuristicFor any random n-dimensional lattice L, we have

λ1(L) ≈ GH(L) = 1v1/n

n· det(L)1/n

where vn is the volume of a unit n-ball.

Y. Chen and P.Q. Nguyen. BKZ 2.0: Better lattice security estimates. In ASIACRYPT’11.6 / 21

(Simplified) Chen-Nguyen simulator

Algorithm 2 (Simplified) Chen-Nguyen simulator.Input: G-S norms (‖b∗

1‖, · · · , ‖b∗n‖), a block size β.

Output: Simulated G-S norms of BKZβ-reduced basis of L(B).1: repeat2: for i = 1 to n − 1 do3: SVPβ: find b such that ‖b(i)‖= λ1(L(b(i)

i , · · · , b(i)min(n,i+β−1))).

4: if ‖b∗i ‖> GH(L((b(i)i , · · · , b(i)

min(n,i+β)))) then

5: Update ‖b∗i ‖= GH(L((b(i)i , · · · , b(i)

min(n,i+β)))).6: else7: Keep ‖b∗i ‖ unchanged.8: end if9: end for


7 / 21

Practical behavior of Chen-Nguyen’s simulator

20 40 60 80 100

−1.00

−0.50

0.00

0.50

1.00

Index i

log‖

b∗ i‖

Experimental log‖b∗i ‖

Chen–Nguyen simulator

1

Gram–S. log-norms of BKZ45 at tour 50.

2 4 6 8 10

0.9

1

1.1

1.2

Index i

log‖

b∗ i‖



1

Same as left hand side, but zoomed in.

Such “head concavity” phenomenon has been reported in

I experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT’11);I and modeled by Yu and Ducas (SAC’17).

Y. Yu and L. Ducas. Second Order Statistical Behavior of LLL and BKZ. In SAC’17.

8 / 21


20 40 60 80 100

−1.00

−0.50

0.00

0.50

1.00

Index i

log‖

b∗ i‖



1


2 4 6 8 10

0.9

1

1.1

1.2

Index i

log‖

b∗ i‖



1



I experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT’11);

I and modeled by Yu and Ducas (SAC’17).

Y. Yu and L. Ducas. Second Order Statistical Behavior of LLL and BKZ. In SAC’17.

8 / 21


20 40 60 80 100

−1.00

−0.50

0.00

0.50

1.00

Index i

log‖

b∗ i‖



1


2 4 6 8 10

0.9

1

1.1

1.2

Index i

log‖

b∗ i‖



1



I experiments of BKZ 2.0 (Chen and Nguyen, ASIACRYPT’11);I and modeled by Yu and Ducas (SAC’17).

Y. Yu and L. Ducas. Second Order Statistical Behavior of LLL and BKZ. In SAC’17.8 / 21

A better simulator using the distribution of λ1 in random lattices.

9 / 21

Tools

Let Γn = {L ∈ Rn | vol(L) = 1} be the set of all full rank-n lattices withunit volume.

Chen [Cor. 3.1.4] and Sodergren [Thm. 1]:

Distribution of minimum in random latticesSample L uniformly in Γn. The distribution of vn · λ1(L)n converges indistribution to Expo(1/2) as n→∞.

Take λ1(L) as a random variable Y , then Y = X 1/n ·GH(L) for Xsampled from Expo(1/2).

Y. Chen. Reduction de reseau et securite concrete du chiffrement completement homomorphe. PhD thesis, Universite ParisDiderot, 2013.A. Sodergren. On the poisson distribution of lengths of lattice vectors in a random lattice. Mathematische Zeitschrift, 2011.

10 / 21

A probabilistic BKZ simulator

Algorithm 3 The new BKZ simulator (simplified)Input: G-S norms (‖b∗

1‖, · · · , ‖b∗n‖), a block size β.

Output: Simulated G-S norms of BKZ-β-reduced basis of L(B).1: repeat2: for i = 1 to n − 1 do3: Sample X from Expo[1/2].4: if ‖b∗i ‖> X1/β ·GH(L(b(i)

i , · · · , b(i)min(n,i+β−1))) then

5: Update ‖b∗i ‖= X1/β ·GH(L(b(i)i , · · · , b(i)

min(n,i+β))).6: else7: Keep ‖b∗i ‖ unchanged.8: end if9: end for


11 / 21

Quality of our simulator

20 40 60 80 100

−1.00

−0.50

0.00

0.50

1.00

Index i

log‖

b∗ i‖


Chen–Nguyen simulatorNew simulator

1


2 4 6 8 10

0.9

1

1.1

1.2

Index ilo

g‖b∗ i‖



1


12 / 21

Quality of our simulator (more)

20 40 60 80 100 120 140

−1

0

1

Index i

log‖

b∗ i‖



1


2 4 6 8 101.3

1.4

1.5

1.6

1.7

1.8

Index ilo

g‖b∗ i‖



1


13 / 21

Quality of our simulator (RHF)

0 10 20 30 40

1.012

1.014

1.016

1.018

t-th tour

Root

Her

mite

fact

or



Evolution of RHF during BKZ45 (nopruned enumeration) on SVP-100.

0 20 40 60 80 1001.010

1.012

1.014

1.016

1.018

t-th tour

Root

Her

mite

fact

or



Evolution of RHF during BKZ60(pruned enumeration) on SVP-150.

Given a lattice L(B) of rank n, the Root Hermite Factor of B is

RHF(B) =(‖b1‖/det(L)1/n

)1/n.

14 / 21

Limit of the head concavity

50 100 150 200 250 3001.002

1.004

1.006

1.008

1.010

1.012

Block-size

Root

Her

mite

fact

or


Simulated RHF for β ∈ {50, 60, · · · , 300}.Here the dimension is ≥ 4β.

50 100 150 200 250 3001.002

1.004

1.006

1.008

1.010

1.012

Block-size

Root

Her

mite

fact

or


Simulated RHF for β ∈ {50, 60, · · · , 300}.Here the dimension is 3β.

For large block sizes, the discrepancy vanishes: both simulators convergeto the same root Hermite factors.

15 / 21

Exploit the head concavity phenomenon!

16 / 21

A new BKZ variant: “Pressed BKZ”

Algorithm 4 The pressed-BKZ algorithmInput: A basis B = (b1, · · · ,bn), a block size β.Output: A pressed-BKZ-β reduced basis of L(B).

1: for start = 1 to n − β + 1 do2: Re-randomize L(b(start)

start , · · · ,b(start)n ).

3: BKZ-β on the block from start to n.4: end for

17 / 21

Experiments: BKZ-60

20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖

BKZ60

1

Gram–Schmidt log-norms of BKZ60.

2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖

BKZ60

1


18 / 21

Experiments: Pressed-BKZ-60 (2− n)

20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖

BKZ60pressed-BKZ60 (2–n)

1

Gram–Schmidt log-norms of(Pressed-)BKZ60.

2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21


20 40 60 80 100 120

−1

0

1

Index i

log‖

b∗ i‖


1


2 4 6 8 101

1.1

1.2

1.3

1.4

1.5

Index ilo

g‖b∗ i‖


1


18 / 21

Comparison with standard BKZ (in preprocessing)Input: a SVP-120 challenge

I Quality of pressed-BKZ-60 ≈ BKZ-80 ∼ 90 (after certain #tours).Pressed-BKZ-60 takes less time;

I Solving SVP-120 using the preprocessed pressed-BKZ-60 and avariant of progressive-BKZ in the bkz2 sweet spot branch of fplll.Faster (in experiments) than the lower-bound estimates in theProgressive BKZ (Aono et al. EUROCRYPT’16).

Limitation: strategy is not guaranteed to be optimal.

Y. Aono, Y. Wang, T. Hayashi, and T. Takagi. Improved progressive BKZ algorithms and their precise cost estimation by sharpsimulator. EUROCRYPT’16.https://github.com/fplll/fpylll/tree/bkz2_sweet_spot

19 / 21

https://github.com/fplll/fpylll/tree/bkz2_sweet_spot

Conclusion

Impacts:

I Better estimate for concrete cryptanalysis;I No impact for NIST security parameters.I Pressed-BKZ improves quality for limited block-sizes;

Future work:I Better strategies for Pressed-BKZ?I Impact of Pressed-BKZ for larger blocks?I Rigorous (or less heuristic) analysis of practical behavior of BKZ?

20 / 21

Conclusion

Impacts:

I Better estimate for concrete cryptanalysis;

I No impact for NIST security parameters.I Pressed-BKZ improves quality for limited block-sizes;


20 / 21

Conclusion

Impacts:

I Better estimate for concrete cryptanalysis;I No impact for NIST security parameters.

I Pressed-BKZ improves quality for limited block-sizes;


20 / 21

Conclusion

Impacts:



20 / 21

Conclusion

Impacts:


Future work:

I Better strategies for Pressed-BKZ?I Impact of Pressed-BKZ for larger blocks?I Rigorous (or less heuristic) analysis of practical behavior of BKZ?

20 / 21

Conclusion

Impacts:


Future work:I Better strategies for Pressed-BKZ?

I Impact of Pressed-BKZ for larger blocks?I Rigorous (or less heuristic) analysis of practical behavior of BKZ?

20 / 21

Conclusion

Impacts:


Future work:I Better strategies for Pressed-BKZ?I Impact of Pressed-BKZ for larger blocks?

I Rigorous (or less heuristic) analysis of practical behavior of BKZ?

20 / 21

Conclusion

Impacts:



20 / 21

Thank you!

21 / 21

Documents

Measuring, simulating and exploiting the head concavity ...The Blockwise-Korkine-Zolotarev (BKZ) lattice reduction algorithm is central in cryptanalysis for lattice-based cryptography