Article

Lattice Enumeration with Discrete Pruning: Improvements, Cost Estimation and Optimal Parameters

1 Henan Key Laboratory of Network Cryptography Technology, Zhengzhou 450001, China
2 PLA Information Engineering University, Zhengzhou 450001, China
* Author to whom correspondence should be addressed.
Mathematics 2023, 11(3), 766; https://doi.org/10.3390/math11030766
Submission received: 3 January 2023 / Revised: 24 January 2023 / Accepted: 28 January 2023 / Published: 3 February 2023
(This article belongs to the Special Issue Frontiers in Network Security and Cryptography)

Abstract:
Lattice enumeration is a linear-space algorithm for solving the shortest lattice vector problem (SVP). Extreme pruning is a practical technique for accelerating lattice enumeration, with a mature theoretical analysis and practical implementation; however, this analysis has yet to be applied to discrete pruning. In this paper, we improve discrete pruned enumeration (DP enumeration) and provide a solution to the problem proposed by Léo Ducas and Damien Stehlé regarding the cost estimation of discrete pruning. We first rectify the randomness assumption to describe the lattice point distribution of DP enumeration more precisely. We then propose a series of improvements, including a new polynomial-time binary search algorithm for the cell enumeration radius, a refined cell-decoding algorithm and a rerandomization and reprocessing strategy, all aiming to improve efficiency. Based on these theoretical and practical improvements, we build a precise cost-estimation model for DP enumeration by simulation, which shows good accuracy in experiments. This DP simulator enables us to propose an optimization method that calculates the optimal parameters of DP enumeration to minimize the running time. The experimental results and an asymptotic analysis both show that the discrete pruning method can outperform extreme pruning, which means that our optimized DP enumeration might become the most efficient polynomial-space SVP solver to date. An open-source implementation of DP enumeration with its simulator is also provided.

1. Introduction

The shortest vector problem (SVP) and the closest vector problem (CVP) are computationally hard lattice problems, which have become central building blocks in lattice-based cryptanalysis. The security analysis of many lattice-based cryptographic primitives usually reduces to solving underlying mathematical problems that are closely related to SVP and CVP. Some hard problems used in classical public-key cryptosystems can also be converted to variants of SVP or CVP, such as the knapsack problem [1,2,3], the hidden number problem [4] and the integer factoring problem [5].
Lattice enumeration is a general SVP solver with linear space complexity. It outputs a lattice vector shorter than a given target length (or proves that none exists) within superexponential time. Enumeration can also be used as the subroutine of the blockwise lattice basis reduction (BKZ) algorithm, and therefore plays an important role in the security analysis and parameter assessment of lattice-based cryptosystems [8,9,10].
Classical lattice enumeration can be traced back to the early 1980s. Kannan [6] proposed an algorithm that enumerates lattice points in a high-dimensional parallelepiped and outputs the shortest vector, along with a well-reduced HKZ basis, at the cost of huge time consumption. Fincke and Pohst [7,11] proposed using a lighter preprocessing method, such as the LLL or BKZ algorithm, and spending more time enumerating lattice vectors in a hyperellipsoid. Fincke–Pohst enumeration has higher time complexity in theory, but it performs better than Kannan's enumeration in practice.
Pruning is the most important technique for accelerating lattice enumeration. In the classical enumeration algorithm, all the coordinate vectors of lattice points are organized in an enumeration tree and searched depth-first. The pruning method cuts off a branch and stops searching deeper when the objective function value at the current node exceeds the bounding function. This might cut off the correct solution during the search; hence, pruned enumeration becomes a probabilistic algorithm. Gama, Nguyen and Regev [12] proposed the extreme pruning method, which treats the bounding function as the solution to an optimization problem. The optimal bounding function can be regarded as an extreme point that minimizes the expected total running time (with a given success probability). Therefore, extreme pruning is believed to be the most efficient pruning method for classical enumeration, which is also called GNR enumeration. The fplll library [13] provides an open-source implementation of GNR enumeration.
Classical pruned enumeration searches for lattice vectors in a hypercylinder intersection, which is treated as a continuous region in the time analysis. Consequently, the expected running time of GNR enumeration is easy to compute, which implies that the upper bound on the cost of lattice enumeration is clear. Aono et al. also proved a lower bound for GNR enumeration [14].
The discrete pruning method is quite different. Discrete pruned enumeration (DP enumeration) originated from a heuristic "sampling reduction" algorithm [15], which iteratively samples lattice vectors under a restriction on their Gram–Schmidt coefficients and then rerandomizes the basis using lattice reduction. Ajtai, Buchmann and Ludwig [16,17] provided some analyses of its time complexity and success probability. Fukase and Kashiwabara [18] put forward a series of significant improvements, including the natural number representation (NNR) of lattice points, to make the sampling reduction method more practical, and provided a heuristic analysis. Teruya et al. [19] designed a parallelized version of the Fukase–Kashiwabara sampling reduction algorithm and solved a 152-dimensional SVP challenge, the best record of that year. Other relevant studies include [20,21,22]. The sampling reduction algorithm shows good practicality but lacks sufficient theoretical support, especially regarding parameter settings and runtime estimation. The concept of "discrete pruning" was formally put forward at EUROCRYPT 2017 by Aono and Nguyen [23]. They proposed a novel notion named "lattice partition" to generalize the previous sampling methods, and they solved the problem of which lattice points should be "sampled" using the classical enumeration technique. The success probability of discrete pruning can be described as the volume of a "ball-box intersection" and can be calculated efficiently using the fast inverse Laplace transform (FILT). Aono et al. [24] made some modifications to DP enumeration and proposed a quantum variant. The theoretical foundation of DP enumeration has gradually developed, but some problems still remain.
  • A precise cost estimation: There is a gap between the theoretical time complexity and the actual cost. Each subalgorithm of DP enumeration has been proved to run in polynomial time, but the actual running time is not proportional to the theoretical upper bound, since subalgorithms with different structures are analyzed in terms of different arithmetic operations.
  • The optimal parameter setting: The parameters of DP enumeration used to be set empirically, by hand. An important problem that [23,24] did not clearly explain is how many points should be enumerated in each iteration. The authors of [18,23] provided some examples of parameter selection without further explanation. For a given SVP instance, an optimal parameter setting should exist that minimizes the total running time; finding it depends on the solution to the first problem.
To solve the above problems, the work is carried out in two steps. First, we build a precise cost model for DP enumeration, called the "DP simulator". During this procedure, several implementation details of DP enumeration are improved, and the cost model is based on these improvements. Second, we use an optimization method to find the optimal parameters of DP enumeration.
In the first step, to estimate the precise cost of DP enumeration, we study and improve DP enumeration in terms of both mathematical theory and algorithm implementation. The main work is as follows:
  • Rectification of the theoretical assumption: It is generally assumed that the lattice point inside each cell is uniformly distributed, but Ludwig [25] (Section 2.4) pointed out that this randomness assumption does not strictly hold for Schnorr's sampling method, i.e., Schnorr's partition. The same defect exists in the randomness assumption of the natural number partition and leads to a paradox: two symmetric lattice vectors with the same length have different moment values and success probabilities. This causes inaccuracies in cell enumeration and success probability analyses; hence, we provide a rectified assumption that describes the lattice point distribution in cells more cautiously and accurately, eliminating the defect.
  • Improvements in algorithm implementation: We propose a new polynomial-time binary search algorithm for the cell enumeration radius, which guarantees a more precise output than [24] and is more conducive to building a precise cost model. We propose a lightweight rerandomization method and a truncated version of BKZ, "k-tours-BKZ", as the reprocessing method when DP enumeration fails in one round and has to be repeated. This method takes both basis quality and controllable running time into consideration. We examine the stabilization of basis quality during repeated reprocessing and propose a model to describe the relationship between the orthogonal basis information and the parameters of DP enumeration.
  • A cost simulator of DP enumeration: Based on the above improvements, we provide an open-source implementation of DP enumeration. To describe its actual running time, it is necessary to define a unified "basic operation" for all subalgorithms of DP enumeration and to fit the coefficients of the polynomial cost terms. We give fitted time cost formulas in CPU cycles for each subalgorithm of our implementation. We also modify the calculation of the success probability according to the rectified randomness assumption. We then build a cost model, the DP simulator, to estimate the exact cost of DP enumeration under any given parameters. In addition, for random lattices on which the geometric series assumption (GSA) holds, the simulator works in a simple and efficient way, without computing any specific lattice basis.
In the second step, to predict the optimal parameters of DP enumeration, we propose an optimization model in which the DP enumeration parameters are the input of the DP simulator and the estimated running time is its output. We find the Nelder–Mead method suitable for this optimization problem, since the DP simulator has no explicit expression and its derivatives are unknown. As the cost model is accurate, the parameters that minimize the output of the DP simulator can also be considered the optimal parameters of the DP enumeration algorithm.
Contributions of this work: We propose a systematic solution to the open problem of DP enumeration by combining an improved implementation of DP enumeration, the DP simulator and the optimization method for finding optimal parameters. Experiments confirm that DP enumeration outperforms the state-of-the-art enumeration with extreme pruning and provide concrete crossover points for algorithm performance. Furthermore, the experimental results are extrapolated to higher dimensions, and we give an asymptotic expression for the cost of DP enumeration. These results provide valuable references for lattice-based cryptography. We release our implementation as open source (https://github.com/LunaLuan9555/DP-ENUM, accessed on 30 December 2022) to promote the development of lattice-based cryptography.
Roadmap: Section 2 introduces the fundamental knowledge of lattices and provides an overview of pruning technologies for lattice enumeration. Section 3 first rectifies the basic randomness assumption of lattice partition, and then describes the details of three improvements in discrete pruning enumeration. Section 4 gives the details of our DP enumeration cost simulator, including the runtime estimation of every subalgorithm and the rectified success probability model. Section 5 describes how to find the optimal parameter setting for DP enumeration using our cost simulator. Section 6 provides experimental results to verify the accuracy of our cost simulator, and compares the efficiency of our implementation with the extreme pruned enumeration in the fplll library. Finally, Section 7 provides the conclusion and discusses some further works.

2. Preliminaries

2.1. Lattice

Lattice: Let $\mathbb{R}^m$ denote the m-dimensional Euclidean space. Given n linearly independent vectors $\mathbf{b}_1, \ldots, \mathbf{b}_n \in \mathbb{R}^m$ ($m \ge n$), a lattice $\mathcal{L}$ is defined as a set of points in $\mathbb{R}^m$: $\mathcal{L} = \left\{\sum_{i=1}^{n} x_i \mathbf{b}_i : x_i \in \mathbb{Z}\right\}$. The vector set $\{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ is called a basis of the lattice $\mathcal{L}$ and can be written as the column matrix $\mathbf{B} = [\mathbf{b}_1, \ldots, \mathbf{b}_n]$. The rank of matrix $\mathbf{B}$ is n, which is also known as the dimension of the lattice. From a computational perspective, we need only consider the case $\mathbf{b}_i \in \mathbb{Z}^m$ for $i = 1, \ldots, n$, since real numbers are represented by rationals in a computer, and a lattice with a rational basis can always be scaled to one with an integral basis. The lattice is full-rank when $m = n$, which is the common case in lattice-based cryptanalysis. In the following, we only consider the case $\mathbf{B} \in \mathbb{Z}^{n \times n}$.
A lattice has many different bases. Given two bases $\mathbf{B}_1, \mathbf{B}_2 \in \mathbb{Z}^{m \times n}$ of a lattice $\mathcal{L}$, there exists a unimodular matrix $\mathbf{U}$ such that $\mathbf{B}_1 = \mathbf{B}_2 \mathbf{U}$. A basis of the lattice corresponds to a fundamental parallelepiped $\mathcal{P}(\mathbf{B}) = \left\{\sum_{i=1}^{n} x_i \mathbf{b}_i : 0 \le x_i < 1,\ i = 1, \ldots, n\right\}$. The shape of the fundamental parallelepiped varies with the basis, but its volume is an invariant of the lattice, denoted by $\mathrm{vol}(\mathcal{L})$. It is also called the determinant $\det(\mathcal{L})$ of the lattice, and we have $\det(\mathcal{L}) = \mathrm{vol}(\mathcal{L}) = \sqrt{\det(\mathbf{B}^T \mathbf{B})}$.
Random lattice: For the formal definition and generation algorithm of random lattices, we refer to Goldstein and Mayer's work [26]. The SVP challenge also adopts the Goldstein–Mayer lattice. The lattice of an n-dimensional SVP challenge instance has a volume of about $2^{10n}$.
Gaussian heuristic: For a lattice $\mathcal{L}$ and a measurable set $S$ in $\mathbb{R}^n$, we intuitively expect that $S$ contains about $\mathrm{vol}(S)/\mathrm{vol}(\mathcal{L})$ fundamental parallelepipeds; therefore, there should be about the same number of points in $S \cap \mathcal{L}$.
Assumption 1.
Gaussian heuristic. Let $\mathcal{L}$ be an n-dimensional lattice in $\mathbb{R}^n$ and $S$ be a measurable set of $\mathbb{R}^n$. Then,
$$\#\{S \cap \mathcal{L}\} \approx \mathrm{vol}(S)/\mathrm{vol}(\mathcal{L})$$
We note that the Gaussian heuristic should be used carefully, because in some "bad" cases, this assumption does not hold (see Section 2.1.2 in [27]). However, for random lattices, this assumption generally holds, especially for "nice" sets $S$; therefore, we can use the Gaussian heuristic to predict $\lambda_1(\mathcal{L})$:
$$\mathrm{GH}(\mathcal{L}) = \frac{\mathrm{vol}(\mathcal{L})^{1/n}}{B_n(1)^{1/n}} = \frac{1}{\sqrt{\pi}}\,\Gamma\!\left(\frac{n}{2}+1\right)^{\frac{1}{n}} \mathrm{vol}(\mathcal{L})^{\frac{1}{n}} \approx \sqrt{\frac{n}{2\pi e}}\,\mathrm{vol}(\mathcal{L})^{\frac{1}{n}}$$
In fact, $\mathrm{GH}(\mathcal{L})$ is exactly the radius of an n-dimensional ball with volume $\mathrm{vol}(\mathcal{L})$. It is widely believed that $\mathrm{GH}(\mathcal{L})$ is a good estimation of $\lambda_1(\mathcal{L})$ when $n \ge 45$.
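As a quick illustration (not part of the paper's released code), $\mathrm{GH}(\mathcal{L})$ is best evaluated in log-space to avoid overflow at high dimensions; the C++ sketch below assumes $\log\mathrm{vol}(\mathcal{L})$ is given:

```cpp
#include <cmath>
#include <cstdio>

// log GH(L) = (log vol(L) - log V_n(1)) / n, where
// log V_n(1) = (n/2) log(pi) - lgamma(n/2 + 1) is the log-volume
// of the n-dimensional unit ball.
double log_gaussian_heuristic(int n, double log_vol) {
    const double PI = std::acos(-1.0);
    double log_unit_ball = 0.5 * n * std::log(PI) - std::lgamma(0.5 * n + 1.0);
    return (log_vol - log_unit_ball) / n;
}

int main() {
    int n = 120;
    double log_vol = 10.0 * n * std::log(2.0); // SVP challenge: vol(L) ~ 2^(10n)
    std::printf("GH(L) ~ %.2f\n", std::exp(log_gaussian_heuristic(n, log_vol)));
}
```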
Shortest vector problem (SVP): For a lattice $\mathcal{L} = \mathcal{L}(\mathbf{B})$ with basis $\mathbf{B} \in \mathbb{Z}^{m \times n}$, the goal is to find a lattice vector $\mathbf{Bx}$ with $\mathbf{x} \in \mathbb{Z}^n \setminus \{0\}$ such that $\|\mathbf{Bx}\| \le \|\mathbf{By}\|$ for any $\mathbf{y} \in \mathbb{Z}^n \setminus \{0\}$. The length of the shortest vector is denoted by $\lambda_1(\mathcal{L})$.
Finding the shortest nonzero vector of a lattice is of great interest in complexity theory, computational algebra and cryptanalysis. However, a more common task in cryptanalysis is to find a lattice vector shorter than a given bound; in other words, researchers are more interested in finding an approximate solution to SVP. For example, the target of the SVP challenge [28] is to find a lattice vector $\mathbf{v} \in \mathcal{L}$ such that $\|\mathbf{v}\|_2 \le 1.05 \cdot \mathrm{GH}(\mathcal{L}) \approx 1.05\,\lambda_1(\mathcal{L})$.
Orthogonal projection: The Gram–Schmidt orthogonalization can be considered a direct decomposition of the lattice and is frequently used in lattice problems.
Definition 1.
Gram–Schmidt orthogonalization. Let $\mathbf{B} = [\mathbf{b}_1, \ldots, \mathbf{b}_n] \in \mathbb{Z}^{m \times n}$ be a lattice basis. The Gram–Schmidt orthogonal basis $\mathbf{B}^* = [\mathbf{b}_1^*, \ldots, \mathbf{b}_n^*] \in \mathbb{Q}^{m \times n}$ is defined by $\mathbf{b}_i^* = \mathbf{b}_i - \sum_{j=1}^{i-1} \mu_{i,j} \mathbf{b}_j^*$, where the orthogonal coefficients are $\mu_{i,j} = \frac{\langle \mathbf{b}_i, \mathbf{b}_j^* \rangle}{\langle \mathbf{b}_j^*, \mathbf{b}_j^* \rangle}$.
Definition 2.
Orthogonal projection. Let $\pi_i : \mathbb{R}^m \to \mathrm{span}(\mathbf{b}_1, \ldots, \mathbf{b}_{i-1})^{\perp}$ be the i-th orthogonal projection. For $\mathbf{v} \in \mathbb{R}^m$, we define $\pi_i(\mathbf{v}) = \mathbf{v} - \sum_{j=1}^{i-1} \frac{\langle \mathbf{v}, \mathbf{b}_j^* \rangle}{\|\mathbf{b}_j^*\|^2} \mathbf{b}_j^*$. Since any lattice vector $\mathbf{v}$ can be represented by the orthogonal basis $\mathbf{B}^*$ as $\mathbf{v} = \sum_{i=1}^{n} u_i \mathbf{b}_i^*$, we also have $\pi_i(\mathbf{v}) = \sum_{j=i}^{n} u_j \mathbf{b}_j^*$.
For lattice $\mathcal{L}(\mathbf{B})$ and $i = 1, \ldots, n$, we can define the $(n-i+1)$-dimensional projected lattice $\pi_i(\mathcal{L}(\mathbf{B})) = \mathcal{L}[\pi_i(\mathbf{b}_i), \pi_i(\mathbf{b}_{i+1}), \ldots, \pi_i(\mathbf{b}_n)]$. Note that the orthogonal basis of $\pi_i(\mathcal{L}(\mathbf{B}))$ is exactly $[\mathbf{b}_i^*, \mathbf{b}_{i+1}^*, \ldots, \mathbf{b}_n^*]$.
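For reference, the Gram–Schmidt data $\mathbf{B}^*$ and $\mu_{i,j}$ used throughout this paper follow the recurrence of Definition 1. Below is a minimal floating-point sketch (our illustration; production code such as fplll manages numerical precision far more carefully):

```cpp
#include <cstddef>
#include <vector>

using Vec = std::vector<double>;
using Mat = std::vector<Vec>;

static double dot(const Vec& a, const Vec& b) {
    double s = 0.0;
    for (std::size_t i = 0; i < a.size(); ++i) s += a[i] * b[i];
    return s;
}

// Gram-Schmidt orthogonalization (Definition 1):
// b*_i = b_i - sum_{j<i} mu_{i,j} b*_j, with
// mu_{i,j} = <b_i, b*_j> / <b*_j, b*_j>. B holds basis vectors as rows.
void gram_schmidt(const Mat& B, Mat& Bstar, Mat& mu) {
    std::size_t n = B.size();
    Bstar = B;
    mu.assign(n, Vec(n, 0.0));
    for (std::size_t i = 0; i < n; ++i)
        for (std::size_t j = 0; j < i; ++j) {
            mu[i][j] = dot(B[i], Bstar[j]) / dot(Bstar[j], Bstar[j]);
            for (std::size_t k = 0; k < B[i].size(); ++k)
                Bstar[i][k] -= mu[i][j] * Bstar[j][k];
        }
}
```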

2.2. Discrete Pruning

In classical enumeration, we search for lattice points directly, according to their coordinates $(x_1, \ldots, x_n)$ with respect to the basis $\mathbf{B}$, looking for $\mathbf{v} = \sum_{i=1}^{n} x_i \mathbf{b}_i$ with $\|\mathbf{v}\| \le R$. However, enumeration with discrete pruning behaves in a very different way.
Considering the representation $\mathbf{v} = \sum_{j=1}^{n} u_j \mathbf{b}_j^*$, it is intuitive to search for lattice vectors with small $|u_j|$, especially at indices $j$ corresponding to very large $\|\mathbf{b}_j^*\|$. This idea was first applied in a heuristic vector sampling method proposed by Schnorr [15] and dramatically improved by Fukase and Kashiwabara [18]. These sampling strategies were summarized by Aono and Nguyen, who defined the lattice partition to generalize them.
Definition 3.
(Lattice partition [23]). Let $\mathcal{L}$ be a full-rank lattice in $\mathbb{Z}^n$. An $\mathcal{L}$-partition $(C(\cdot), T)$ is a partition of $\mathbb{R}^n$ such that:
  • $\mathbb{R}^n = \bigcup_{\mathbf{t} \in T} C(\mathbf{t})$ and $C(\mathbf{t}) \cap C(\mathbf{t}') = \emptyset$ for $\mathbf{t} \neq \mathbf{t}'$; the index set $T$ is countable.
  • There is exactly one lattice point in each cell $C(\mathbf{t})$, and there is a polynomial-time algorithm that converts a tag $\mathbf{t} \in T$ to the corresponding lattice vector $\mathbf{v} \in C(\mathbf{t}) \cap \mathcal{L}$.
A nontrivial partition is generally related to the orthogonal basis $\mathbf{B}^*$. Some examples are given in [23]. Here, we only introduce the natural partition, first proposed by Fukase and Kashiwabara [18], since it has smaller moments than other lattice partitions such as Babai's and Schnorr's, implying that enumeration with the natural partition tends to be more efficient. In this paper, we only discuss discrete pruning based on the natural partition, following the work of [18,23,24].
Definition 4.
Given a lattice $\mathcal{L}$ with basis $\mathbf{B} \in \mathbb{Z}^{n \times n}$ and a lattice vector $\mathbf{v} = \sum_{j=1}^{n} u_j \mathbf{b}_j^*$, the natural number representation (NNR) of $\mathbf{v}$ is the vector $\mathbf{t} = (t_1, \ldots, t_n) \in \mathbb{N}^n$ such that $u_j \in \left(-\frac{t_j+1}{2}, -\frac{t_j}{2}\right] \cup \left[\frac{t_j}{2}, \frac{t_j+1}{2}\right)$ for all $j = 1, \ldots, n$. The natural number representation then induces the natural partition $(C(\cdot), \mathbb{N}^n)$ by defining
$$C(\mathbf{t}) = \left\{\sum_{i=1}^{n} x_i \mathbf{b}_i^* : x_i \in \left(-\frac{t_i+1}{2}, -\frac{t_i}{2}\right] \cup \left[\frac{t_i}{2}, \frac{t_i+1}{2}\right)\right\} \tag{1}$$
The cell $C(\mathbf{t}) \subset \mathbb{R}^n$ is a union of $2^j$ hypercuboids (boxes), which are centrosymmetric and disjoint, where $j$ is the number of nonzero coefficients of $\mathbf{t}$.
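One can check from Definition 4 that the tag of the cell containing $\mathbf{v} = \sum_j u_j \mathbf{b}_j^*$ is simply $t_j = \lfloor 2|u_j| \rfloor$; a small sketch of this mapping (our illustration, not the released code):

```cpp
#include <cmath>
#include <vector>

// Natural number representation (Definition 4): the lattice vector
// v = sum_j u_j b_j* lies in the cell with tag t_j = floor(2 |u_j|),
// since u_j in (-(t+1)/2, -t/2] or [t/2, (t+1)/2) implies 2|u_j| in [t, t+1).
std::vector<int> nnr_tag(const std::vector<double>& u) {
    std::vector<int> t(u.size());
    for (std::size_t j = 0; j < u.size(); ++j)
        t[j] = (int)std::floor(2.0 * std::fabs(u[j]));
    return t;
}
```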
Given a certain cell, the lattice vector lying in it is determined by the tag and the lattice basis; however, if we randomly pick some cells, the position of the lattice vector within $C(\mathbf{t})$ shows a kind of randomness. It is natural to assume that the lattice point belonging to $C(\mathbf{t})$ is uniformly distributed. The prototype of this assumption was first proposed by Schnorr [15] and generalized by Fukase and Kashiwabara [18]. Aono, Nguyen and Shen [23,24] also use this assumption by default.
Assumption 2.
(Randomness Assumption [18]). Given a lattice $\mathcal{L}(\mathbf{B}) \subset \mathbb{Z}^{n \times n}$ with orthogonal basis $\mathbf{B}^*$ and a natural number vector $\mathbf{t} \in \mathbb{N}^n$, for the lattice vector $\mathbf{v} = \sum_{j=1}^{n} u_j \mathbf{b}_j^*$ contained in $C(\mathbf{t})$, the Gram–Schmidt coefficients $u_j$ ($j = 1, \ldots, n$) are uniformly distributed over $\left(-\frac{t_j+1}{2}, -\frac{t_j}{2}\right] \cup \left[\frac{t_j}{2}, \frac{t_j+1}{2}\right)$ and statistically independent with respect to $j$.
In such an ideal situation, by considering the GS coefficients $u_j$ of $\mathbf{v}$ as random variables, one can compute the expectation and variance of $\|\mathbf{v}\|^2$, since $\|\mathbf{v}\|^2$ itself becomes a random variable. Its expectation is defined as the first moment of the cell $C(\mathbf{t})$ [23]:
$$E[C(\mathbf{t})] = \frac{1}{12} \sum_{j=1}^{n} (3t_j^2 + 3t_j + 1)\,\|\mathbf{b}_j^*\|^2 \tag{2}$$
This means that, for a given tag $\mathbf{t}$, we can predict the length of the lattice vector $\mathbf{v} \in C(\mathbf{t})$ immediately, without converting $\mathbf{t}$ to $\mathbf{v}$ (the conversion is exact but relatively time-consuming). This leads to the core idea of the discrete pruning method: we first search for a batch of cells that are "most likely" to contain very short lattice vectors; then, we decode them to obtain the corresponding lattice vectors and check whether there is a $\mathbf{v}$ such that $\|\mathbf{v}\| \le R$. The pruning set is $P = \bigcup_{\mathbf{t} \in S} C(\mathbf{t})$. If the randomness assumption and the Gaussian heuristic hold, the probability that $P$ contains a lattice vector shorter than $R$ can be described by the volume of the intersection $\mathrm{vol}(\mathrm{Ball}_n(R) \cap P) = \sum_{\mathbf{t} \in S} \mathrm{vol}(\mathrm{Ball}_n(R) \cap C(\mathbf{t}))$.
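As an illustration of how cheap Equation (2) is to evaluate per tag, the following sketch (our naming, not the paper's code) scores a tag by its expected squared vector length:

```cpp
#include <cstddef>
#include <vector>

// Equation (2): E[C(t)] = (1/12) * sum_j (3 t_j^2 + 3 t_j + 1) * ||b_j*||^2,
// the expected squared length of the lattice vector in cell C(t) under
// Assumption 2. gs_norm_sq[j] holds ||b_{j+1}*||^2.
double cell_moment(const std::vector<int>& t,
                   const std::vector<double>& gs_norm_sq) {
    double e = 0.0;
    for (std::size_t j = 0; j < t.size(); ++j)
        e += (3.0 * t[j] * t[j] + 3.0 * t[j] + 1.0) * gs_norm_sq[j];
    return e / 12.0;
}
```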
The outline of discrete pruned enumeration is given in Algorithm 1.
Algorithm 1 Discrete Pruned Enumeration
Require: well-reduced lattice basis $\mathbf{B}$, number of tags $M$, target vector length $R$
Ensure: $\mathbf{v} \in \mathcal{L}(\mathbf{B})$ such that $\|\mathbf{v}\| < R = 1.05 \cdot \mathrm{GH}(\mathcal{L})$
1: Reduce lattice basis $\mathbf{B}$
2: while true do
3:     $S \leftarrow \emptyset$
4:     Use binary search to find a bound $r$ such that there are $M$ tags $\mathbf{t}$ satisfying $f(\mathbf{t}) < r$
5:     Enumerate all these $M$ tags and save them in set $S$
6:     for $\mathbf{t} \in S$ do
7:         Decode $\mathbf{t}$ to recover the corresponding $\mathbf{v}$ such that $\mathbf{v} \in C(\mathbf{t})$
8:         if $\|\mathbf{v}\|^2 < R^2$ then return $\mathbf{v}$        // find a solution
9:         end if
10:    end for
11:    Rerandomize $\mathbf{B}$ by multiplying by a unimodular matrix $\mathbf{Q} \in \mathbb{Z}^{n \times n}$, i.e., $\mathbf{B} \leftarrow \mathbf{BQ}$
12:    Reprocess $\mathbf{B}$ using lattice reduction algorithms such as BKZ or LLL
13: end while

3. Improvements in Discrete Pruning Method

3.1. Rectification of Randomness Assumption

Most studies on discrete pruning take the randomness assumption as a foundation of their analyses and can therefore apply Equation (2) to predict vector lengths. However, we can easily point out a paradox if this assumption holds: for two cells with tags $\mathbf{t} = [t_1, \ldots, t_k, 0, \ldots, 0]$ and $\mathbf{t}' = [t_1, \ldots, t_k + 1, 0, \ldots, 0]$, where the last nonzero coefficient $t_k$ is odd, it is easy to verify that the corresponding lattice vectors of $\mathbf{t}$ and $\mathbf{t}'$ point in opposite directions and have the same length. However, Equation (2) indicates $E[C(\mathbf{t})] < E[C(\mathbf{t}')]$. In fact, we also have $\mathrm{vol}(\mathrm{Ball}_n(R) \cap C(\mathbf{t})) \neq \mathrm{vol}(\mathrm{Ball}_n(R) \cap C(\mathbf{t}'))$, which means these two cells have different success probabilities, while the lattice vectors contained in them are essentially the same.
This paradox implies that the distribution of lattice points in cells is not completely uniform. In fact, for a tag $\mathbf{t} = [t_1, \ldots, t_k, 0, \ldots, 0]$ with $t_k \neq 0$, the GS coefficients $u_k, u_{k+1}, \ldots, u_n$ of the corresponding lattice vector $\mathbf{v} \in C(\mathbf{t})$ are fixed integers rather than uniformly distributed real numbers. Their exact values are given in Proposition 1.
Proposition 1.
Given a lattice $\mathcal{L}(\mathbf{B})$ with orthogonal basis $\mathbf{B}^*$ and a tag $\mathbf{t} = [t_1, \ldots, t_k, 0, \ldots, 0]$ whose last nonzero coefficient is $t_k$, let $\mathbf{v} = \sum_{j=1}^{n} u_j \mathbf{b}_j^* \in C(\mathbf{t})$ denote the corresponding lattice vector; then
$$u_k = \begin{cases} -\dfrac{t_k}{2}, & \text{if } t_k \text{ is even} \\[6pt] \dfrac{t_k+1}{2}, & \text{if } t_k \text{ is odd} \end{cases} \qquad u_{k+1} = \cdots = u_n = 0 \tag{3}$$
Proof. 
We can verify the proposition through the procedures of the decoding algorithm; a brief theoretical proof is also provided. For a lattice vector $\mathbf{v} = \sum_{i=1}^{n} x_i \mathbf{b}_i = \sum_{i=1}^{n} u_i \mathbf{b}_i^* \in C(\mathbf{t})$, where $u_k = x_k + \sum_{i=k+1}^{n} \mu_{i,k} x_i$, the last nonzero coefficient of $\mathbf{x}$ is $x_k$ if, and only if, $u_k$ is the last nonzero coefficient of $\mathbf{u}$, and then $u_k = x_k$. According to Definition 4, we have $t_j = 0$ for all $j > k$; $u_k$ is non-negative if, and only if, $t_k = 2x_k - 1$ is odd; $u_k < 0$ if, and only if, $t_k = -2x_k$ is even. For brevity, tags whose last nonzero coefficient is odd or even are called "odd-ended" and "even-ended" tags, respectively.    □
Based on Proposition 1, the rectified randomness assumption is given below, and the moments of natural partition are also modified.
Assumption 3.
(The Rectified Randomness Assumption). Let $\mathcal{L}(\mathbf{B})$ be an n-dimensional lattice with orthogonal basis $\mathbf{B}^*$. Given a tag $\mathbf{t}$ with corresponding lattice vector $\mathbf{v} = \sum_{j=1}^{n} u_j \mathbf{b}_j^* \in C(\mathbf{t})$, suppose the last nonzero coefficient of $\mathbf{t}$ is $t_k$; then, for $j < k$, we assume that $u_j$ is uniformly distributed over $\left(-\frac{t_j+1}{2}, -\frac{t_j}{2}\right] \cup \left[\frac{t_j}{2}, \frac{t_j+1}{2}\right)$ and independent with respect to $j$; for $j \ge k$, $u_j$ is directly given by Equation (3).
Then, the moments of the lattice partition must also be modified, since the last several coefficients are no longer random variables after the rectification. For a tag $\mathbf{t} = [t_1, \ldots, t_k, 0, \ldots, 0]$ with $t_k \neq 0$, the expectation of the corresponding $\|\mathbf{v}\|^2$ is
$$E[C(\mathbf{t})] = \frac{1}{12} \sum_{j=1}^{k-1} (3t_j^2 + 3t_j + 1)\,\|\mathbf{b}_j^*\|^2 + u_k^2 \|\mathbf{b}_k^*\|^2 \tag{4}$$
where $u_k$ is defined by Equation (3).
After the rectification, two tags $\mathbf{t}, \mathbf{t}'$ that differ only by 1 in the last nonzero coefficient satisfy $E[C(\mathbf{t})] = E[C(\mathbf{t}')]$, and the paradox mentioned at the beginning of this subsection is eliminated.
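A minimal sketch combining Equations (3) and (4) (our illustration of the rectified moment, not the released code):

```cpp
#include <vector>

// Rectified expected squared length (Equation (4)): coefficients before the
// last nonzero entry t_k are treated as uniform random variables, while u_k
// is the fixed integer given by Equation (3). gs_norm_sq[j] = ||b_{j+1}*||^2.
double rectified_cell_moment(const std::vector<int>& t,
                             const std::vector<double>& gs_norm_sq) {
    int k = -1;
    for (int j = (int)t.size() - 1; j >= 0; --j)
        if (t[j] != 0) { k = j; break; }
    if (k < 0) return 0.0;                      // t = 0 is the zero vector's cell
    double e = 0.0;
    for (int j = 0; j < k; ++j)                 // random part: j < k
        e += (3.0 * t[j] * t[j] + 3.0 * t[j] + 1.0) * gs_norm_sq[j] / 12.0;
    double uk = (t[k] % 2 == 0) ? -t[k] / 2.0   // Equation (3), t_k even
                                : (t[k] + 1) / 2.0;  // t_k odd
    return e + uk * uk * gs_norm_sq[k];         // deterministic part: j = k
}
```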

3.2. Binary Search and Cell Enumeration

A crucial step of Algorithm 1 is cell enumeration (line 5), which aims to find the "best" $M$ cells. We use an objective function $f(\mathbf{t})$ to measure how good a cell is. $E[C(\mathbf{t})]$ (Equation (2)) is a natural indicator for searching for proper tags, since it is exactly the expected squared length of the lattice vector $\mathbf{v} \in C(\mathbf{t})$. Aono and Nguyen [23] directly use $E[C(\mathbf{t})]$ as the objective function in cell enumeration, and Aono et al. [24] use a modified version of $E[C(\mathbf{t})]$ to guarantee a polynomial runtime. They require the function $f(\mathbf{t}) = \sum_{i=1}^{n} f(i, t_i)$ to satisfy $f(i, 0) = 0$ and $f(i, j) \le f(i, j')$ for all $i$ and $j' > j$, which means we have to drop the constants in $E[C(\mathbf{t})]$, i.e., let $f(i, j) = \frac{1}{4}(j^2 + j)\|\mathbf{b}_i^*\|^2$. Based on their work and the rectification above, we propose a modified objective function. Given a tag vector $\mathbf{t} = [t_1, \ldots, t_k, 0, \ldots, 0]$ with $t_k \neq 0$ as input, we first define
$$f(i, t_i) \stackrel{\mathrm{def}}{=} \begin{cases} 0, & \text{for } i > k \\ u_i^2 \|\mathbf{b}_i^*\|^2, & \text{for } i = k \\ \frac{1}{4}(t_i^2 + t_i)\|\mathbf{b}_i^*\|^2, & \text{otherwise} \end{cases} \tag{5}$$
where $u_i$ is defined by Equation (3). Then, the objective function of cell enumeration is
$$f(\mathbf{t}) \stackrel{\mathrm{def}}{=} \sum_{i=1}^{n} f(i, t_i) = \frac{1}{4} \sum_{i=1}^{k-1} (t_i^2 + t_i)\|\mathbf{b}_i^*\|^2 + u_k^2 \|\mathbf{b}_k^*\|^2 \tag{6}$$
The complete cell enumeration procedure is given in Algorithm 2.
Remark 1.
Considering the symmetry of the lattice vector, we only search for even-ended tags (lines 17 and 31 of Algorithm 2).
The time complexity of Algorithm 2 is similar to that of [24]: the number of times that Algorithm 2 enters the loop is, at most, $(2n-1) \cdot M/2$, where $M$ is the number of tags such that $f(\mathbf{t}) \le r$. In each loop iteration, the number of arithmetic operations performed is $O(1)$, and $f(\cdot)$ is evaluated exactly once. The proof is essentially the same as that of Theorem 11 in [24]. (Note that, although we change the definition of $f(i, t_i)$, and therefore the value of $c_k$ calculated in Algorithm 2, this does not affect the total number of while loops in the asymptotic sense. Furthermore, the modification of $f(\mathbf{t})$ does not change the key step of the proof: each partial assignment with $\sum_{i=i_0}^{n} f(i, t_i) \le r$ at a middle node can be expanded to a larger sum $\sum_{i=1}^{n} f(i, t_i) \le r$.)
In cell enumeration, a bound $r$ should first be determined, as in the previous subsection, such that there are exactly $M$ tags satisfying $f(\mathbf{t}) \le r$. Aono and Nguyen [23] first proposed using a binary search to find a proper $r$. Aono et al. [24] gave a detailed binary search algorithm (Algorithm 5 in [24]), which was proved to run in polynomial time $O(n(n+1)M) + n^{O(1)} + O(\log_2 M)$. Their algorithm uses the precision of the radius $r$ to control the termination of the binary search, but a slight vibration of $r$ causes a large disturbance in the number of valid tags, since the number of tags satisfying $f(\mathbf{t}) < r$ grows exponentially with $r$. Therefore, their binary search can only guarantee an output of $N$ tags with $N \in [M, (n+1)M]$, which is a relatively large interval. This makes it intractable to estimate the precise cost of the subsequent tagwise computation, such as the decoding algorithm.
Since the current termination condition of the binary search brings uncertainty into the total cost-estimation model, we provide a more practical and stable polynomial-time binary search strategy to determine the parameter $r$ for cell enumeration. The essential difference from ANS18 [24] is that we use the number of output tags as the bisection indicator of the binary search. This method guarantees that the cell enumeration step (Algorithm 1, line 5) outputs between $(1-\epsilon)M$ and $(1+\epsilon)M$ tags $\mathbf{t}$ satisfying $f(\mathbf{t}) < r$. When $\epsilon$ is small, the number of output tags can be approximately counted as $M$.
Algorithm 2 CellENUM
Require: orthogonal basis $\mathbf{B}^* = [\mathbf{b}_1^*, \ldots, \mathbf{b}_n^*]$, bound $r$
Ensure: all even-ended $\mathbf{t} \in \mathbb{N}^n$ such that $f(\mathbf{t}) \le r$, where $f(\mathbf{t})$ is defined in Equation (6)
1: $S \leftarrow \emptyset$
2: $t_1 = t_2 = \cdots = t_n = 0$
3: $c_1 = c_2 = \cdots = c_{n+1} = 0$
4: $k \leftarrow 1$
5: while true do
6:     if $t_k = t_{k+1} = \cdots = t_n = 0$ then
7:         $c_k \leftarrow 0$
8:     else if $t_k$ is the last nonzero component of $\mathbf{t}$ then
9:         $c_k \leftarrow u_k^2 \|\mathbf{b}_k^*\|^2$        // $u_k$ is calculated using Equation (3)
10:    else
11:        $c_k \leftarrow c_{k+1} + \frac{1}{4}(t_k^2 + t_k)\|\mathbf{b}_k^*\|^2$
12:    end if        // calculating $f(k, t_k)$, defined by Equation (5)
13:    if $c_k < r$ then
14:        if $k = 1$ then
15:            $S \leftarrow S \cup \{\mathbf{t} = (t_1, t_2, \ldots, t_n)\}$
16:            if $t_{k+1} = \cdots = t_n = 0$ then
17:                $t_k \leftarrow t_k + 2$        // only output "even-ended" tags
18:            else
19:                $t_k \leftarrow t_k + 1$
20:            end if
21:        else
22:            $k \leftarrow k - 1$
23:            $t_k \leftarrow 0$
24:        end if
25:    else
26:        $k \leftarrow k + 1$
27:        if $k = n + 1$ then
28:            exit
29:        else
30:            if $t_{k+1} = \cdots = t_n = 0$ or $k = n$ then
31:                $t_k \leftarrow t_k + 2$
32:            else
33:                $t_k \leftarrow t_k + 1$
34:            end if
35:        end if
36:    end if
37: end while
38: return $S$
Remark 2.
In Algorithm 3, CellENUM (called in line 5) is actually a variant of the original Algorithm 2: it only needs to count the number of qualified tags and can return early once $\#S > (1+\epsilon)M$; it does not need to store the valid tags.
Algorithm 3 ComputeRadius
Require: $M$, $\epsilon$, $\mathbf{B}^*$
Ensure: $r \in \mathbb{R}$ such that $\#\{\mathbf{t} : f(\mathbf{t}) < r\} \approx M$
1: $R_l \leftarrow \sum_{i=1}^{n} f(i, 0) = 0$
2: $R_r \leftarrow \sum_{i=1}^{n} f(i, \lceil M^{1/n} \rceil)$
3: while $R_l < R_r$ do
4:     $R_m \leftarrow (R_l + R_r)/2$
5:     $S \leftarrow$ CellENUM($\mathbf{B}^*$, $R_m$)
6:     if $\#S < (1-\epsilon)M$ then
7:         $R_l \leftarrow R_m$        // $R_m$ is too small
8:     else if $\#S > (1+\epsilon)M$ then
9:         $R_r \leftarrow R_m$        // $R_m$ is too large
10:    else return $r \leftarrow R_m$        // $R_m$ is acceptable
11:    end if
12: end while
Theorem 1 gives the asymptotic time complexity of Algorithm 3:
Theorem 1.
Given a lattice $\mathcal{L}(\mathbf{B})$, $M$ and a relaxation factor $\epsilon$, Algorithm 3 terminates within $O\left(\log n + \log\frac{1}{\epsilon} + n \log\left(n \det(\mathcal{L})^{2/n}\right)\right)$ loops and outputs the enumeration parameter $r$ such that $(1-\epsilon)M \le \#\{\mathbf{t} \in \mathbb{N}^n : f(\mathbf{t}) < r\} \le (1+\epsilon)M$. In each loop, the subalgorithm CellENUM is called exactly once.
The proof sketch of Theorem 1 is given in Appendix A. In the following experiments, we set $\epsilon = 0.005$.

3.3. Lattice Decoding

The decoding algorithm converts a tag $\mathbf{t} \in \mathbb{N}^n$ into a lattice vector $\mathbf{v} \in \mathcal{L}(\mathbf{B}) \subset \mathbb{R}^n$. The complete algorithm is described in both [18,23]. However, in discrete pruned enumeration, almost all the processed tags do not correspond to a solution of SVP, and there is no need to recover the coordinates of those lattice vectors. Instead, inspired by classical enumeration, we use an intermediate result, the partial sum of the squared length of the lattice vector (line 14 in Algorithm 4), as an early-abort indicator: when the projected squared length $\rho = \sum_{k=i}^{n} \left|x_k + \sum_{l=k+1}^{n} \mu_{l,k} x_l\right|^2 \|\mathbf{b}_k^*\|^2$ exceeds the squared target length of SVP, we stop decoding, since the vector cannot be short enough. We thereby avoid a vector-matrix multiplication of cost $O(n^2)$.
Algorithm 4 has $O(n)$ loops, and each loop performs about $O(n)$ arithmetic operations, mainly in line 7. Therefore, the time complexity of Algorithm 4 is $O(n^2)$. In our experiments on the SVP challenge, decoding terminated at index $i \approx 0.21n$ on average, which shows that the early-abort technique takes effect and saves decoding time.
Space complexity of DP enumeration. We note that Decode can be embedded at line 15 of CellENUM. In other words, decoding can be performed immediately when a candidate tag is found, and we then either output the final solution to SVP or discard the tag. This implies that DP enumeration essentially has polynomial space complexity, since it does not need to store any tags.
Algorithm 4 Decode
Require: tag $\mathbf{t} \in \mathbb{N}^n$; SVP target length $R = 1.05 \cdot \mathrm{GH}(\mathcal{L})$; orthogonalization information $U = (\mu_{i,j})_{n \times n}$, $\mathbf{B}^* \in \mathbb{R}^{n \times n}$
Ensure: lattice vector $\mathbf{v}$ such that $\|\mathbf{v}\|^2 < R^2$, or $\perp$
1: $\rho \leftarrow 0$
2: $\Delta \leftarrow 1$        // indicates whether we should stop decoding
3: for $i = 1$ to $n$ do
4:     $u_i \leftarrow 0$
5: end for
6: for $i = n$ to $1$ do
7:     $y \leftarrow -\sum_{j=i+1}^{n} u_j \mu_{j,i}$
8:     $u_i \leftarrow \lfloor y + 0.5 \rfloor$
9:     if $u_i \ge y$ then
10:        $u_i \leftarrow u_i - (-1)^{t_i} \lceil t_i/2 \rceil$
11:    else
12:        $u_i \leftarrow u_i + (-1)^{t_i} \lceil t_i/2 \rceil$
13:    end if
14:    $\rho \leftarrow \rho + (u_i - y)^2 \|\mathbf{b}_i^*\|^2$        // $\rho = \sum_{k=i}^{n} |x_k + \sum_{l=k+1}^{n} \mu_{l,k} x_l|^2 \|\mathbf{b}_k^*\|^2$
15:    if $\rho > R^2$ then
16:        $\Delta \leftarrow 0$
17:        exit
18:    else
19:        $\Delta \leftarrow 1$        // may still lead to a solution to SVP
20:    end if
21: end for
22: if $\Delta = 1$ then return $\mathbf{v} = \mathbf{Bu}$
23: else return $\perp$
24: end if

3.4. Lattice Reduction for Reprocessing

3.4.1. Rerandomization and Reduction

To solve an SVP instance, DP enumeration must be run repeatedly on many different bases, which means that the lattice basis should be rerandomized whenever DP enumeration restarts, and then reprocessed to recover good quality. A plain approach is to use the polynomial-time LLL reduction for reprocessing, but LLL only guarantees some elementary properties and is not as strong as BKZ reduction. A complete BKZ reduction, however, takes a long time, and estimating its runtime requires a sophisticated method. Additionally, the BKZ algorithm yields diminishing returns: after the first dozens of iterations, quality measures of the basis, such as the root Hermite factor, change only slowly, as illustrated in [29,30].
A complete reduction is unnecessary, since our DP enumeration algorithm does not require the lattice basis to be strictly BKZ-reduced. The key point of reprocessing for DP enumeration is to achieve a compromise between time consumption and basis quality. An early-abort strategy called terminating BKZ [31] is a good attempt to decrease the number of BKZ iterations while maintaining some good properties. However, the runtime of BKZ remains hard to estimate, since the number of iterations is not fixed, and those properties mainly describe the shortness of $\mathbf{b}_1$, providing little help for our cost estimation.
Another idea is to use a BKZ algorithm with a limited number of reduction tours, which is convenient for runtime analysis and still produces a well-reduced basis efficiently. This is our "k-tours-BKZ" algorithm (Algorithm 5), which restricts the total number of BKZ "tours" (lines 4-18 in Algorithm 5) to $k$. Given the BKZ blocksize $\beta$ and $k$, the time consumption of Algorithm 5 can be approximately estimated by multiplying $k(n-\beta)$ by the cost of solving a single $\beta$-dimensional SVP oracle. This is explained in Section 4.
Algorithm 5 k-tours-BKZ
Require: lattice basis $\mathbf{B}$; BKZ blocksize $\beta$; $k$
Ensure: a reprocessed lattice basis $\mathbf{B}$
1: $Z \leftarrow 0$; $i \leftarrow 0$        // $Z$ is used to judge the termination condition of the original BKZ
2: $K \leftarrow 0$        // $K$ records the number of tours
3: LLL($\mathbf{b}_1, \ldots, \mathbf{b}_n$)
4: while $Z < n - 1$ and $K < k$ do
5:     $K \leftarrow K + 1$
6:     for $i = 1$ to $n - 1$ do
7:         $j \leftarrow \min(i + \beta - 1, n)$
8:         $h \leftarrow \min(j + 1, n)$
9:         $\mathbf{v} \leftarrow$ ENUM($\pi_i(\mathbf{b}_i), \ldots, \pi_i(\mathbf{b}_j)$)        // call the SVP oracle
10:        if $\mathbf{v} \neq \mathbf{0}$ then
11:            $Z \leftarrow 0$
12:            LLL($\mathbf{b}_1, \ldots, \mathbf{b}_{i-1}, \sum_{s=i}^{j} v_s \mathbf{b}_s, \mathbf{b}_i, \ldots, \mathbf{b}_h$)
13:        else
14:            $Z \leftarrow Z + 1$
15:            LLL($\mathbf{b}_1, \ldots, \mathbf{b}_h$)
16:        end if
17:    end for
18: end while
The value of $k$ is tightly related to the rerandomization; hence, the rerandomization method should also be discussed carefully. The essence of rerandomization is to generate a unimodular matrix $\mathbf{Q}$ acting as an elementary column transformation on $\mathbf{B}$, so that $\mathbf{BQ}$ becomes the new basis to be reprocessed. A very "heavy" matrix $\mathbf{Q}$ means the basis is transformed with high intensity, which implies that the basis loses many good properties achieved by the previous reduction (e.g., some very short basis vectors), and the reprocessing procedure needs a long time to return to a well-reduced state. However, a very sparse $\mathbf{Q}$ may lead to insufficient randomness in the transformation and may not guarantee a substantially different basis. To balance randomness and reprocessing cost, we heuristically require the Hamming-style distance between $\mathbf{Q}$ and the identity matrix $\mathbf{I}$ to satisfy
$$d_1(\mathbf{Q}, \mathbf{I}) \stackrel{\mathrm{def}}{=} \sum_{1 \le i \le n} \sum_{1 \le j \le n} |Q_{ij} - I_{ij}| \approx O(n) \tag{7}$$
A practical way to generate such a $\mathbf{Q}$ is to randomly select $n$ positions $(i, j)$ with $i < j$, set each $Q_{ij} \in \{\pm 1, \pm 2, \ldots\}$ to a small integer, and set $Q_{ii} = 1$ for all $1 \le i \le n$. This forms an upper-triangular unimodular matrix that immediately satisfies the above formula.
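A minimal sketch of this construction (our illustration; the entry set $\{\pm 1, \pm 2\}$ is one concrete choice consistent with the text):

```cpp
#include <random>
#include <vector>

// Sparse upper-triangular unimodular rerandomization matrix Q: ones on the
// diagonal and about n small entries above it, so that d_1(Q, I) = O(n).
// det(Q) = 1 holds for any upper-triangular matrix with unit diagonal.
std::vector<std::vector<int>> sparse_unimodular(int n, std::mt19937& rng) {
    std::vector<std::vector<int>> Q(n, std::vector<int>(n, 0));
    for (int i = 0; i < n; ++i) Q[i][i] = 1;
    const int choices[4] = {1, -1, 2, -2};
    std::uniform_int_distribution<int> col(1, n - 1), pick(0, 3);
    for (int c = 0; c < n; ++c) {                 // ~n off-diagonal entries
        int j = col(rng);                         // column j >= 1
        std::uniform_int_distribution<int> row(0, j - 1);
        Q[row(rng)][j] = choices[pick(rng)];      // position (i, j) with i < j
    }
    return Q;
}
```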
In practice, we find that this method guarantees a substantially new basis after reprocessing without destroying the basis quality too much; therefore, it helps k-tours-BKZ reach a stable basis quality again within only a few tours (see Figure 1, Figure 2 and Figure 3). The experiments in the next subsection suggest that we can choose a very small $k$ to save time in the reprocessing procedure. There is a broad consensus that "the most significant improvements of BKZ reduction only occur in the first few rounds" [27], which is proved in [31]. Some cryptanalyses also use an optimistically small constant $c$ as the number of BKZ tours when estimating attack overhead (e.g., $c = 8$ in [32]). Considering the previous literature and the following experiments, we set $k = 8$ for our k-tours-BKZ method.

3.4.2. Average Quality of Lattice Basis During Reprocessing

Even with the same parameters, DP enumeration has different runtimes and success probabilities on different bases of a lattice. We expect the basis to have a stable quality that remains largely unchanged by the reprocessing operation and can easily be simulated or predicted without performing an actual lattice reduction. The first task is therefore to define the quality of a lattice basis and to study how it changes during the enumeration loops. We chose three indicators to describe basis quality and observed their behavior during reprocessing.
Gram–Schmidt Sum.
For DP enumeration, the success probability is tightly related to the lengths of the Gram–Schmidt basis vectors $\{\|\mathbf{b}_1^*\|, \ldots, \|\mathbf{b}_n^*\|\}$. Fukase and Kashiwabara [18] proposed using the Gram–Schmidt sum as a measurement of lattice basis quality and gave an intuitive, approximate analysis of the strong negative correlation between $\mathrm{GSS}(\mathbf{B})$ and the efficiency of finding a short lattice vector: the larger the Gram–Schmidt sum, the smaller the success probability. The Gram–Schmidt sum is defined as
$$\mathrm{GSS}(\mathbf{B}) \stackrel{\mathrm{def}}{=} \sum_{i=1}^{n} \|\mathbf{b}_i^*\|^2$$
We generated a random $n = 120$ dimensional SVP challenge basis and observed how k-tours-BKZ changes its $\mathrm{GSS}(\mathbf{B})$ during reprocessing. Starting from a BKZ-$\beta$-reduced basis, the lattice basis was repeatedly rerandomized and then reprocessed by $k = 8$ tours of BKZ with blocksize $\beta$. As shown in Figure 1, the peak appearing before every 8 tours of BKZ reduction corresponds to the $\mathrm{GSS}(\mathbf{B})$ of the rerandomized basis before reprocessing. The peaks indicate that the lattice basis is evidently disturbed by our rerandomization method and $\mathrm{GSS}(\mathbf{B})$ deteriorates, while, within the following $k$ tours, $\mathrm{GSS}(\mathbf{B})$ quickly returns to a state similar to the well-reduced initial one and then hardly changes. In general, when the lattice basis is iteratively reprocessed, $\mathrm{GSS}(\mathbf{B})$ shows only mild fluctuations, implying that the success probability of finding very short lattice vectors is quite stable.
Geometric Series Assumption and GS Slope.
For a well-reduced basis of a random lattice, such as an SVP challenge lattice, the Gram–Schmidt orthogonal basis generally follows a regular pattern known as the Geometric Series Assumption (GSA). For an n-dimensional lattice with a BKZ-$\beta$-reduced basis $\mathbf{B}$, GSA states that there is a $q \in (0, 1)$ such that
$$\log\|\mathbf{b}_i^*\| = (i-1) \cdot \log q + \log\|\mathbf{b}_1\|, \quad i = 1, \ldots, n \tag{8}$$
If GSA holds, the points $\{(i, \log\|\mathbf{b}_i^*\|)\}_{i=1}^{n}$ form a straight line with slope $\log q$. In other words, $q$ defines the "shape" of the Gram–Schmidt sequence $\{\|\mathbf{b}_i^*\|\}_{i=1}^{n}$; we call $q \in (0, 1)$ the GS slope. For real reduced bases, the points do not lie exactly on a straight line, and an approximate value of $q$ can be obtained by least-squares fitting. Generally, a $q$ closer to 1 means a better-reduced basis, and vice versa. Figure 2 shows the evolution of the fitted $q$ during reprocessing: $q$ decreases sharply after each rerandomization and recovers within the next few reprocessing tours, showing a stable trend across the iterated rerandomization and BKZ tours.
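The least-squares fit of $\log q$ takes only a few lines; the following sketch (our illustration) extracts the GS slope from a sequence of GS norms:

```cpp
#include <cmath>
#include <vector>

// Least-squares fit of the GS slope: under GSA, log||b_i*|| lies on a line
// with slope log q, so log q is the ordinary least-squares slope of the
// points (i, log||b_i*||). gs_norm[i] holds ||b_{i+1}*||.
double fit_log_q(const std::vector<double>& gs_norm) {
    int n = (int)gs_norm.size();
    double sx = 0, sy = 0, sxx = 0, sxy = 0;
    for (int i = 0; i < n; ++i) {
        double x = i, y = std::log(gs_norm[i]);
        sx += x; sy += y; sxx += x * x; sxy += x * y;
    }
    return (n * sxy - sx * sy) / (n * sxx - sx * sx);  // slope = log q
}
```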
Root Hermite Factor.
In studies of the BKZ algorithm, the root Hermite factor $\delta$ is used to describe the "ability" of BKZ to find a short lattice vector, measured on the first vector $\mathbf{b}_1$ of the output basis:
$$\delta \stackrel{\mathrm{def}}{=} \left(\frac{\|\mathbf{b}_1\|}{\mathrm{vol}(\mathcal{L})^{1/n}}\right)^{1/n} \tag{9}$$
Gama and Nguyen [8] observed that, for the BKZ algorithm with blocksize $\beta \ll n$, the root Hermite factor depends mainly on the blocksize $\beta$ and hardly on the lattice dimension. Additional observations of the root Hermite factor are given in Table 2 of [29].
As with $\mathrm{GSS}(\mathbf{B})$ and the GS slope $q$, Figure 3 shows the evolution of the root Hermite factor $\delta$ of the reprocessed basis. The peaks arising before the reprocessing tours indicate that the first basis vector $\mathbf{b}_1$ is substantially changed by our rerandomization method; within the following $k$ tours, $\delta$ quickly returns to a state similar to the well-reduced initial one and then hardly changes.
Based on the above observations, we believe that, during the reprocessing stage, only a few BKZ reduction tours can stabilize the properties of the lattice bases.

4. Precise Cost Estimation of DP-ENUM

The precise cost estimation of DP enumeration is of great concern and remains an open problem in cryptanalysis. However, there are several obstacles to building a good runtime model that is consistent with experimental results in accessible dimensions and can be extrapolated to much higher dimensions.
First, DP enumeration contains many subalgorithms with different structures, such as binary search, cell enumeration, decoding and reprocessing. Although the asymptotic time complexity of each part is clearly discussed in Section 3, the real runtime of DP enumeration still needs to be handled carefully. These subalgorithms involve a variety of arithmetic and logic operations, which makes it hard to define a universal "basic operation" for all the DP enumeration procedures. To build a runtime model for DP enumeration, our key idea is to use CPU cycles as the basic operation unit, since this avoids the differences caused by different types of operations and is also easy to count.
Second, the search space of DP enumeration is a union of many discrete boxes irregularly distributed in $\mathbb{R}^n$. It is quite hard to compute the volume of the pruning set, which directly determines the success probability of pruning. Aono et al. proposed using FILT to compute the volume of the pruning set [23], but this calculation model should be modified to achieve better accuracy, according to the rectification of the original randomness assumption we made in Section 3.
According to Algorithm 1, the cost of each loop in DP enumeration can be divided into four parts:
  • $T_{bin}$: use binary search to determine the cell enumeration parameter $r$ (Algorithm 3);
  • $T_{cell}$: enumerate all the tags of the candidate cells (Algorithm 2);
  • $T_{decode}$: decode a tag and check the length of the corresponding lattice vector (Algorithm 4);
  • $T_{repro}$: if there is no valid solution to SVP, rerandomize the lattice basis and reprocess it by the k-tours-BKZ algorithm (Algorithm 5).
Denote by $p_{succ}$ the probability of finding a lattice vector shorter than $R$ in a single loop of DP enumeration, and assume that $p_{succ}$ stays stable under rerandomization; then, the expected number of loops is about $1/p_{succ}$ according to the geometric distribution, and the total runtime $T_{total}$ of DP enumeration can be estimated by
$$T_{total} = T_{pre} + \frac{T_{repro} + T_{bin} + T_{cell} + M \cdot T_{decode}}{p_{succ}} \tag{10}$$
We assume that the preprocessing time $T_{pre}$, i.e., the time for a full BKZ-$\beta$ reduction of the initial lattice basis, is far less than the time spent in the main iteration and can be ignored when $\beta \ll n$. In this section, we aim to determine explicit expressions for $T_{repro}$, $T_{bin}$, $T_{cell}$ and $T_{decode}$, as well as to provide an accurate estimation of $p_{succ}$.
For all the experiments in this paper, the computing platform is a server with Intel Xeon E5-2620 CPUs, with eight physical cores running at 2.10 GHz, and 64GB RAM. To obtain accurate CPU cycles for the DP enumeration algorithm, we fixed the CPU basic frequency and set the CPU affinity, and all the time data for fitting were obtained from our single-thread implementation.

4.1. Simulation of Lattice Basis

Some parts of the total time cost model (Equation (10)) depend heavily on the quality of the basis: more precisely, on the vector lengths of the Gram–Schmidt orthogonal basis $\{\|\mathbf{b}_i^*\|\}_{i=1}^{n}$. Based on the reprocessing method and the stability analysis in Section 3.4, we can reasonably assume that the Gram–Schmidt sequence $\{\|\mathbf{b}_i^*\|\}_{i=1}^{n}$ does not change severely across the loops of DP enumeration. The issue is then to simulate an "average" GS sequence for a BKZ-$\beta$-reduced basis.
The BKZ simulator [29,30] is a universal method, especially when $\beta$ is quite large, since the Gaussian heuristic generally holds in $\beta$-dimensional blocks with $\beta \ge 45$. In this case, the probabilistic BKZ simulator proposed by Bai et al. [30] is an appropriate model due to its reliable depiction of the "head concavity" phenomenon. Based on Algorithm 3 in [30], we provide this BKZ simulator in C++ as a component of our implementation.
However, the BKZ simulator does not work well for small and medium blocksizes ($\beta < 45$), because its keystone is to estimate the shortest vector length in a $\beta$-dimensional sublattice (block) $\mathcal{L}_{[i,j]}$ by computing $\mathrm{GH}(\mathcal{L}_{[i,j]})$, which loses accuracy when $\beta < 45$. This is rarely the case in asymptotic cryptanalysis, but it is the prevailing case in preprocessing and also needs investigation; hence, we propose a method that covers this case and fills the vacancy in GS sequence simulation.
If we combine
$$\mathrm{vol}(\mathcal{L}) = \prod_{i=1}^{n} \|\mathbf{b}_i^*\|$$
and Equation (8), then we have
$$n \cdot \log\|\mathbf{b}_1\| + \frac{n(n-1)}{2} \log q = \log \mathrm{vol}(\mathcal{L}) \tag{11}$$
Using Equation (11), we can approximately calculate the whole Gram–Schmidt sequence $\{\|\mathbf{b}_i^*\|\}_{i=1}^{n}$ if GSA holds and one of $\|\mathbf{b}_1\|$ or $q$ is known. We prefer to use the GS slope $q$ rather than the value of $\|\mathbf{b}_1\|$, since it contains more information about the Gram–Schmidt orthogonal basis. Additionally, using $\|\mathbf{b}_1\| = \delta^n \mathrm{vol}(\mathcal{L})^{1/n}$ to recover the Gram–Schmidt sequence might lead to an overly optimistic estimation, since the "head concavity" phenomenon [30] indicates that $\|\mathbf{b}_1\|$ may deviate significantly from the prediction given by GSA. The feasible approach is therefore to give an average estimation of $q$ for a given lattice and BKZ parameter $\beta$.
We find that the GS slope has similar properties to the root Hermite factor: when $\beta \ll n$, the GS slope of a reduced basis mostly depends on the blocksize $\beta$, not on the lattice dimension. For each parameter set $(n, \beta) \in \{120, \ldots, 180\} \times \{11, 13, \ldots, 45\}$, we generated 50 random SVP challenge instances and applied BKZ-$\beta$ to the n-dimensional lattice bases to verify this phenomenon, using the least-squares method to fit $\log q$ of the reduced bases. Figure 4 shows the relationship between $q$ and the lattice dimension $n$, indicating that $q$ hardly depends on $n$ and varies mostly with $\beta$.
Figure 5 illustrates the positive correlation between $q$ and $\beta$, consistent with the idea that a larger blocksize $\beta$ yields a better-reduced basis and a milder GS slope, i.e., a $q < 1$ that is closer to 1.
Table 1 gives the estimated values of $q_\beta$.
By using the empirical data of $q_\beta$, we can generate a virtual GS sequence $\{B_1, B_2, \ldots, B_n\}$ that simulates the real behavior of the Gram–Schmidt orthogonal basis of a BKZ-$\beta$-reduced lattice basis by solving the following equations:
$$\begin{cases} \mathrm{vol}(\mathcal{L}) = \prod_{i=1}^{n} B_i \\[4pt] n \cdot \log B_1 + \frac{n(n-1)}{2} \log q_\beta = \log \mathrm{vol}(\mathcal{L}) \\[4pt] \log B_i = (i-1) \cdot \log q_\beta + \log B_1, \quad i = 1, \ldots, n \end{cases} \tag{12}$$
Remark 3.
All the explicit values of $q_\beta$ for $\beta < 45$ are given in our open-source implementation. Note that the method proposed above only takes effect when $\beta < 45$, but we still give an extrapolation as an alternative reference. Since $q < 1$ holds for all $\beta > 0$ and $q_\beta$ is an increasing function of $\beta$, which implies the trend $q_\beta \to 1$, we heuristically assume this function has the form $q = 1 - \exp(a\beta + b)$; the fitting result on Table 1 is then
$$q_\beta = 1 - \exp(-0.0092200\,\beta - 3.3919) \tag{13}$$
The fitting curve is also illustrated in Figure 5.
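Putting Equations (11)-(13) together, a simulated GS sequence for $\beta < 45$ can be generated without any concrete basis; a minimal sketch (our illustration):

```cpp
#include <cmath>
#include <vector>

// Build a simulated GS sequence {B_i} from Equation (12): under GSA the
// log B_i lie on a line with slope log q_beta, and the intercept is fixed
// by sum_i log B_i = log vol(L) (Equation (11)). Valid for beta < 45;
// larger beta should use a BKZ simulator instead.
std::vector<double> simulate_gs(int n, double log_vol, double beta) {
    double log_q = std::log(1.0 - std::exp(-0.0092200 * beta - 3.3919)); // Eq. (13)
    double log_b1 = log_vol / n - 0.5 * (n - 1) * log_q;                 // Eq. (11)
    std::vector<double> B(n);
    for (int i = 0; i < n; ++i)
        B[i] = std::exp(log_b1 + i * log_q);                             // Eq. (8)
    return B;
}
```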

4.2. Cost of Subalgorithms

Cost of Binary Search and Cell Enumeration.
For the cell enumeration algorithm (Algorithm 2), the asymptotic time complexity is $O((2n-1) \cdot M)$. We take $n = 60, \ldots, 160$ and $M = 1.0 \times 10^4, 1.5 \times 10^4, \ldots, 1.0 \times 10^5$, and for each parameter set $(n, M)$, we generate 100 SVP lattices at random. The fitted cost in CPU cycles is
$$T_{cell} \approx 2.4339\,nM + 108.74\,M - 17455\,n + 1334139 \tag{14}$$
For the binary search algorithm (Algorithm 3), Theorem 1 gives the asymptotic upper bound $\left(\log n + \log\frac{1}{\epsilon} + n \log\left(n \det(\mathcal{L})^{2/n}\right)\right) \times (2n-1)M$. To simplify the fitting function while retaining accuracy, we only take the dominant term of the complete expansion, which is $n \log\left(n \det(\mathcal{L})^{2/n}\right) \cdot (2n-1)M$. For the SVP challenge lattice, we have $\mathrm{vol}(\mathcal{L}) \approx 2^{10n}$. The fitted cost of $T_{bin}$ is then
$$T_{bin} \approx 0.11341\,Mn^2 + 13.155\,Mn\log n + 265.65\,M - 84679\,n + 15455380 \tag{15}$$
Both fitting functions obtained by the least square method have a coefficient of determination (R-squared) larger than 0.95 .
Cost of Decoding.
To decode one tag by running Algorithm 4, the for loop is entered $O(n)$ times, and each iteration performs $O(n)$ arithmetic operations. Therefore, $T_{decode}$ can be regarded as a quadratic function of $n$. We take $n = 60, \ldots, 160$, fix $M = 1.0 \times 10^5$ and generate 100 SVP lattices at random for each $n$. The expected runtime of the decoding algorithm is fitted by
$$T_{decode} = 0.39045\,n^2 + 167.06\,n - 4350.4 \tag{16}$$
Figure 6 shows that the fitting curve of T d e c o d e is almost strictly consistent with the experimental data. The fitting function also has a coefficient of determination (R-squared) larger than 0.95 .
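For convenience, Equations (14)-(16) can be combined directly into the iterative part of Equation (10); the sketch below (our illustration; natural logarithms assumed in the fitted terms, with $T_{repro}$ and $p_{succ}$ supplied by the models that follow) evaluates the estimate in CPU cycles:

```cpp
#include <cmath>

// Fitted per-round costs in CPU cycles (Equations (14)-(16)); the fits were
// obtained for roughly n = 60..160 on SVP challenge lattices.
double T_cell(double n, double M) { return 2.4339*n*M + 108.74*M - 17455*n + 1334139; }
double T_bin(double n, double M)  { return 0.11341*M*n*n + 13.155*M*n*std::log(n)
                                         + 265.65*M - 84679*n + 15455380; }
double T_decode(double n)         { return 0.39045*n*n + 167.06*n - 4350.4; }

// Expected cost of the main iteration (Equation (10)), ignoring T_pre;
// T_repro and p_succ must come from Section 4.2's reprocessing model and
// Section 4.3's success probability model.
double T_total(double n, double M, double T_repro, double p_succ) {
    return (T_repro + T_bin(n, M) + T_cell(n, M) + M * T_decode(n)) / p_succ;
}
```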
Cost of Reprocessing.
The cost of the k-tours-BKZ algorithm is slightly more complicated, since it iteratively calls an $O(\beta)$-dimensional SVP oracle. Our implementation of k-tours-BKZ is based on the BKZ 2.0 algorithm in the fplll library [13]. In one tour of BKZ-$\beta$, the total runtime is composed of the processing times of $n-1$ blocks. For each block $\mathcal{L}_{[i,j]} = \mathcal{L}(\mathbf{b}_i, \ldots, \mathbf{b}_j)$ with $i = 1, \ldots, n-1$ and $j = \min(n, i+\beta-1)$, the main steps are classical enumeration and LLL reduction for updating:
$$\mathrm{BlockCost}(i,j) = \mathrm{BlockProcess}(j, n, \log A) + C_{node} \cdot \mathrm{EnumCost}(i,j) \tag{17}$$
Then, the cost of k-tours-BKZ can be estimated by
$$\mathrm{BKZCost}(\mathcal{L}) = k \cdot \sum_{i=1}^{n-1} \mathrm{BlockCost}(i,j), \quad j = \min(n, i+\beta-1) \tag{18}$$
In Equation (17), $\mathrm{BlockProcess}(j, n, \log A)$ is the cost of updating the basis (Algorithm 5, line 12). The asymptotic time complexity of this part is $O(j^3 m \log A)$, dominated by the LLL reduction [33], where $A \approx 2^{10n}$ for the SVP challenge lattice. When $\beta$ is small, the cost of updating cannot be ignored. For the cost of classical pruned enumeration, $C_{node}$ is the number of CPU cycles needed to process a single node of the enumeration tree, which is reported to be about $C_{node} \approx 200$ [34]; $\mathrm{EnumCost}(i,j)$ is the total number of nodes that must be traversed to find a short vector in $\mathcal{L}_{[i,j]}$.
Letting $n = 60, \ldots, 150$, $\beta = 11, 13, \ldots, 43$ and $k = 8$, we record the cost of each stage (runtime and the number of enumeration nodes) of k-tours-BKZ-$\beta$ on 50 random lattices. Least-squares fitting gives $C_{node} \approx 205.45$ and
$$\mathrm{BlockProcess}(j, n, \log A) \approx 0.000904381 \times j^3 n^2 + 28752188 \tag{19}$$
The remaining part is $\mathrm{EnumCost}(i,j)$, the number of enumeration nodes on block $\mathcal{L}_{[i,j]}$. For a full enumeration of $\mathcal{L}_{[i,j]}$, the total number of nodes can be derived from the Gaussian heuristic and serves as a baseline enumeration cost:
$$\mathrm{FullEnumCost}(i,j) = \frac{1}{2} \sum_{k=1}^{j-i+1} \frac{V_k(\|\mathbf{b}_i^*\|)}{\prod_{l=j-k+1}^{j} \|\mathbf{b}_l^*\|} \tag{20}$$
where $V_k(R)$ denotes the volume of a k-dimensional ball with radius $R$.
However, in our implementation of k-tours-BKZ, the SVP oracle uses extreme pruning and the heuristic enumeration radius $c = \min(1.1\,\mathrm{GH}(\mathcal{L}_{[i,j]}), \|\mathbf{b}_i^*\|)$ for acceleration. We assume that, for classical enumeration on a block $\mathcal{L}_{[i,j]}$ of dimension $\beta = j - i + 1$, these methods offer a total speedup ratio $r_\beta$ that is independent of the block index $i$ and the lattice dimension $n$. The key point is to obtain an explicit expression for $r_\beta$. (An alternative (lower-bound) estimation of enumeration cost is provided by Chen and Nguyen [29], with the coefficients of their model given in the LWE estimator [35]; however, their model is better suited to very large $\beta$ and is not very precise for small blocksizes.)
$$r_\beta = \frac{\mathrm{FullEnumCost}_\beta}{\mathrm{ExtremeEnumCost}_\beta} \tag{21}$$
The value of FullEnumCost_β can be calculated by Equation (20) with the GS sequence {‖b_i*‖}_{i=1}^n, and the actual number of enumeration nodes ExtremeEnumCost_β is obtained from experiments. To fit r_β, we ran k-tours-BKZ_β on BKZ_β-reduced bases with n = 60, …, 150 and β = 11, 13, …, 43, recorded the number of enumeration nodes, and gathered and averaged all data with the same blocksize. It is well known that extreme pruning offers an exponential speedup [12], and tightening the radius leads to a further superexponential speedup. We therefore assume r_β ∈ exp(O(β log β)), and fitting yields
$$\log r_\beta = 0.35461\,\beta \log \beta - 1.5331\,\beta + 4.8982\,\log \beta - 2.9084$$
Figure 7 shows the fitting results and the value of r β in experiments, reflecting that the assumptions we made are reasonable.
To predict EnumCost(i, j) without any information on a specific lattice basis, the GS sequence contained in Equation (21) should be replaced by the simulated values {B_1, B_2, …, B_n} derived by solving the equation set (12) or by the BKZ simulator.
Algorithm 6 gives the procedures of calculating T r e p r o , i.e., the cost of reprocessing.
Algorithm 6 Calculating T_repro
 Require:
β, lattice dimension n, k, vol(L)
 Ensure:
The running time T_repro of reprocessing with k-tours-BKZ_β
1: if β < 45 then
2:    Find the GS slope q corresponding to β                // see Table 1 or Equation (13)
3:    log B_1 ← (1/n) log vol(L) − ((n − 1)/2) log q        // Equation (11)
4:    B_1 ← exp(log B_1)
5:    for i = 2 to n do
6:        log B_i ← (i − 1) · log q + log B_1               // Equation (8)
7:        B_i ← exp(log B_i)
8:    end for
9: else
10:   {B_i}_{i=1}^n ← BKZSim()                              // use the BKZ simulator in [30], Algorithm 3
11: end if
12: Cost ← 0
13: for i = 1 to n − 1 do
14:   β′ ← min(β, n − i + 1)
15:   r_{β′} ← exp(0.35461 β′ log β′ − 1.5331 β′ + 4.8982 log β′ − 2.9084)        // Equation (22)
16:   Cost ← Cost + (1/r_{β′}) · FullEnumCost(B_i, …, B_{i+β′−1}) + BlockProcess(i + β′ − 1, n)        // Equation (20) with ‖b_i*‖ replaced by B_i
17: end for
18: return k · C_node · Cost
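A compact Python transcription of Algorithm 6 may clarify how the pieces fit together; the sketch below covers only the GSA branch (β < 45), reuses the full_enum_cost helper sketched after Equation (20), and takes the slope q from Table 1 / Equation (13) as an input. It is an illustration under these assumptions, not the paper's implementation.

```python
# Sketch of Algorithm 6 (cost of reprocessing), GSA branch only (beta < 45).
# Constants follow Equations (19) and (22); `q` must be supplied from
# Table 1 / Equation (13); `full_enum_cost` is the helper sketched earlier.
from math import exp, log

C_NODE = 205.45  # fitted cycles per enumeration node (Section 4.2)

def r_beta(beta):
    """Fitted speedup ratio of extreme pruning over full enumeration, Eq. (22)."""
    return exp(0.35461 * beta * log(beta) - 1.5331 * beta
               + 4.8982 * log(beta) - 2.9084)

def block_process(j, n):
    """Fitted cost of the basis update on one block, Equation (19)."""
    return 0.000904381 * j**3 * n**2 + 28752188.0

def t_repro(beta, n, k, log_vol, q):
    """Expected cost (cycles) of reprocessing with k-tours-BKZ_beta under GSA."""
    log_b1 = log_vol / n - 0.5 * (n - 1) * log(q)                    # Equation (11)
    gs = [exp((i - 1) * log(q) + log_b1) for i in range(1, n + 1)]   # Equation (8)
    cost = 0.0
    for i in range(1, n):                                            # blocks i = 1..n-1
        b = min(beta, n - i + 1)
        block = gs[i - 1:i - 1 + b]
        cost += (full_enum_cost(block, 1, b) / r_beta(b)
                 + block_process(i + b - 1, n))
    return k * C_NODE * cost                                         # line 18 of Algorithm 6
```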

4.3. Success Probability

Under the Gaussian heuristic, the success probability of pruned enumeration reduces directly to computing the volume of the pruning set. For discrete pruning, the pruning set has always been treated as a union of "ball–box intersections", whose volume is not easy to compute. Aono and Nguyen [23] proposed an efficient numerical method based on the fast inverse Laplace transform (FILT) to compute the volume of a single "ball–box intersection" C(t) ∩ Ball_n(R) and used stratified sampling to deduce the total volume of the union.
However, the imperfections in the original randomness assumption (Assumption 2) reduce the accuracy of the success probability model for discrete pruning. Consider two cells with tags t = [t_1, …, t_k, 0, …, 0] and t′ = [t_1, …, t_k + 1, 0, …, 0], with t_k ≠ 0. If t_k is odd, i.e., t is odd-ended and t′ is the corresponding even-ended tag, they have different success probabilities according to the model of [23], even though the lattice vectors contained in C(t) and C(t′) have exactly the same length.
Figure 8 illustrates the gap at a larger scale. For the parameter settings n = 60, …, 84, M = 50,000 and β = 20, 30, we used 30 BKZ_β-reduced n-dimensional lattice bases to compute the average theoretical success probability p_succ,odd of the M odd-ended cells enumerated by Algorithm 2, as well as p_succ,even of their corresponding even-ended cells, both using the method of [23]. Then, we ran a complete DP enumeration on each lattice basis with the same parameters and recorded the number of iteration rounds. Figure 8 shows that the actual number of rounds of DP enumeration falls in the apparent gap between the expected values 1/p_succ,odd and 1/p_succ,even, estimated with odd-ended and even-ended cells, respectively.
This phenomenon calls for a proper rectification of the success probability model. As a matter of fact, Proposition 1 and the rectified Assumption 3 in Section 3.1 indicate that the lattice point is actually randomly distributed on a hyperplane contained in C(t) ∩ Ball_n(R), which can be described by the assumption below:
Assumption 4.
Given lattice basis B and its orthogonal basis B*, for a tag vector t = [t_1, …, t_k, 0, …, 0] with t_k ≠ 0, the lattice vector of C(t) can be considered to be uniformly distributed over C′(t) ⊂ C(t), where
$$C'(t) \overset{\mathrm{def}}{=} \left\{ \sum_{i=1}^{n} x_i \mathbf{b}_i^*,\ x_i \in \mathbb{R} \ \middle|\ \begin{cases} x_i \in \left[-\frac{t_i+1}{2}, -\frac{t_i}{2}\right] \cup \left[\frac{t_i}{2}, \frac{t_i+1}{2}\right] & \text{for } i < k \\ x_k = u_k \text{ as defined in Equation (3)} \\ x_{k+1} = \cdots = x_n = 0 \end{cases} \right\}$$
This assumption gives a more precise distribution of the lattice vector in the cell. In fact, C′(t) is (a translate of) the union of 2^{k−1} (k − 1)-dimensional "boxes", formally denoted by
$$C_{k-1}(t) \overset{\mathrm{def}}{=} \left\{ \sum_{i=1}^{k-1} x_i \mathbf{b}_i^*,\ x_i \in \left[-\frac{t_i+1}{2}, -\frac{t_i}{2}\right] \cup \left[\frac{t_i}{2}, \frac{t_i+1}{2}\right] \right\}$$
Based on Proposition 1 and the new assumption on the lattice vector distribution, we redefine the success probability of DP enumeration on a single cell. For a cell C(t) with t = [t_1, …, t_k, 0, …, 0], t_k ≠ 0, writing the lattice vector v ∈ C(t) as v = Σ_{j=1}^n u_j b_j*, the probability that ‖v‖ ≤ R is defined by
$$p_{succ}(t) \overset{\mathrm{def}}{=} \Pr_{v \in C(t)}\left[\|v\|^2 \le R^2\right] = \Pr_{v \in C(t)}\left[\sum_{i=1}^{k-1} u_i^2 \|\mathbf{b}_i^*\|^2 < R^2 - u_k^2 \|\mathbf{b}_k^*\|^2\right] = \frac{\mathrm{vol}\left(\mathrm{Ball}_{k-1}\!\left(\sqrt{R^2 - u_k^2 \|\mathbf{b}_k^*\|^2}\right) \cap C_{k-1}(t)\right)}{\mathrm{vol}(C_{k-1}(t))} = \frac{\mathrm{vol}\left(\mathrm{Ball}_{k-1}\!\left(\sqrt{R^2 - u_k^2 \|\mathbf{b}_k^*\|^2}\right) \cap C_{k-1}(t)\right)}{\prod_{i=1}^{k-1} \|\mathbf{b}_i^*\|}$$
Let $R' = \sqrt{R^2 - u_k^2 \|\mathbf{b}_k^*\|^2}$, $\alpha_i = \frac{t_i \|\mathbf{b}_i^*\|}{2R'}$ and $\beta_i = \frac{(t_i + 1)\|\mathbf{b}_i^*\|}{2R'}$; then, the numerator in Equation (24) can be written as
$$\mathrm{vol}\left(\mathrm{Ball}_{k-1}(R') \cap C_{k-1}(t)\right) = 2^{k-1} \cdot R'^{\,k-1} \cdot \prod_{i=1}^{k-1} (\beta_i - \alpha_i) \cdot \Pr_{(x_1, \ldots, x_{k-1}) \in \prod_{i=1}^{k-1} [\alpha_i, \beta_i]}\left[\sum_{i=1}^{k-1} x_i^2 \le 1\right]$$
Then, the calculation of p_succ(t) reduces to computing the distribution of the sum of the k − 1 independent variables x_1², …, x_{k−1}², which can be approximated by the FILT method combined with the Euler transformation. The details of these methods are given in Appendix B.
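Before invoking the FILT machinery, the probability term in Equation (25) can be sanity-checked by plain Monte Carlo sampling; the sketch below is a cross-check we suggest, not the method used in the implementation.

```python
# Monte Carlo estimate of Pr[x_1^2 + ... + x_{k-1}^2 <= 1] with x_i uniform on
# [alpha_i, beta_i], i.e., the last factor of Equation (25). Multiplying the
# result by 2^{k-1} * R'^{k-1} * prod(beta_i - alpha_i) recovers the numerator
# volume of Equation (24).
import random

def prob_in_unit_ball(alphas, betas, samples=200_000):
    hits = 0
    for _ in range(samples):
        s = sum(random.uniform(a, b) ** 2 for a, b in zip(alphas, betas))
        if s <= 1.0:
            hits += 1
    return hits / samples
```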
For a set of tags U , which is the output of cellENUM (Algorithm 2), the total success probability of finding a short lattice vector among U is
$$p_{succ} \approx \min\left(1, \sum_{t \in \mathcal{U}} p_{succ}(t)\right)$$
To extrapolate the probability model to higher-dimensional SVP instances without performing any time-consuming computation of real lattice reduction, the concrete value of the GS sequence involved in the calculation of p s u c c should be replaced by the simulated GS sequence { B 1 , B 2 , , B n } .
Figure 9 verifies the accuracy of the rectified success probability model (Equations (24) and (26)). We take SVP instances with n = 60, …, 84, β = 20, 30 and M = 50,000 as examples and run the DP enumeration algorithm to solve the SVP challenge on each instance, recording the total number of iteration rounds. The experiment was repeated 30 times for each parameter set to obtain an average value. The dashed line shows the expected number of rounds 1/p_succ calculated with the original {‖b_i*‖}_{i=1}^n of the real reduced basis, and the dotted line was calculated with the simulated GS sequence {B_i}_{i=1}^n only. The results illustrate that the rectified model gives a more precise estimation of the success probability than the original method of [23].

4.4. Simulator for DP Enumeration

Based on all the work in this section, the runtime of DP enumeration can be estimated by Algorithm 7, shown below. This simulator needs only minimal information about the lattice L.
Algorithm 7 DP-simulator
 Require:
Lattice dimension n and volume vol(L), k, β, M, target length R of SVP
 Ensure:
Expected runtime (CPU cycles) to find v ∈ L such that ‖v‖ ≤ R by DP enumeration
1: if β < 45 then
2:    Generate the simulated GS sequence B_1, …, B_n by solving Equation (12)
3: else
4:    Generate the simulated GS sequence B_1, …, B_n by the BKZ simulator
5: end if
6: Calculate r_β by Equation (22)
7: Calculate T_repro by calling Algorithm 6 with parameters (β, n, k, vol(L))
8: Calculate T_cell by Equation (14) with M, n
9: Calculate T_bin by Equation (15) with M, n
10: Calculate T_decode by Equation (16) with n
11: Call Algorithms 2 and 3 with B_1, …, B_n as the GS sequence and output the M tags with minimal values of f(t)
12: Calculate the total success probability p_succ on the M tags, with GS sequence B_1, …, B_n
13: return (T_repro + T_bin + T_cell + M · T_decode) / p_succ
Remark 4.
The simulation method for the GS sequence (lines 1–5) only works for lattice bases that satisfy the GSA. For lattices that lack good "randomness" and do not satisfy the GSA, one has to run a real BKZ_β reduction algorithm on several lattice bases and compute an averaged GS sequence B_1, …, B_n as a good simulation of {‖b_i*‖}_{i=1}^n.

5. The Optimal Parameters for DP-ENUM

To solve a certain SVP instance, the parameters of DP enumeration that need to be manually determined are as follows: β of BKZ reduction algorithm, k of preprocessing and M of cell enumeration.
It should be noted that k can be a fixed constant: there is no need to set a very large k because of the "diminishing returns" of lattice reduction, i.e., the improvement in basis quality slows down as k increases. We heuristically set k = 8 for SVP instances with n ≤ 200, which is roughly consistent with the observation in [32] (see Section 2.5 of [32]). Then, only β and M need to be determined, under the restrictions 0 < β ≤ n and M > 0. The two parameters should minimize the total cost of DP enumeration, i.e., the value of Equation (10). This value is calculated by Algorithm 7 and can hardly be represented by a differentiable function. The Nelder–Mead simplex method is an effective way to solve this type of optimization problem, and since there are only two independent variables, it is reasonable to expect that it converges quickly to the optimal solution.
Algorithm 8 gives the optimal values of β , M for a certain SVP instance based on the standard version of the Nelder–Mead method.
Table 2 gives some concrete optimal parameter sets for solving medium-size SVP challenges (R = 1.05·GH(L)) together with the corresponding estimated running times. For medium-size SVP challenges, the optimal parameter set basically follows M ≈ 10^5 and β < n/2, and neither parameter increases very rapidly with n.
Algorithm 8 Finding optimal parameters for DP enumeration
 Require:
lattice dimension n, lattice volume vol(L) and the target vector length R of SVP
 Ensure:
(β, M) that minimizes the output of DP-simulator(n, β, M, R)
1: S(β, M) := DP-simulator(n, β, M, R) + P(β, M)        // P(β, M) is a penalty function to keep the parameters inside the feasible region, i.e., to penalize β > n or M < 0
2: N ← 2        // 2 independent variables
3: Select initial points x_1 = [β_1, M_1], …, x_{N+1} = [β_{N+1}, M_{N+1}] at random
4: while true do
5:    Reorder the N + 1 points such that S(x_1) < ⋯ < S(x_{N+1})
6:    y_1 ← S(x_1), …, y_{N+1} ← S(x_{N+1})
7:    if |β_1 − β_{N+1}| < 2 and |M_1 − M_{N+1}| < 1000 then
8:        break
9:    end if
10:   x_m ← (1/N) Σ_{i=1}^{N} x_i        // centroid of the N best points
11:   x_r ← 2x_m − x_{N+1}        // reflection
12:   y_r ← S(x_r)
13:   if y_1 ≤ y_r < y_N then
14:       x_{N+1} ← x_r
15:       continue
16:   else if y_r < y_1 then        // expansion
17:       x_e ← x_m + 2(x_r − x_m)
18:       if S(x_e) < y_r then
19:           x_{N+1} ← x_e
20:       else
21:           x_{N+1} ← x_r
22:       end if
23:   else if y_N ≤ y_r < y_{N+1} then        // contraction (outside)
24:       x_c ← x_m + (x_r − x_m)/2
25:       if S(x_c) < y_r then
26:           x_{N+1} ← x_c
27:           continue
28:       end if
29:   else        // contraction (inside)
30:       x_c ← x_m + (x_{N+1} − x_m)/2
31:       if S(x_c) < y_r then
32:           x_{N+1} ← x_c
33:           continue
34:       end if
35:   end if
36:   for i = 2 to N + 1 do        // shrink
37:       x_i ← x_1 + (x_i − x_1)/2
38:   end for
39: end while
40: return the optimal point x_min ← x_1 = [β_1, M_1] and the corresponding cost estimation S(x_min)
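In practice, one does not have to hand-roll the simplex steps: the same search can be delegated to an off-the-shelf Nelder–Mead routine. The sketch below uses scipy; dp_simulator is a placeholder standing in for Algorithm 7 (replaced here by a dummy smooth surrogate so the example runs), and the penalty term plays the role of P(β, M).

```python
# Sketch: optimizing (beta, M) with scipy's Nelder-Mead instead of Algorithm 8.
# `dp_simulator` is a placeholder for Algorithm 7; swap in the real simulator.
from scipy.optimize import minimize

def dp_simulator(n, beta, M, R):
    # Dummy convex surrogate so the sketch is runnable; NOT the real cost model.
    return 1e9 * (beta - n / 3.0) ** 2 + (M - 1.2e5) ** 2

def objective(x, n, R):
    beta, M = x
    if not (0 < beta <= n) or M <= 0:     # role of the penalty P(beta, M)
        return 1e30
    return dp_simulator(n, round(beta), M, R)

n, R = 100, 1.0
res = minimize(objective, x0=[n / 2, 5e4], args=(n, R), method="Nelder-Mead",
               options={"xatol": 1.0, "fatol": 1e6})
print(round(res.x[0]), int(res.x[1]))     # approximately optimal (beta, M)
```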

6. Experiments and Analysis

We compared the performance of our optimized DP enumeration with different SVP solvers, including polynomial-space extreme pruned enumeration and exponential-space sieving. For each n, the experiments were repeated on 40 different SVP challenge instances. We ran our optimized DP enumeration with the parameters given by Algorithm 8. The lattice dimension n ranged from 60 to 110, and the time cost predicted by the DP simulator is also provided. The extreme pruned enumeration was implemented with the fplll library [13] using the default pruning function, up to n = 90. The sieving data were obtained with the G6K library [36] using the dimension-for-free method, i.e., G6K's WorkOut (s = 0, f+ = 1), from n = 60 to 110. Figure 10 illustrates the prediction of the DP simulator, as well as the experimental results of our optimized DP enumeration, extreme pruning and G6K sieving.
The experiments confirm the accuracy of the cost model proposed in Section 4. The prediction (orange dotted line) is quite consistent with the actual performance of DP enumeration (orange broken line). For n ≤ 75, the DP enumeration algorithm sometimes finds a solution before the first round ends, so the actual running time is slightly smaller than the simulated time. However, for n > 80, our implementation of DP enumeration (with the optimal parameter set) coincides with the DP simulator very well.
Compared with extreme pruning, Figure 10 shows that for n ≥ 67 the optimized DP enumeration has a shorter runtime than the state-of-the-art extreme pruned enumeration. As for sieving, Albrecht et al. [37] observed that the state-of-the-art sieving algorithms outperform classical enumeration at dimension n ≈ 70, which is also verified in our experiments. The experimental results reveal that the crossover point of DP enumeration and sieving is around n ≈ 82, an update of the crossover dimension between enumeration and sieving.
In addition to the experimental performance, we also compared the asymptotic behavior of extreme pruned enumeration, G6K sieving and our implementation.
A commonly accepted cost model of extreme pruned enumeration originates from the work of Chen and Nguyen at ASIACRYPT '11 [29]. An explicit fitting function is given by the LWE estimator's estimator.BKZ.CheNgu12 [35]:
$$T_{\mathrm{CN11}} = C_{node} \times 2^{0.27019\, n \ln(n) - 1.0192\, n + 16.103}$$
However, a more recent work [38] (denoted by [ABF+20] in Figure 11) suggests that the fitting formula should strictly follow the form $2^{\frac{1}{2e} n \log(n) + an + b}$, and their fit of [29] is
$$T_{\mathrm{extreme}} = C_{node} \times 2^{\frac{1}{2e} n \log(n) - 0.995\, n + 16.25}$$
The time complexity of sieving is believed to be $2^{0.292 n + o(n)}$ [10], and G6K reports an even better result by fitting [37]:
$$T_{\mathrm{sieve}} = 2^{0.249\, n - 14.7} \times \mathrm{CPUfreq}$$
Here, CPUfreq = 2.3 × 10 9 according to their implementation; thus, the metric of T sieve is unified to CPU cycles.
Since the cost model of (optimized) DP enumeration accurately estimates the actual runtime in high dimensions, we used the DP simulator with optimal parameter sets to predict the runtime of discrete pruning on SVP challenge instances (from n = 80 to n = 160) and derive an asymptotic prediction. We required the fitting function to have the fixed form $2^{\frac{1}{2e} n \log(n) + an + b}$ for consistency with [38]. The fitting result is
$$T_{\mathrm{discrete}} = 2^{\frac{1}{2e} n \log(n) - 1.0232\, n + 24.590}$$
Figure 11 shows the asymptotic behavior of extreme pruned enumeration (T_extreme), sieving with the dimension-for-free technique (T_sieve) and the fitted DP simulator cost (T_discrete). Both the experimental and the asymptotic comparisons indicate that discrete pruned enumeration may have more practical potential than (classical) extreme pruning for solving high-dimensional SVP, and it might become the most efficient polynomial-space SVP solver known to date.
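As a quick sanity check, the crossover dimensions can be recomputed from the three fitted models; the sketch below compares log2-costs, taking C_node = 200 as reported in [34] and CPUfreq = 2.3 × 10^9 from [37]. Being asymptotic fits, they reproduce the sieving crossover near n ≈ 82, but they should not be expected to match the low-dimensional experimental crossover with extreme pruning (n ≈ 67) exactly.

```python
# Sketch: compare the fitted cost models T_extreme, T_sieve and T_discrete
# (Equations (28)-(30)) in log2(CPU cycles) and locate crossover dimensions.
from math import e, log2

C_NODE = 200.0        # cycles per enumeration node, as reported in [34]
CPU_FREQ = 2.3e9      # Hz, from the G6K experiments [37]

def lg_extreme(n):
    return log2(C_NODE) + n * log2(n) / (2 * e) - 0.995 * n + 16.25

def lg_sieve(n):
    return 0.249 * n - 14.7 + log2(CPU_FREQ)

def lg_discrete(n):
    return n * log2(n) / (2 * e) - 1.0232 * n + 24.590

dp_cross = next(n for n in range(30, 300) if lg_discrete(n) < lg_extreme(n))
sieve_cross = next(n for n in range(60, 300) if lg_sieve(n) < lg_discrete(n))
print("DP enumeration beats extreme pruning (per fits) from n =", dp_cross)
print("sieving overtakes DP enumeration near n =", sieve_cross)
```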

7. Conclusions

In this paper, the discrete pruned enumeration algorithm for solving SVP was thoroughly studied and improved. We refined the mathematical theory underlying DP enumeration and proposed several improvements that make the algorithm more practical. The most valuable part is our discrete pruning simulator, which combines theoretical analysis with a number of numerical techniques. The experimental results verify that the DP simulator precisely predicts the performance of DP enumeration. For a given SVP instance, the DP simulator can be used to find optimal parameters that minimize the DP enumeration runtime; the simulator also outputs explicit time and space consumption. Based on the simulation experiments, we believe that the time complexity of DP enumeration remains superexponential and its space complexity remains linear, which does not change the general conclusions about enumeration algorithms.
When comparing our implementation with extreme pruned enumeration, we showed that DP enumeration under optimal parameter settings outperforms extreme pruning for n ≥ 67. Comparing it with the state-of-the-art exponential-space SVP algorithm, sieving with dimensions for free [36,37], we report an updated crossover point between enumeration and sieving at n ≈ 82, which is slightly higher than previously observed. At higher dimensions (80 < n < 300), we compared the asymptotic behavior of DP enumeration, extreme pruned enumeration and sieving, which also shows the advantage of the discrete pruning method over other polynomial-space SVP solvers.
We provide the analytical cost formula of DP enumeration as an asymptotic estimation for cryptanalysis reference, and we hope that the open-source implementation of this work could help cryptologists to further develop the algorithm.
There are several possible directions for improvement:
  • Using a stronger reduction algorithm: as the results indicate, DP enumeration outperforms classical enumeration with extreme pruning for n ≥ 67, which suggests that the BKZ algorithm used for preprocessing and reprocessing should itself use DP enumeration as its SVP oracle to achieve higher efficiency; sieving is also an alternative SVP oracle. The progressive BKZ structure [34] also shows great potential, although it has a very complicated runtime estimator.
  • Analyzing the efficiency of various heuristic methods: Fukase and Kashiwabara [18] tried to improve the quality of the basis by inserting short lattice vectors into it, but this has little theoretical support. Since this method influences p_succ in every round, the success probability model of the FK algorithm would have to be modified.
  • A parallelized implementation of DP enumeration, as well as an adaptive optimization model.

Author Contributions

Conceptualization and methodology, L.L.; writing—original draft preparation, L.L.; supervision, C.G.; writing—review and editing, Y.Z. and Y.S.; All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Publicly available data was analyzed in this study. These data can be found here: http://www.latticechallenge.org/svp-challenge/, accessed on 30 December 2022.

Acknowledgments

The authors would like to thank Léo Ducas of CWI Amsterdam for his useful comments on this work. We also thank Hao Liang of IHEP (The Institute of High Energy Physics of the Chinese Academy of Sciences) for helping us improve the numerical calculation skills.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. Proof of Theorem 1

Let $\bar{f}(t) = \sum_{i=1}^n \bar{f}(i, t_i) = \sum_{i=1}^n (t_i^2 + t_i)\|\mathbf{b}_i^*\|^2$ be the original objective function proposed in [24]. We only prove Theorem 1 in the case that Algorithm 3 uses f̄(t) as the objective function. When the GSA holds, f̄(t) ≈ f(t), and we assume the conclusion for f(t) is asymptotically the same as in the f̄(t) case.
We note that the initial value $R_1 \leftarrow \sum_{i=1}^n \bar{f}(i, M^{1/n})$ guarantees that there are at least M tags such that f̄(t) < R_1, which is a necessary condition for the correctness of Algorithm 3.
Proof. 
Let $R_0 = 0$, $R_1 = \sum_{i=1}^n \bar{f}(i, M^{1/n})$, and denote an n-dimensional ellipsoid by
$$E_n(a, R) = \left\{ x \in \mathbb{R}^n : \sum_{i=1}^n \frac{x_i^2}{a_i^2} \le R \right\}$$
In Algorithm 3, for any R ∈ [R_0, R_1], the inequality f̄(t) ≤ R is equivalent to
$$\sum_{i=1}^n \bar{f}(i, t_i) = \sum_{i=1}^n \left(t_i + \frac{1}{2}\right)^2 \|\mathbf{b}_i^*\|^2 - \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2 \le R,$$
i.e.,
$$\sum_{i=1}^n \left(t_i + \frac{1}{2}\right)^2 \|\mathbf{b}_i^*\|^2 \le R + \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2$$
The number of tags t ∈ ℤⁿ satisfying the inequality above is exactly the number of integer points in an n-dimensional ellipsoid centered at (−1/2, …, −1/2). To simplify the problem, we assume that translating the ellipsoid does not change the total number of integer points in it, so we can focus on a centrosymmetric ellipsoid E_n(a, R′), where $a_i = \frac{1}{\|\mathbf{b}_i^*\|}$ and $R' = R + \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2$. Then, we define
$$M(R) \overset{\mathrm{def}}{=} \#\{t : \bar{f}(t) \le R\} \approx \#\left(E_n(a, R') \cap \mathbb{Z}^n\right)$$
Clearly, M(R) is a monotone non-decreasing function of R. Assume that the binary search of Algorithm 3 terminates at the k-th iteration, and denote the lower and upper bounds of the radius by R_l^k and R_r^k; then $(1-\epsilon)M_0 \le M\!\left(\frac{R_r^k + R_l^k}{2}\right) \le (1+\epsilon)M_0$, with M_0 being the input of Algorithm 3. The goal of our proof is to find a ΔR such that R_r^k − R_l^k > ΔR holds for all possible terminating values of (R_l^k, R_r^k); then, it is easy to see that the binary search ends within $\log\frac{R_1 - R_0}{\Delta R}$ rounds of iteration.
Now, assume R_l^k, R_r^k satisfy $M(R_l^k) < (1-\epsilon)M_0 \le M\!\left(\frac{R_r^k + R_l^k}{2}\right) \le (1+\epsilon)M_0 < M(R_r^k)$. Then, we have
$$M(R_r^k) - M(R_l^k) > 2\epsilon M_0$$
Let $A_n(x) = \#\left(E_n(a, x) \cap \mathbb{Z}^n\right)$ with $x = R + \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2$; we can investigate the asymptotic behavior of M(R) by estimating the value of A_n(x).
There are mature results on the estimation of A_n(x) [39,40]; A_n(x) can be written as
$$A_n(x) = \frac{V(B_n)}{\prod_{i=1}^n \|\mathbf{b}_i^*\|}\, x^{n/2} + P_n(x)$$
where $P_n(x) \ll x^{\frac{n}{2}\cdot\frac{n-1}{n+1}} = o\!\left(x^{n/2}\right)$, and V(B_n) is the volume of the n-dimensional unit ball:
$$V(B_n) = \frac{\pi^{n/2}}{\Gamma\!\left(\frac{n}{2} + 1\right)} \approx \left(\frac{2\pi e}{n}\right)^{n/2}$$
Although M(R) is a discrete function of R, we can use the value of A_n(x) at $x = R + \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2$ as an approximation. In this case, $A_n(x) = O(x^{n/2})$ in an asymptotic sense; then, by the Lagrange mean value theorem, for $x_l^k = R_l^k + \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2$ and $x_r^k = R_r^k + \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2$, there exists $x_\xi \in (x_l^k, x_r^k)$ such that
$$\frac{A_n(x_r^k) - A_n(x_l^k)}{x_r^k - x_l^k} = A_n'(x_\xi) \sim n\, x_\xi^{\frac{n}{2}-1} < n\, (x_r^k)^{\frac{n}{2}-1}$$
Combining Equations (A1) and (A3), we have
$$R_r^k - R_l^k = x_r^k - x_l^k = \frac{A_n(x_r^k) - A_n(x_l^k)}{A_n'(x_\xi)} \ge \frac{2\epsilon M_0}{n\, (x_r^k)^{n/2-1}}$$
Therefore, the total number of iterations of Algorithm 3 is at most
$$\log \frac{R_1 - R_0}{R_r^k - R_l^k} < \log n + \frac{n}{2} \log\!\left(R_1 + \frac{1}{4}\sum_{i=1}^n \|\mathbf{b}_i^*\|^2\right) - \log(2\epsilon M_0) = \log n + \frac{n}{2}\log\!\left(\left(M_0^{1/n} + \frac{1}{2}\right)^2 \mathrm{GSS}(B)\right) - \log(2\epsilon M_0)$$
where $\mathrm{GSS}(B) = \sum_{i=1}^n \|\mathbf{b}_i^*\|^2 \ge n \det(L)^{2/n}$. By further approximation and simplification, the algorithm ends in at most $O\!\left(\log n + \log\frac{1}{\epsilon} + n\log\!\left(n\det(L)^{2/n}\right)\right)$ rounds. □

Appendix B. Calculating Success Probability by FILT and Euler Transformation

In this part, we introduce some detailed derivation of the numerical methods for computing success probability.
Let x_i be uniformly distributed on [α_i, β_i]; then, the probability density function of x_i² is
$$\rho_{x_i^2}(z) = \begin{cases} \dfrac{1}{2(\beta_i - \alpha_i)\sqrt{z}}, & z \in [\alpha_i^2, \beta_i^2] \\ 0, & \text{otherwise} \end{cases}$$
Therefore, the p.d.f. of $\sum_{i=1}^n x_i^2$ is
$$\rho_{\sum_{i=1}^n x_i^2}(z) = \rho_{x_1^2} * \rho_{x_2^2} * \cdots * \rho_{x_n^2}(z)$$
where "∗" denotes the convolution operation $f * g(z) \overset{\mathrm{def}}{=} \int_0^z f(\tau)\, g(z-\tau)\, d\tau$.
To estimate the success probability of DP enumeration, our goal is to calculate $\Pr\left[\sum_{i=1}^n x_i^2 \le 1\right]$.
Step 1. Fast inverse Laplace transform
Theorem A1.
If the random variable X is non-negative and has p.d.f. p(x), then the c.d.f. of X is
$$D(x) = \mathcal{L}^{-1}\left[\frac{1}{s}\, \mathcal{L}\{p\}(s)\right](x)$$
Here, the symbol ℒ refers to the Laplace transform, which satisfies
$$\mathcal{L}\left\{\rho_{\sum_{i=1}^n x_i^2}\right\} = \mathcal{L}\{\rho_{x_1^2}\} \cdot \ldots \cdot \mathcal{L}\{\rho_{x_n^2}\}$$
Then, our goal is to calculate the value
$$D(1) = \Pr\left[\sum_{i=1}^n x_i^2 \le 1\right] = \mathcal{L}^{-1}\left[\frac{1}{s}\,\mathcal{L}\left\{\rho_{\sum_{i=1}^n x_i^2}\right\}(s)\right](t)\,\Big|_{t=1}$$
Note that s ∈ ℂ, since the inverse Laplace transform is an integral in the complex plane along a path perpendicular to the real axis.
To calculate D(1) in Equation (A6), we first perform the Laplace transform
$$F(s) \overset{\mathrm{def}}{=} \frac{1}{s}\,\mathcal{L}\left\{\rho_{\sum_{i=1}^n x_i^2}\right\}(s) = \frac{1}{s}\,\mathcal{L}\{\rho_{x_1^2}\}\cdots\mathcal{L}\{\rho_{x_n^2}\} = \frac{\pi^{n/2}}{s^{\frac{n}{2}+1}} \prod_{i=1}^n \frac{\mathrm{erf}(\beta_i \sqrt{s}) - \mathrm{erf}(\alpha_i \sqrt{s})}{2(\beta_i - \alpha_i)}$$
and then apply the inverse Laplace transform:
$$D(1) = \Pr\left[\sum_{i=1}^n x_i^2 \le 1\right] = \frac{1}{2\pi i}\int_{c-i\infty}^{c+i\infty} F(s)\,e^{st}\,ds\,\Big|_{t=1} = \frac{1}{2\pi i}\int_{c-i\infty}^{c+i\infty} F(s)\,e^{s}\,ds = \frac{1}{2\pi i}\int_{c-i\infty}^{c+i\infty} \frac{\pi^{n/2}}{s^{\frac{n}{2}+1}} \prod_{j=1}^n \frac{\mathrm{erf}(\beta_j\sqrt{s}) - \mathrm{erf}(\alpha_j\sqrt{s})}{2(\beta_j - \alpha_j)}\, e^s\, ds$$
Step 2. Approximate integral calculation with series
Substituting the approximation of e^s in the complex plane
$$e^s \approx E_{ec}(s, a) \overset{\mathrm{def}}{=} \frac{\exp(a)}{2\cosh(a - s)} = \frac{e^a}{2}\sum_{m=-\infty}^{+\infty} \frac{i\,(-1)^m}{s - a - \left(m - \frac{1}{2}\right)\pi i}$$
into Equation (A7) (here, the value of a should guarantee the convergence of the series; for example, Hosono [41] claimed that the error is very small when a ≫ 1, and Aono and Nguyen [23] recommended a = max(50, 30 + 3n)), we notice that the integrand has singularities $s_m = a + \left(m - \frac{1}{2}\right)\pi i$, m = 1, …, ∞. (In Equation (A7), the integration path should be to the right of all singularities, i.e., c > a. In addition, since s is a complex variable, the argument of √s in F(s) should satisfy |arg(√s)| < π/4 to be consistent with the integration path.)
According to the residue theorem and Jordan's lemma, Equation (A7) can be approximated by
$$D(1) \approx e^a \cdot \sum_{m=1}^{+\infty} (-1)^m\, \mathrm{Im}\, F\!\left(a + \left(m - \frac{1}{2}\right)\pi i\right)$$
Step 3. Using Euler transformation to accelerate the convergence of series
Since the series in Equation (A8) converges slowly, the Euler transformation is a practical method to accelerate convergence, allowing us to approximate the infinite series with fewer terms.
Let $F_m = \mathrm{Im}\, F\!\left(a + \left(m - \frac{1}{2}\right)\pi i\right)$; then, the value of Equation (A8) can be calculated with finitely many terms:
$$\sum_{m=1}^{+\infty} (-1)^m F_m \approx \sum_{m=1}^{K} (-1)^m F_m + (-1)^K \sum_{j=1}^{J} (-1)^j\, \frac{\Delta^{j-1} F_{K+1}}{2^j}$$
where $\Delta^{j-1} F_{K+1} = \sum_{i=0}^{j-1} (-1)^i \binom{j-1}{i} F_{K+j-i}$ is the forward difference, which can be computed iteratively by the van Wijngaarden transformation. In our implementation, we set K = 40 and J = 30 by default.
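Steps 1–3 can be transcribed almost literally with mpmath, whose erf accepts complex arguments. The sketch below follows Equations (A7)–(A9) with a = max(50, 30 + 3n) and (K, J) = (40, 30) as in the text, and raises the working precision because the factor e^a amplifies rounding errors; it is a direct transcription for illustration, not the optimized implementation.

```python
# Sketch of Appendix B: Pr[sum x_i^2 <= 1] via FILT (Eq. (A7)-(A8)) plus the
# Euler transformation (Eq. (A9)). mpmath's erf handles complex arguments.
import mpmath as mp

def filt_probability(alphas, betas, K=40, J=30):
    n = len(alphas)
    a = max(50, 30 + 3 * n)              # choice recommended in [23]
    mp.mp.dps = 30 + int(a)              # e^a amplifies cancellation errors

    def F(s):                            # Equation (A7)
        rs = mp.sqrt(s)
        val = mp.pi ** (mp.mpf(n) / 2) / s ** (mp.mpf(n) / 2 + 1)
        for ai, bi in zip(alphas, betas):
            val *= (mp.erf(bi * rs) - mp.erf(ai * rs)) / (2 * (bi - ai))
        return val

    # F_m = Im F(a + (m - 1/2) * pi * i) for m = 1, ..., K + J
    Fm = [mp.im(F(a + (m - mp.mpf(1) / 2) * mp.pi * mp.j))
          for m in range(1, K + J + 1)]
    head = mp.fsum((-1) ** m * Fm[m - 1] for m in range(1, K + 1))
    tail = mp.mpf(0)
    for j in range(1, J + 1):            # Euler-transformed tail, Eq. (A9)
        delta = mp.fsum((-1) ** i * mp.binomial(j - 1, i) * Fm[K + j - i - 1]
                        for i in range(j))
        tail += (-1) ** j * delta / 2 ** j
    return mp.e ** a * (head + (-1) ** K * tail)
```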
Remark A1.
The computation of Im F(s) at s = a + (m − 1/2)πi is time-consuming: it involves evaluating erf(·) over the complex field ℂ, which itself must be approximated by series expansion. In the original computation model, since α_i and β_i take only a few fixed values determined by the GS sequence, we can accelerate the computation by building an "erf table" that records values of erf(α_i√s) and erf(β_i√s) that are used repeatedly. However, in the rectified success probability model, the values of α_i and β_i also depend on the explicit value of the cell tag t, which invalidates the "erf table" and can make the running time very long. Fortunately, the original computation model can still help us estimate the rectified success probability: in our implementation of DP enumeration, in addition to the step-by-step computation, we provide a heuristic method that uses the harmonic mean of p_succ,odd and p_succ,even, which can be calculated efficiently, to roughly estimate the actual success probability.

References

  1. Coster, M.; Joux, A.; LaMacchia, B.; Odlyzko, A.; Schnorr, C.; Stern, J. Improved Low-Density Subset Sum Algorithms. Comput. Complex. 1992, 2, 111–128.
  2. Schnorr, C.P.; Euchner, M. Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems. Math. Program. 1994, 66, 181–199.
  3. Nguyen, P.Q.; Stern, J. Adapting Density Attacks to Low-Weight Knapsacks. In Advances in Cryptology—ASIACRYPT 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 41–58.
  4. Li, S.; Fan, S.; Lu, X. Attacking ECDSA Leaking Discrete Bits with a More Efficient Lattice. In Proceedings of Inscrypt 2021; Springer: Cham, Switzerland, 2021.
  5. Schnorr, C.P. Fast Factoring Integers by SVP Algorithms, Corrected. Cryptology ePrint Archive, Report 2021/933. 2021. Available online: https://ia.cr/2021/933 (accessed on 30 December 2022).
  6. Kannan, R. Improved Algorithms for Integer Programming and Related Lattice Problems. In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing; Association for Computing Machinery: New York, NY, USA, 1983; pp. 193–206.
  7. Fincke, U.; Pohst, M. Improved Methods for Calculating Vectors of Short Length in a Lattice, Including a Complexity Analysis. Math. Comput. 1985, 44, 463–471.
  8. Gama, N.; Nguyen, P.Q. Predicting Lattice Reduction. In Advances in Cryptology—EUROCRYPT 2008; Smart, N., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 4965, pp. 31–51.
  9. Lindner, R.; Peikert, C. Better Key Sizes (and Attacks) for LWE-Based Encryption. In Topics in Cryptology—CT-RSA 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 319–339.
  10. Alkim, E.; Ducas, L.; Pöppelmann, T.; Schwabe, P. Post-Quantum Key Exchange—A New Hope. In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA, 10–12 August 2016; USENIX Association: Austin, TX, USA, 2016; pp. 327–343.
  11. Pohst, M. On the Computation of Lattice Vectors of Minimal Length, Successive Minima and Reduced Bases with Applications. SIGSAM Bull. 1981, 15, 37–44.
  12. Gama, N.; Nguyen, P.Q.; Regev, O. Lattice Enumeration Using Extreme Pruning. In Advances in Cryptology—EUROCRYPT 2010; Gilbert, H., Ed.; Springer: Berlin/Heidelberg, Germany, 2010; pp. 257–278.
  13. Lattice Algorithms Using Floating-Point Arithmetic (fplll). Available online: https://github.com/fplll/fplll (accessed on 30 December 2022).
  14. Aono, Y.; Nguyen, P.Q.; Seito, T.; Shikata, J. Lower Bounds on Lattice Enumeration with Extreme Pruning. In Advances in Cryptology—CRYPTO 2018; Shacham, H., Boldyreva, A., Eds.; Springer International Publishing: Cham, Switzerland, 2018; pp. 608–637.
  15. Schnorr, C.P. Lattice Reduction by Random Sampling and Birthday Methods. In Proceedings of the Annual Symposium on Theoretical Aspects of Computer Science (STACS 2003); Alt, H., Habib, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2003; pp. 145–156.
  16. Ajtai, M. The Worst-Case Behavior of Schnorr's Algorithm Approximating the Shortest Nonzero Vector in a Lattice. In Proceedings of the Thirty-Fifth Annual ACM Symposium on Theory of Computing, San Diego, CA, USA, 9–10 June 2003; Association for Computing Machinery: New York, NY, USA, 2003; pp. 396–406.
  17. Buchmann, J.; Ludwig, C. Practical Lattice Basis Sampling Reduction. In Algorithmic Number Theory; Hess, F., Pauli, S., Pohst, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2006; pp. 222–237.
  18. Fukase, M.; Kashiwabara, K. An Accelerated Algorithm for Solving SVP Based on Statistical Analysis. J. Inf. Process. 2015, 23, 67–80.
  19. Teruya, T.; Kashiwabara, K.; Hanaoka, G. Fast Lattice Basis Reduction Suitable for Massive Parallelization and Its Application to the Shortest Vector Problem. In Public-Key Cryptography—PKC 2018; Abdalla, M., Dahab, R., Eds.; Springer International Publishing: Cham, Switzerland, 2018; pp. 437–460.
  20. Fukase, M.; Yamaguchi, K. Analysis of the Extended Search Space for the Shortest Vector in Lattice. In Proceedings of IMETI 2010—3rd International Multi-Conference on Engineering and Technological Innovation, Orlando, FL, USA, 29 June–2 July 2010; Volume 2.
  21. Fukase, M.; Yamaguchi, K. Finding a Very Short Lattice Vector in the Extended Search Space. Trans. Inf. Process. Soc. Jpn. 2012, 53, 11.
  22. Ding, D.; Zhu, G. A Random Sampling Algorithm for SVP Challenge Based on y-Sparse Representations of Short Lattice Vectors. In Proceedings of the 2014 Tenth International Conference on Computational Intelligence and Security, Kunming, China, 15–16 November 2014.
  23. Aono, Y.; Nguyen, P.Q. Random Sampling Revisited: Lattice Enumeration with Discrete Pruning. In Advances in Cryptology—EUROCRYPT 2017; Coron, J.S., Nielsen, J.B., Eds.; Springer International Publishing: Cham, Switzerland, 2017; pp. 65–102.
  24. Aono, Y.; Nguyen, P.Q.; Shen, Y. Quantum Lattice Enumeration and Tweaking Discrete Pruning. In Advances in Cryptology—ASIACRYPT 2018; Peyrin, T., Galbraith, S., Eds.; Springer International Publishing: Berlin/Heidelberg, Germany, 2018; pp. 405–434.
  25. Ludwig, C. Practical Lattice Basis Sampling Reduction. Ph.D. Thesis, Technische Universität Darmstadt, Darmstadt, Germany, 2005.
  26. Goldstein, D.; Mayer, A. On the Equidistribution of Hecke Points. Forum Math. 2003, 15, 165–189.
  27. Chen, Y. Réduction de Réseau et Sécurité Concrète du Chiffrement Complètement Homomorphe. Ph.D. Thesis, Université Paris Diderot (Paris 7), Paris, France, 2013.
  28. TU Darmstadt, SVP Challenge. Available online: https://www.latticechallenge.org/svp-challenge/ (accessed on 30 December 2022).
  29. Chen, Y.; Nguyen, P.Q. BKZ 2.0: Better Lattice Security Estimates. In Advances in Cryptology—ASIACRYPT 2011; Springer: Berlin/Heidelberg, Germany, 2011; Volume 7073, pp. 1–20.
  30. Bai, S.; Stehlé, D.; Wen, W. Measuring, Simulating and Exploiting the Head Concavity Phenomenon in BKZ. In Advances in Cryptology—ASIACRYPT 2018; Peyrin, T., Galbraith, S., Eds.; Springer International Publishing: Berlin/Heidelberg, Germany, 2018; pp. 369–404.
  31. Hanrot, G.; Pujol, X.; Stehlé, D. Analyzing Blockwise Lattice Algorithms Using Dynamical Systems. In Advances in Cryptology—CRYPTO 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 447–464.
  32. Albrecht, M.R. On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL. In Advances in Cryptology—EUROCRYPT 2017; Springer International Publishing: Berlin/Heidelberg, Germany, 2017; pp. 103–129.
  33. Stehlé, D. Floating-Point LLL: Theoretical and Practical Aspects. In The LLL Algorithm: Survey and Applications; Nguyen, P.Q., Vallée, B., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; pp. 179–213.
  34. Aono, Y.; Wang, Y.; Hayashi, T.; Takagi, T. Improved Progressive BKZ Algorithms and Their Precise Cost Estimation by Sharp Simulator. In Advances in Cryptology—EUROCRYPT 2016; Springer: Berlin/Heidelberg, Germany, 2016; pp. 789–819.
  35. Albrecht, M.; Göpfert, F.; Lefebvre, C.; Owen, J.; Player, R. LWE Estimator's Documentation. Available online: https://lwe-estimator.readthedocs.io/en/latest/index.html (accessed on 25 December 2022).
  36. The General Sieve Kernel (G6K). Available online: https://github.com/fplll/g6k (accessed on 25 December 2022).
  37. Albrecht, M.R.; Ducas, L.; Herold, G.; Kirshanova, E.; Postlethwaite, E.W.; Stevens, M. The General Sieve Kernel and New Records in Lattice Reduction. In Advances in Cryptology—EUROCRYPT 2019, Darmstadt, Germany, 19–23 May 2019; pp. 717–746.
  38. Albrecht, M.R.; Bai, S.; Fouque, P.A.; Kirchner, P.; Stehlé, D.; Wen, W. Faster Enumeration-Based Lattice Reduction: Root Hermite Factor k^{1/(2k)} Time k^{k/8+o(k)}. In Advances in Cryptology—CRYPTO 2020, Santa Barbara, CA, USA, 17–21 August 2020; pp. 186–212.
  39. Müller, W. Lattice Points in Large Convex Bodies. Monatshefte Math. 1999, 128, 315–330.
  40. Krätzel, E. A Sum Formula Related to Ellipsoids with Applications to Lattice Point Theory. Abh. Aus Dem Math. Semin. Der Univ. Hambg. 2001, 71, 143–159.
  41. Hosono, T. Numerical Inversion of Laplace Transform and Some Applications to Wave Optics. Radio Sci. 1981, 16, 1015–1019.
Figure 1. The evolution of GSS(B) during reprocessing, n = 120, k = 8, β = 25, 30, 35, 40.
Figure 2. The evolution of GS slope q during reprocessing, n = 120, k = 8, β = 25, 30, 35, 40.
Figure 3. The evolution of δ during reprocessing, n = 120, k = 8, β = 25, 30, 35, 40.
Figure 4. The relation between q and lattice dimension n.
Figure 5. The relation between q and BKZ blocksize β.
Figure 6. The relation between T_decode and dimension n.
Figure 7. Speedup ratio of extreme pruning.
Figure 8. The difference of p_succ estimated with odd-ended cells and even-ended cells.
Figure 9. Verification of the rectified success probability model.
Figure 10. The performance of optimized discrete pruning and other SVP solvers.
Figure 11. The asymptotic behavior of DP enumeration and other SVP solvers.
Table 1. The estimated GS slope q of BKZ_β-reduced lattice basis.

| β | 11 | 13 | 15 | 17 | 19 | 21 | 23 | 25 | 27 |
| q | 0.9698 | 0.9703 | 0.9708 | 0.9713 | 0.9718 | 0.9723 | 0.9727 | 0.9733 | 0.9737 |
| β | 29 | 31 | 33 | 35 | 37 | 39 | 41 | 43 | 45 |
| q | 0.9742 | 0.9746 | 0.9751 | 0.9755 | 0.9759 | 0.9763 | 0.9767 | 0.9772 | 0.9776 |
Table 2. Optimal parameters of DP-ENUM for solving the SVP challenge.

| n | β | M | Expected Time (CPU Cycles) |
| 80 | 39 | 65,000 | 9.08 × 10^10 |
| 82 | 42 | 110,000 | 1.22 × 10^11 |
| 84 | 42 | 95,000 | 1.96 × 10^11 |
| 86 | 42 | 175,000 | 2.92 × 10^11 |
| 88 | 42 | 155,000 | 4.83 × 10^11 |
| 90 | 42 | 100,000 | 8.90 × 10^11 |
| 92 | 39 | 150,000 | 1.52 × 10^12 |
| 94 | 42 | 150,000 | 2.09 × 10^12 |
| 96 | 39 | 170,000 | 6.88 × 10^12 |
| 98 | 42 | 180,000 | 1.08 × 10^13 |
| 100 | 42 | 145,000 | 2.15 × 10^13 |
| 102 | 39 | 195,000 | 4.16 × 10^13 |
| 104 | 39 | 190,000 | 1.11 × 10^14 |
| 106 | 42 | 130,000 | 1.34 × 10^14 |
| 108 | 42 | 175,000 | 4.24 × 10^14 |
| 110 | 44 | 190,000 | 1.23 × 10^15 |