Memory adds no cost to lattice sieving for computers in 3 or more spatial dimensions

CryptoDB

Memory adds no cost to lattice sieving for computers in 3 or more spatial dimensions

Authors:	Samuel Jaques , University of Waterloo
Download:	DOI: 10.62056/ay4fbn2hd URL: https://cic.iacr.org//p/1/3/6 Search ePrint Search Google
Abstract:	The security of lattice-based crytography (LWE, NTRU, and FHE) depends on the hardness of the shortest-vector problem (SVP). Sieving algorithms give the lowest asymptotic runtime to solve SVP, but depend on exponential memory. Memory access costs much more in reality than in the RAM model, so we consider a computational model where processors, memory, and meters of wire are in constant proportions to each other. While this adds substantial costs to route data during lattice sieving, we modify existing algorithms to amortize these costs and find that, asymptotically, a classical computer can achieve the previous RAM model cost of $2^{0.2925d+o(d)}$ to sieve a $d$-dimensional lattice for a computer existing in 3 or more spatial dimensions, and can reach $2^{0.3113d+o(d)}$ in 2 spatial dimensions, where “spatial dimensions” are the dimensions of the physical geometry in which the computer exists. Since this result implies an increased cost in 2 spatial dimensions, we make several assumptions about the constant terms of memory access and lattice attacks so that we can give bit security estimates for Kyber and Dilithium. These estimates support but do not increase the security categories claimed in the Kyber and Dilithium specifications, at least with respect to known attacks.

Authors:

Samuel Jaques , University of Waterloo

Download:

DOI: 10.62056/ay4fbn2hd

URL: https://cic.iacr.org//p/1/3/6

Search ePrint

Search Google

Abstract:

The security of lattice-based crytography (LWE, NTRU, and FHE) depends on the hardness of the shortest-vector problem (SVP). Sieving algorithms give the lowest asymptotic runtime to solve SVP, but depend on exponential memory. Memory access costs much more in reality than in the RAM model, so we consider a computational model where processors, memory, and meters of wire are in constant proportions to each other. While this adds substantial costs to route data during lattice sieving, we modify existing algorithms to amortize these costs and find that, asymptotically, a classical computer can achieve the previous RAM model cost of $2^{0.2925d+o(d)}$ to sieve a $d$-dimensional lattice for a computer existing in 3 or more spatial dimensions, and can reach $2^{0.3113d+o(d)}$ in 2 spatial dimensions, where “spatial dimensions” are the dimensions of the physical geometry in which the computer exists.
Since this result implies an increased cost in 2 spatial dimensions, we make several assumptions about the constant terms of memory access and lattice attacks so that we can give bit security estimates for Kyber and Dilithium. These estimates support but do not increase the security categories claimed in the Kyber and Dilithium specifications, at least with respect to known attacks. 

BibTeX

@article{cic-2024-34817,
  title={Memory adds no cost to lattice sieving for computers in 3 or more spatial dimensions},
  journal={cic},
  publisher={International Association for Cryptologic Research},
  volume={1, Issue 3},
  url={https://cic.iacr.org//p/1/3/6},
  doi={10.62056/ay4fbn2hd},
  author={Samuel Jaques},
  year=2024
}

International Association for Cryptologic Research

International Associationfor Cryptologic Research

CryptoDB

Memory adds no cost to lattice sieving for computers in 3 or more spatial dimensions

BibTeX

International Association
for Cryptologic Research