Sieving for shortest vectors in ideal lattices: a practical perspective

摘要

The security of many lattice-based cryptographic schemes relies on the hardness of finding short vectors in integral lattices. We propose a new variant of the parallel Gauss sieve algorithm to compute such short vectors. It combines favourable properties of previous approaches resulting in reduced run time and memory requirement per node. Our publicly available implementation outperforms all previous Gauss sieve approaches for dimensions 80, 88, and 96. When computing short vectors in ideal lattices, we show how to reduce the number of multiplications and comparisons by using a symbolic Fourier transform. We computed a short vector in a negacyclic ideal lattice of dimension 128 in less than nine days on 1,024 cores, more than twice as fast as the recent record computation for the same lattice on the same computer hardware.