Introduction AKS List-Sieve Birthday paradox Conclusion
Sieve algorithms for the Shortest Vector Problem
Xavier Pujol, Damien Stehle
ENSL, LIP, CNRS, INRIA, Universite de Lyon, UCBL
February 2nd, 2010
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 1/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Introduction
AKS
List-Sieve
Birthday paradox
Conclusion
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 2/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Shortest Vector Problem
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
0
• Any lattice L contains non-zero vectors of minimal norm.
• Finding such vectors is NP-hard.
• Applications:• Integer Linear Programming (Lenstra 83).• Strong lattice reduction for cryptanalysis.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 3/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Shortest Vector Problem
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
0
• Any lattice L contains non-zero vectors of minimal norm.
• Finding such vectors is NP-hard.
• Applications:• Integer Linear Programming (Lenstra 83).• Strong lattice reduction for cryptanalysis.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 3/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Shortest Vector Problem
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
0
• Any lattice L contains non-zero vectors of minimal norm.
• Finding such vectors is NP-hard.
• Applications:• Integer Linear Programming (Lenstra 83).• Strong lattice reduction for cryptanalysis.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 3/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Shortest Vector Problem
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
0
• Any lattice L contains non-zero vectors of minimal norm.
• Finding such vectors is NP-hard.
• Applications:• Integer Linear Programming (Lenstra 83).• Strong lattice reduction for cryptanalysis.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 3/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Solving SVP
Enumeration-based deterministic algorithms:
• Fincke-Pohst (1983). Cost: 2O(n2).
• With preprocessing: Kannan (1983). Cost: 2O(n log n).
Both algorithms use polynomial space.
Probabilistic sieve algorithms:Time Space
AKS 23.4n 22.0n
List-Sieve 23.2n 21.4n
List-Sieve with 22.5n 21.3n
birthday paradox
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 4/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Solving SVP
Enumeration-based deterministic algorithms:
• Fincke-Pohst (1983). Cost: 2O(n2).
• With preprocessing: Kannan (1983). Cost: 2O(n log n).
Both algorithms use polynomial space.
Probabilistic sieve algorithms:Time Space
AKS 23.4n 22.0n
List-Sieve 23.2n 21.4n
List-Sieve with 22.5n 21.3n
birthday paradox
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 4/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Solving SVP
Enumeration-based deterministic algorithms:
• Fincke-Pohst (1983). Cost: 2O(n2).
• With preprocessing: Kannan (1983). Cost: 2O(n log n).
Both algorithms use polynomial space.
Probabilistic sieve algorithms:Time Space
AKS 23.4n 22.0n
List-Sieve 23.2n 21.4n
List-Sieve with 22.5n 21.3n
birthday paradox
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 4/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Solving SVP
Enumeration-based deterministic algorithms:
• Fincke-Pohst (1983). Cost: 2O(n2).
• With preprocessing: Kannan (1983). Cost: 2O(n log n).
Both algorithms use polynomial space.
Probabilistic sieve algorithms:Time Space
AKS 23.4n 22.0n
List-Sieve 23.2n 21.4n
List-Sieve with 22.5n 21.3n
birthday paradox
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 4/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Solving SVP
Enumeration-based deterministic algorithms:
• Fincke-Pohst (1983). Cost: 2O(n2).
• With preprocessing: Kannan (1983). Cost: 2O(n log n).
Both algorithms use polynomial space.
Probabilistic sieve algorithms:Time Space
AKS 23.4n 22.0n
List-Sieve 23.2n 21.4n
List-Sieve with 22.5n 21.3n
birthday paradox
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 4/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Solving SVP
Enumeration-based deterministic algorithms:
• Fincke-Pohst (1983). Cost: 2O(n2).
• With preprocessing: Kannan (1983). Cost: 2O(n log n).
Both algorithms use polynomial space.
Probabilistic sieve algorithms:Time Space
AKS 23.4n 22.0n
List-Sieve 23.2n 21.4n
List-Sieve with 22.5n 21.3n
birthday paradox
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 4/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Solving SVP
Enumeration-based deterministic algorithms:
• Fincke-Pohst (1983). Cost: 2O(n2).
• With preprocessing: Kannan (1983). Cost: 2O(n log n).
Both algorithms use polynomial space.
Probabilistic sieve algorithms:Time Space
AKS 23.4n 22.0n
List-Sieve 23.2n 21.4n
List-Sieve with 22.5n 21.3n
birthday paradox
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 4/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Introduction
AKS
List-Sieve
Birthday paradox
Conclusion
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 5/19
Introduction AKS List-Sieve Birthday paradox Conclusion
History of AKS
• First version by Ajtai, Kumar and Sivakumar (2001).
• Simplified presentation by Regev (2004).
• Refined analysis, implementation by Nguyen and Vidick(2008).
• Improved analysis with sphere-packing arguments byMicciancio and Voulgaris (2010).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 6/19
Introduction AKS List-Sieve Birthday paradox Conclusion
History of AKS
• First version by Ajtai, Kumar and Sivakumar (2001).
• Simplified presentation by Regev (2004).
• Refined analysis, implementation by Nguyen and Vidick(2008).
• Improved analysis with sphere-packing arguments byMicciancio and Voulgaris (2010).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 6/19
Introduction AKS List-Sieve Birthday paradox Conclusion
History of AKS
• First version by Ajtai, Kumar and Sivakumar (2001).
• Simplified presentation by Regev (2004).
• Refined analysis, implementation by Nguyen and Vidick(2008).
• Improved analysis with sphere-packing arguments byMicciancio and Voulgaris (2010).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 6/19
Introduction AKS List-Sieve Birthday paradox Conclusion
History of AKS
• First version by Ajtai, Kumar and Sivakumar (2001).
• Simplified presentation by Regev (2004).
• Refined analysis, implementation by Nguyen and Vidick(2008).
• Improved analysis with sphere-packing arguments byMicciancio and Voulgaris (2010).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 6/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
bb
b
b
b
b b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
bb
b
b
b
b b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
bb
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
bb
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
b
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
b
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
b
b b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
b
b
b
b
b
b
b
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
bb
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
bb
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
AKS algorithm for SVP
b
bb
b
b
0
• Step 1: sample randomlattice vectors.
• Step 2: repeat the sieveuntil vectors are shortenough.
• Step 3: return the closestpair of vectors.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 7/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Perturbations
Problem: the final set S of vectors may be {0}.• Solution: apply a small random perturbation to each sampled
vector.
• Some information is hidden to the sieve algorithm: severallattice vectors might correspond to a given perturbed vector.
• Pr[‖u − v‖ = λ(L)] for some u, v ∈ S
> 2−O(n)Pr[u = v] for some u, v ∈ S .
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 8/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Perturbations
Problem: the final set S of vectors may be {0}.• Solution: apply a small random perturbation to each sampled
vector.
• Some information is hidden to the sieve algorithm: severallattice vectors might correspond to a given perturbed vector.
• Pr[‖u − v‖ = λ(L)] for some u, v ∈ S
> 2−O(n)Pr[u = v] for some u, v ∈ S .
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 8/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Perturbations
Problem: the final set S of vectors may be {0}.• Solution: apply a small random perturbation to each sampled
vector.
• Some information is hidden to the sieve algorithm: severallattice vectors might correspond to a given perturbed vector.
• Pr[‖u − v‖ = λ(L)] for some u, v ∈ S
> 2−O(n)Pr[u = v] for some u, v ∈ S .
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 8/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Perturbations
Problem: the final set S of vectors may be {0}.• Solution: apply a small random perturbation to each sampled
vector.
• Some information is hidden to the sieve algorithm: severallattice vectors might correspond to a given perturbed vector.
• Pr[‖u − v‖ = λ(L)] for some u, v ∈ S
> 2−O(n)Pr[u = v] for some u, v ∈ S .
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 8/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of AKS
How many vectors are lost duringthe sieve?→ fewer than (R+R/4)n
(R/4)n = 2O(n)
aai at each step.→ polynomial number of steps.2O(n) vectors are enough.Time complexity quadratic inspace complexity.With a finer analysis: 23.4n
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 9/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of AKS
How many vectors are lost duringthe sieve?→ fewer than (R+R/4)n
(R/4)n = 2O(n)
aai at each step.→ polynomial number of steps.2O(n) vectors are enough.Time complexity quadratic inspace complexity.With a finer analysis: 23.4n
b
b
b
b
b
b
b
b
b
b
R
> R/20
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 9/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of AKS
How many vectors are lost duringthe sieve?→ fewer than (R+R/4)n
(R/4)n = 2O(n)
aai at each step.→ polynomial number of steps.2O(n) vectors are enough.Time complexity quadratic inspace complexity.With a finer analysis: 23.4n
b
b
b
b
b
b
b
b
b
b
R/40
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 9/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of AKS
How many vectors are lost duringthe sieve?→ fewer than (R+R/4)n
(R/4)n = 2O(n)
aai at each step.→ polynomial number of steps.2O(n) vectors are enough.Time complexity quadratic inspace complexity.With a finer analysis: 23.4n
b
b
b
b
b
b
b
b
b
b
R/40
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 9/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of AKS
How many vectors are lost duringthe sieve?→ fewer than (R+R/4)n
(R/4)n = 2O(n)
aai at each step.→ polynomial number of steps.2O(n) vectors are enough.Time complexity quadratic inspace complexity.With a finer analysis: 23.4n
b
b
b
b
b
b
b
b
b
b
R/40
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 9/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of AKS
How many vectors are lost duringthe sieve?→ fewer than (R+R/4)n
(R/4)n = 2O(n)
aai at each step.→ polynomial number of steps.2O(n) vectors are enough.Time complexity quadratic inspace complexity.With a finer analysis: 23.4n
b
b
b
b
b
b
b
b
b
b
R/40
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 9/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of AKS
How many vectors are lost duringthe sieve?→ fewer than (R+R/4)n
(R/4)n = 2O(n)
aai at each step.→ polynomial number of steps.2O(n) vectors are enough.Time complexity quadratic inspace complexity.With a finer analysis: 23.4n
b
b
b
b
b
b
b
b
b
b
R/40
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 9/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Introduction
AKS
List-Sieve
Birthday paradox
Conclusion
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 10/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve
• Algorithm introduced by Micciancio and Voulgaris (2010).
• Idea: create a set of short vectors by subtractions, as in AKS.
• Vectors are sampled one by one.
• All previous vectors are used to reduce a new vector.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 11/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve
• Algorithm introduced by Micciancio and Voulgaris (2010).
• Idea: create a set of short vectors by subtractions, as in AKS.
• Vectors are sampled one by one.
• All previous vectors are used to reduce a new vector.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 11/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve
• Algorithm introduced by Micciancio and Voulgaris (2010).
• Idea: create a set of short vectors by subtractions, as in AKS.
• Vectors are sampled one by one.
• All previous vectors are used to reduce a new vector.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 11/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve
• Algorithm introduced by Micciancio and Voulgaris (2010).
• Idea: create a set of short vectors by subtractions, as in AKS.
• Vectors are sampled one by one.
• All previous vectors are used to reduce a new vector.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 11/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
bb
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
b
b b
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
b
b b
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
b
b b
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
b
b b
b
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
b
b b
b
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
b
b b
b
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
List-Sieve: example
bb b
b
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 12/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
b b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
b b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
> 60◦
b b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
> 60◦
b b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
bb
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
bb
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
b
bb
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
b
bb b
b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
b
bb b
b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
bb
b
b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Complexity of List-Sieve
bb
b
b
b
• Lower bound for the angle between two vectors
• Without perburtations: 20.4n vectors in the worst case.
• With perturbations: 21.4n vectors (more vectors around 0).
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 13/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Introduction
AKS
List-Sieve
Birthday paradox
Conclusion
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 14/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Birthday paradox
• Among 23 people, two of them have the same birthday withprobability > 1
2 .
• If items are sampled from a set S and i.i.d., a collision occurswith high probability after O(
√
|S |) steps.
• The uniform law is the worst case.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 15/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Birthday paradox
• Among 23 people, two of them have the same birthday withprobability > 1
2 .
• If items are sampled from a set S and i.i.d., a collision occurswith high probability after O(
√
|S |) steps.
• The uniform law is the worst case.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 15/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Birthday paradox
• Among 23 people, two of them have the same birthday withprobability > 1
2 .
• If items are sampled from a set S and i.i.d., a collision occurswith high probability after O(
√
|S |) steps.
• The uniform law is the worst case.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 15/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Applying the birthday paradox to AKS
• There must be enough vectors to ensure that the probabilityof collision is high at the end of the sieve.
b
bb
b
b
0
• First solution: pigeonhole principle → N = 2O(d) vectors.
• All vectors in the final set are independent.
• Birthday paradox →√
N vectors suffice.
• Time complexity: 22.7n instead of 23.4n.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 16/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Applying the birthday paradox to AKS
• There must be enough vectors to ensure that the probabilityof collision is high at the end of the sieve.
b
bb
b
b
0
• First solution: pigeonhole principle → N = 2O(d) vectors.
• All vectors in the final set are independent.
• Birthday paradox →√
N vectors suffice.
• Time complexity: 22.7n instead of 23.4n.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 16/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Applying the birthday paradox to AKS
• There must be enough vectors to ensure that the probabilityof collision is high at the end of the sieve.
b
bb
b
b
0
• First solution: pigeonhole principle → N = 2O(d) vectors.
• All vectors in the final set are independent.
• Birthday paradox →√
N vectors suffice.
• Time complexity: 22.7n instead of 23.4n.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 16/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Applying the birthday paradox to AKS
• There must be enough vectors to ensure that the probabilityof collision is high at the end of the sieve.
b
bb
b
b
0
• First solution: pigeonhole principle → N = 2O(d) vectors.
• All vectors in the final set are independent.
• Birthday paradox →√
N vectors suffice.
• Time complexity: 22.7n instead of 23.4n.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 16/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Applying the birthday paradox to AKS
• There must be enough vectors to ensure that the probabilityof collision is high at the end of the sieve.
b
bb
b
b
0
• First solution: pigeonhole principle → N = 2O(d) vectors.
• All vectors in the final set are independent.
• Birthday paradox →√
N vectors suffice.
• Time complexity: 22.7n instead of 23.4n.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 16/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Birthday paradox for List-Sieve
• Non-independent vectors.
• Solution:• Apply ListSieve,
discarding all pointsthat fall outside of thecorona.
• Sample smallindependent points byreducing random pointsw.r. to the first list.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 17/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Birthday paradox for List-Sieve
• Non-independent vectors.
• Solution:• Apply ListSieve,
discarding all pointsthat fall outside of thecorona.
• Sample smallindependent points byreducing random pointsw.r. to the first list.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 17/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Birthday paradox for List-Sieve
b
b
b
b b
• Non-independent vectors.
• Solution:• Apply ListSieve,
discarding all pointsthat fall outside of thecorona.
• Sample smallindependent points byreducing random pointsw.r. to the first list.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 17/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Birthday paradox for List-Sieve
b
b
b
b b
b
b
b b
• Non-independent vectors.
• Solution:• Apply ListSieve,
discarding all pointsthat fall outside of thecorona.
• Sample smallindependent points byreducing random pointsw.r. to the first list.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 17/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Introduction
AKS
List-Sieve
Birthday paradox
Conclusion
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 18/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Conclusion
• The modifications of List-Sieve to apply the birthday paradoxseem to be artefacts.
• In practice, perturbations do not seem to be necessary either.
• It is claimed in [MiVo10] that a heuristic version of List-Sieveoutperforms enumeration-based algorithms.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 19/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Conclusion
• The modifications of List-Sieve to apply the birthday paradoxseem to be artefacts.
• In practice, perturbations do not seem to be necessary either.
• It is claimed in [MiVo10] that a heuristic version of List-Sieveoutperforms enumeration-based algorithms.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 19/19
Introduction AKS List-Sieve Birthday paradox Conclusion
Conclusion
• The modifications of List-Sieve to apply the birthday paradoxseem to be artefacts.
• In practice, perturbations do not seem to be necessary either.
• It is claimed in [MiVo10] that a heuristic version of List-Sieveoutperforms enumeration-based algorithms.
X. Pujol, D. Stehle Sieve algorithms for the Shortest Vector Problem 19/19
