Self-dual DeepBKZ for finding short lattice vectors

Abstract In recent years, the block Korkine-Zolotarev (BKZ) and its variants such as BKZ 2.0 have been used as de facto algorithms to estimate the security of a lattice-based cryptosystem. In 2017, DeepBKZ was proposed as a mathematical improvement of BKZ, which calls LLL with deep insertions (DeepLLL) as a subroutine alternative to LLL. DeepBKZ can find a short lattice vector by smaller blocksizes than BKZ. In this paper, we develop a self-dual variant of DeepBKZ, as in the work of Micciancio and Walter for self-dual BKZ. Like DeepBKZ, our self-dual DeepBKZ calls both DeepLLL and its dual variant as main subroutines in order to accelerate to find a very short lattice vector. We also report experimental results of DeepBKZ and our self-dual DeepBKZ for random bases on the Darmstadt SVP challenge.


Introduction
Since the US National Institute of Standards and Technology (NIST) began a process to develop new standards for post-quantum cryptography (PQC) in 2015 and called for proposals in 2016, it has rapidly accelerated to research lattice-based cryptography as a candidate of PQC. At the submission deadline of November 30, 2017 for the call, NIST received more than 20 proposals of lattice-based cryptosystems (see the web page of "Round 1 Submissions" of [13]). The security of such proposals relies on the hardness of lattice problems such as LWE and NTRU, and it is becoming more important to precisely evaluate the hardness.
Lattice basis reduction is a strong tool in cryptanalysis, and it has been used to estimate the security of lattice-based cryptosystems. In particular, BKZ [16] and its variants such as BKZ 2.0 [3] are de facto algorithms to estimate the security level (see [1]). Given β, BKZ repeatedly calls an SVP oracle in a β-dimensional lattice to find a short lattice vector. In security estimation, it is discussed which blocksizes β are required for BKZ to find a short lattice vector of target norm. A new improvement of BKZ, called DeepBKZ [18], was proposed, which calls DeepLLL [16,Section 3] before every SVP oracle to find a short lattice vector by smaller blocksizes than BKZ. In fact, DeepBKZ with around β = 40 had found new solutions for the SVP challenge [4] in most dimensions from 102 to 127.
In this paper, we develop a self-dual variant of DeepBKZ, emulating the self-dual BKZ by Micciancio and Walter [11]. The original self-dual BKZ calls SVP and dual SVP oracles in forward and backward tours, respectively, to find a reduced basis B = [b 1 , . . . , bn] with short b 1 and long b * n , where [b * 1 , . . . , b * n ] denotes the Gram-Schmidt orthogonalization of B. In our self-dual DeepBKZ, DeepLLL and dual DeepLLL [19] are respectively called to reduce [b 1 , . . . , b n−1 ] and [π 2 (b 1 ), . . . , π 2 (bn)] before every SVP and dual SVP oracles, where π 2 denotes the orthogonal projection. Our construction is similar to [11], but its mathematical background is based on classical proofs of Mordell's inequality as well as the slide reduction algorithm [6] (see also [12]).
Like DeepBKZ [18], we hope that DeepLLL and its dual variant could help to find a basis with shorter b 1 and longer b * n than the original self-dual BKZ [11] (as a result, we expect that a very short lattice vector could be found). To show practicality, we report experimental results of both DeepBKZ and our self-dual variant for random bases on [4]. Notation 1.1. The symbols Z and R denote the ring of integers and the field of real numbers, respectively. We represent all vectors in column format. For a vector a = (a 1 , . . . , an) ⊤ ∈ R n , let ‖a‖ denote its Euclidean norm. For a = (a 1 , . . . , an) ⊤ and b = (b 1 , . . . , bn) ⊤ , let ⟨a, b⟩ denote the inner product ∑︀ n i=1 a i b i .

Preliminaries
In this section, we review some definitions on lattices. We also introduce typical reduction algorithms and DeepBKZ [18], an improvement of BKZ.

Lattices (Primal) lattices and bases
Let b 1 , . . . , bn be linearly independent vectors in R n . The set of all integral linear combinations of the b i 's is a (full-rank) lattice For 2 ≤ ℓ ≤ n, let π ℓ denote the orthogonal projection over the orthogonal supplement of the R-vector space ⟨b 1 , . . . , b ℓ−1 ⟩ R (note that π ℓ depends on a basis, and set π 1 = id). For 1 ≤ i ≤ j ≤ n, we denote by B [i,j] the local projected block [π i (b i ), π i (b i+1 ), . . . , π i (b j )], and by L [i,j] the lattice spanned by B [i,j] . The first successive minimum is the length of a shortest non-zero vector in a lattice L, denoted by λ 1 (L).

Dual lattices and dual bases
The dual of a lattice L is defined aŝ︀ where span R (L) denotes the R-vector space spanned by the vectors in L. The dual of a full-rank lattice with basis B has a basis D = (︀ B −1 )︀ ⊤ . In other words, the relation D ⊤ B = I is always maintained, where I is the identity matrix. This tells how the dual basis D changes with respect to changes of the primal basis B.

Lattice Basis Reduction
Here we introduce some notions of reduction and algorithms to achieve them.

DeepLLL
It is a straightforward generalization of LLL, in which non-adjacent vectors can be changed; If the deep ex- This is called a deep insertion. Every output basis of DeepLLL satisfies the following condition; For 1 The notion of BKZ-reduction is a local block version of HKZ-reduction, defined as follows [14][15][16] [14,16]) if it is size-reduced and every local block The original BKZ algorithm [16] finds an almost β-BKZ-reduced basis, and it calls LLL to reduce every local block before enumeration of a shortest vector over the block lattice. Efficient variants of BKZ have been proposed such as BKZ 2.0 [3], and some of them have been implemented in software (e.g., [5]).

Self-dual BKZ
Motivated from the slide reduction algorithm [6], an elegant generalization of LLL (see also Section 3.3 below), the self-dual BKZ algorithm was proposed by Micciancio and Walter [11]. Their algorithm is based on a new notion [11, Definition 1] of block reduction using lattice duality (cf., the slide reduction algorithm is based on classical proofs of Mordell's inequality, see also [12] for details). The output quality of self-dual BKZ in the worst case is proven to be at least as the worst case behavior of BKZ [11,Theorem 1]. The self-dual BKZ algorithm calls primal SVP and dual SVP oracles over local blocks in forward and backward tours, respectively, and it calls forward and backward tours alternately. Like BKZ, self-dual BKZ is a proper block generalization of the LLL algorithm.

DeepBKZ
It was proposed in [18], which calls DeepLLL as a subroutine alternative to LLL in BKZ. Every output basis of DeepBKZ satisfies the following condition of reduction; For 1 4 < δ < 1 and β ≥ 2, a basis is called (δ, β)-DeepBKZ-reduced if it is both δ-DeepLLL-reduced and β-BKZ-reduced. In Algorithm 1, we give a detailed algorithm of DeepBKZ with early-abort strategy, adopted in BKZ 2.0; For an input basis B = [b 1 , . . . , bn] of a lattice L, we terminate DeepBKZ with blocksize β after tours, where C is a small constant. Since it is proven in [9] that the output basis of BKZ after N tours has an enough quality, we expect that a similar result would hold for DeepBKZ (we took different values for C in our experiments).

Dual DeepBKZ
It is a dual version of DeepBKZ proposed in [19]. It consists of the dual enumeration in self-dual BKZ [11] and a dual version of DeepLLL to reduce the dual basis of an input basis. In particular, in dual DeepLLL [19, Algorithm 1], a basis transformation is performed as called a dual deep insertion (this is opposite to the primal deep insertion (1)).

Self-dual DeepBKZ
In this section, we develop a self-dual variant of DeepBKZ.

Overview of algorithm
Algorithm 2 is our self-dual DeepBKZ. It consists of two parts of a forward tour and a backward tour, as in self-dual BKZ by Micciancio and Walter [11]. Let B = [b 1 , . . . , bn] be an input basis of self-dual DeepBKZ with blocksize 3 ≤ β ≤ n − 1. We describe an overview for each part as follows:

Forward tour
As in the original self-dual BKZ [11], we call SVP oracles in dimension β to reduce every local block B [j,j+β−1] from j = 1 to n − β. In our self-dual DeepBKZ, we additionally call DeepLLL for the sub-basis [b 1 , . . . , b n−1 ] before enumeration to find a shortest vector over every block lattice L [j,j+β −1] . Note that this part does not change the last basis vector bn.

Backward tour
As in [11], we call dual SVP oracles in dimension β to reduce the dual basis of every local block B [j−β+1,j] from j = n down to β + 1. Similarly to the above part, we call dual DeepLLL [19, Algorithm 1], a dual variant of DeepLLL, before the dual enumeration [11, Algorithm 2] (see also Appendix A for the dual enumeration). As in the above part, we restrict the index i in every dual deep insertion (3) from i = n − 1 to 2 in order not to change the first basis vector b 1 by dual DeepLLL. This means that it reduces the local block B [2,n] by dual DeepLLL, equivalently, it reduces its dual basis by (primal) DeepLLL.

Terminating condition
A mathematical terminating condition is given in [11,Lemma 1] for the original self-dual BKZ, but it is mentioned in [11] that such condition might never be met in practice. As in [11], we use the early-abort strategy (cf., the termination of the original self-dual BKZ depends on the behavior of GSA slopes). We count a pair of forward and backward tours as one tour of our self-dual DeepBKZ. After tours with the same constant C as in (2), we terminate self-dual DeepBKZ with blocksize β for an input basis B = [b 1 , . . . , bn] of a lattice L (we replace the denominator of (2) by 2β, see [11,Section 4] for details).
Mordell's reduction satisfies some important properties such as [12,Lemma 10], and the slide reduction algorithm [6] is designed to achieve a blockwise version of Mordell's reduction. In particular, the output quality of the slide reduction algorithm in the worst case is proven to be slightly better than that of BKZ for a fixed blocksize β. (However, from [11, Figure 2], the output quality of the slide reduction algorithm is worse than both BKZ and self-dual BKZ in practice.) In order to describe the basic idea of our self-dual DeepBKZ, consider b 1 b 2 · · · · · · b n−1 π 2 (b 2 ) π 2 (b 3 ) · · · · · · π 2 (bn).

Implementation
We implemented DeepBKZ (Algorithm 1) and self-dual DeepBKZ (Algorithm 2) in C++ programs with the NTL library [17]. We used the g++ complier with -O3 -std=c++11 option. We set a triple of B = [b 1 , . . . , bn], µ = (µ i,j ) 1≤j<i≤n and (B i ) 1≤i≤n as a class, where B is a basis, µ its GSO coefficients, and B i = ‖b * i ‖ 2 . We used the int data type for B, and long double for both µ and (B i ) 1≤i≤n . To keep track of the GSO information in DeepLLL and dual DeepLLL, we implemented pseudo-codes of [18,Algorithm 4] and [19, Algorithm 2], respectively. We also implemented [8, Algorithm 2] and Algorithm 3 in Appendix A for primal and dual enumerations, respectively. We took a full enumeration setting as in [18] for both enumerations. Our experiments ran on an Intel Xeon CPU E3-1225 v6@3.30GHz with 32.0 GB RAM (we run every reduction algorithm over a single thread).

Experimental results
Here we report experimental results of DeepBKZ and self-dual DeepBKZ for random bases on [4] in terms of both the output quality and performance.

Output quality
The Hermite factor is a good index to measure the (practical) output quality of a reduction algorithm [7]. The factor of an algorithm for a basis of an n-dimensional lattice L is defined as = ‖b‖ vol(L) 1/n , where b is a shortest non-zero basis vector output by the algorithm. Smaller means that the algorithm can find a shorter lattice vector. For practical algorithms such as LLL and BKZ, Gama and Nguyen [7] experimentally showed that the root Hermite factor 1 n converges a constant for high dimensions. In Table 1 (resp., Table 2), we show the average of the root Hermite factor of DeepBKZ (resp., self-dual DeepBKZ), for random Table 1: The average of the root Hermite factor 1 n of DeepBKZ with early-abort for some constants C, for the SVP challenge in dimensions n with seeds 0-9 (C = ∞ means the average factor without early-abort, which data are from [18]  bases on the SVP challenge [4] in dimensions from n = 100 to 115 with seeds 0-9. We took C = 1.0 and 4.0 for two different early-abort constants in (2) and (4) (cf., C = 0.25, 2.0 and 8.0 were taken in [20]). As in [18,19], we set δ = 0.99 as reduction parameters of both DeepLLL and its dual variant. We took as input bases reduced by BKZ with blocksize 20, implemented in the fplll library [5]. We increased blocksizes β by every 5 from 20 up to 45 for both DeepBKZ and its self-dual variant (it becomes very slow for β ≥ 50 since we did not use any pruning in [8]). We see from Tables 1 and 2 that the root Hermite factor (i.e., the output quality) of DeepBKZ is slightly better than that of self-dual DeepBKZ for β ≥ 30. In Table 1, we also show the average of the root Hermite factor of DeepBKZ without early-abort, which data are from [18, Table 2]. As seen from Table 1, the root Hermite factor of DeepBKZ with early-abort is pretty worse than without early-abort for β ≥ 30.

Performance
In Tables 3 (resp., Table 4), we show the average of the running time of DeepBKZ (resp., self-dual DeepBKZ) for the SVP challenge in dimensions from n = 100 to 115 with seeds 0-9. From Tables 3 and 4, our self-dual Deep-BKZ is at least 3 times slower than DeepBKZ for β ≥ 30. In particular, DeepBKZ is much faster for 20 ≤ β ≤ 30 due to that a DeepBKZ-reduced basis can be found by tours less than the terminating condition (2). Moreover, DeepBKZ with early-abort is much faster than without early-abort; For example, it took 5242 seconds ≈ about 1.5 hours to run DeepBKZ with early-abort constant C = 4.0 in n = 115 for blocksizes up to β = 45, while a few days are required to run DeepBKZ without early-abort.

Concluding remarks
In this section, we first compare reduction algorithms in terms of both the output quality and performance. We then conclude this work and give our future work.

Comparison of algorithms
Output quality A prediction of limiting value of the root Hermite factor 1 n achieved by BKZ is given in Chen's thesis [2] (it is based on Gaussian Heuristic, and it seems to hold for β ≥ 40 in practice); Actually, as seen from [11, Figure 2], the output quality of both BKZ and self-dual BKZ approximately follows the prediction (5) for β ≥ 40. As discussed in Subsection 3.5, the output quality of our self-dual DeepBKZ is slightly worse than that of DeepBKZ for every β ≥ 30. This is the same as the relation between BKZ and selfdual BKZ, shown in [11]. While the prediction (5) implies that β ≥ 85 is required for BKZ to achieve 1 n = 1.01, it requires only β ≥ 40 for both DeepBKZ and our self-dual DeepBKZ with early-abort from Tables 1 and 2 (cf., only β ≥ 30 is required for DeepBKZ without early-abort).

Performance
Since DeepLLL and dual DeepLLL are somewhat costly, DeepBKZ and our self-dual DeepBKZ are more costly than BKZ and self-dual BKZ. However, for blocksizes β ≥ 30, SVP and dual SVP oracles (i.e., enumerations) are dominant in DeepBKZ and our self-dual DeepBKZ. Hence DeepBKZ and its variants have comparable running time to BKZ and its variants for high blocksizes.

Conclusion and future work
We showed by experiments that DeepLLL [16] and dual DeepBKZ [19] can accelerate to find a short lattice vector in the framework of self-dual BKZ [11] even for small blocksizes. Furthermore, our self-dual DeepBKZ has comparable running time to self-dual BKZ for high blocksizes since the enumeration cost is dominant for β ≥ 30. However, DeepBKZ [18] is more efficient than our self-dual DeepBKZ in both the output quality and performance. Therefore, as a future work, we would like to improve DeepBKZ with pruning as in BKZ 2.0 [3], and analyze its practical output quality for high blocksizes β ≥ 50.

A Dual enumeration with modifications
In Algorithm 3, we show an algorithm of dual enumeration by [11,Algorithm 2] with modifications for efficiency. The modifications are based on [8,Appendix B] for primal enumeration. The strategy of dual enumeration is as follows; Let B = [b 1 , . . . , bn] be a basis of a lattice L, and v a short vector over the dual latticê︀ L. By definition of̂︀ L, we have from (x 1 , . . . , x i ) ∈ Z i as x 1 = x * 1 and x * i = x i + ∑︀ i−1 j=1 µ i,j x * j for 2 ≤ i ≤ n. On the other hand, for a search bound A > 0 with ‖v‖ 2 ≤ A, we have With these equations, we enumerate all coefficient vectors x = (x 1 , . . . , xn) ⊤ ∈ Z n of dual lattice vectors v ∈̂︀ L with ‖v‖ 2 ≤ A.