Okay, so good morning everyone. I'm Phong Nguyen. I work for Inria, CNRS, and the University of Tokyo, and this is joint work with Yoshinori Aono from NICT in Japan. So I'm going to tell you about random sampling revisited: lattice enumeration with discrete pruning. First I will try to motivate you not to leave this room. Then I will give you some background on lattices, enumeration, and pruning. And then I will finally get to the title of this talk, which is enumeration with discrete pruning.

Okay, so let's relax a little bit, because after that it will be a bit more painful. A lot of people right now are asking for convincing security estimates for lattice-based cryptosystems. Because of the NIST competition and because of fully homomorphic encryption, people are interested in concrete security estimates for these systems. There are actually a lot of estimates, and the problem is how convincing they are. A good way to check your security estimates is to perform a sanity check using lattice challenges. There are several websites now that ask you to find short vectors or close vectors in lattices. Here are a few of them. If you want to make money, the only one is the NTRU challenges; the others are just for fun.

When you look at the highest records solved in these challenges, for the first two, things go as expected: the best method is expected to be pruned enumeration with BKZ, and that's what happened. We know the running time; everything behaves as expected. But for this one, something strange is going on. What is going on? If you look at the largest SVP records, first of all, they use significant power, close to RSA-768; I think it's about one half of the power used for RSA-768. And then they use a secret algorithm for which you can find only a partial description in a paper published in 2015 by Fukase and Kashiwabara. If you read the paper, it seems that the main tool (there are several differences, but the main tool) is an improved variant of an old algorithm due to Schnorr called random sampling, invented in 2003. And unfortunately, this algorithm is not so well understood.

So this is the topic of this paper. We are trying to revisit Schnorr's random sampling and all the variants that have been proposed, including the one used in these records. The way we do it is we change the description of the algorithm: we make it geometric, and we really generalize it. Because of this geometric description, we can give a different analysis, and this is actually the first sound analysis. There have been analyses before, but there used to be a gap between the analyses and the experiments. And because of this description, we are also able to optimize the selection of parameters.

So roughly, what we are doing is unifying Schnorr's algorithm with Schnorr's algorithm. What do I mean? Random sampling was invented by Schnorr. And ten years before, Schnorr invented with his students another algorithm called pruned enumeration, which is very well known, very classical, and used in many records. So we unify both of these algorithms. Okay, so that's what we are doing.

This is not the first lattice talk at Eurocrypt, so we know that a lattice is a discrete subgroup of R^n, which means that every point is isolated. Or we can view a lattice as the set of all integer linear combinations of some linearly independent vectors. So typically you view it as a matrix. Okay.
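For reference, a minimal way to write down that last definition (a standard formula, not taken from the slides), with B the basis matrix whose columns are the linearly independent vectors b_1, ..., b_n:

```latex
\mathcal{L}(B) \;=\; \{\, B x \;:\; x \in \mathbb{Z}^n \,\}
           \;=\; \Bigl\{\, \textstyle\sum_{i=1}^{n} x_i\, b_i \;:\; x_i \in \mathbb{Z} \,\Bigr\}
```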
So we're familiar with this. There are a lot of hard lattice problems, and essentially they come down to this generic problem: I give you a lattice and I give you some n-dimensional ball, and you want to decide if the intersection between the lattice and the ball is non-trivial. And if it is non-trivial, you want to find a point. There are essentially two settings. Either there are many solutions, like here; that's the case of SIS or ISIS. Or you are in the unique setting where there is actually only one solution, a very special one, and you want to find it; that's BDD, bounded distance decoding. There are many other problems like that. Okay, so this is the generic lattice problem.

So enumeration: what is enumeration? Enumeration is just the simplest method to solve this hard lattice problem, and it goes back to the 70s. If you didn't know anything about lattices, this is probably the algorithm you would come up with if you thought about it. So what is the setting? Again, you have a lattice, and this time I'm going to restrict to a small ball, and I want the number of points in the intersection to be small. And what I want is that, with this enumeration, I find all the points in the intersection. The good thing is that it's very simple and widely used. The problem is that it's very expensive: it's super-exponential. So in small dimension it's okay, but in high dimension you feel it. And what is interesting is that the cost is actually much larger than the number of solutions.

So how does it work? I'm not going to describe it in detail. I'm just going to say that the key idea behind enumeration is to project. When you project, of course, you never increase the norms. Unfortunately, when you project a lattice, it may not be a lattice anymore. However, if you project onto nice subspaces, it is still a lattice, and in particular it has a lower dimension. If you project enough, you come back to a one-dimensional lattice, and then enumeration is very easy. So that's what you do: you do a depth-first search of a gigantic tree. At the lowest level, you have a one-dimensional lattice, and then you lift it step by step.

Okay, so what is pruning? As we saw, enumeration is super-exponential, so we want to speed things up. What is the main idea? Suppose that we don't need all the points in the intersection; suppose that we only need one vector. Can we make enumeration faster? The first algorithm to do this goes back to the 90s, with the work of Schnorr and Euchner, and Schnorr and Hörner. So here's the setting: you have a lattice, you still have your ball, but this time you have a third parameter, a pruning set. And this time, what you're going to do is enumerate a smaller set: you intersect your initial set with this pruning set. So what you actually do is enumerate this set, and then you filter the points which are inside the ball. Why would you do that? You do that because, with a special choice of set, this is going to be much faster than the initial enumeration. The downside, of course, is that maybe you're going to find nothing. Maybe this intersection is now too small; it may give you an empty set, or only the zero vector, and then you have found absolutely nothing. So how do you analyze this? You want to make sure that you're finding something.
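Here is a minimal Python sketch of that enumerate-then-filter step, just to fix ideas; it is not the speaker's code, and `enumerate_pruning_set` is a hypothetical generator yielding the lattice points of the pruning set (a real implementation enumerates that set directly with the depth-first tree search described above).

```python
import numpy as np

def pruned_enumeration(enumerate_pruning_set, radius):
    """Generic pruned enumeration: enumerate the (smaller) pruning set P,
    then keep only the lattice points that also lie inside the ball of
    the given radius."""
    solutions = []
    for v in enumerate_pruning_set():          # lattice points of P, as numpy arrays
        if np.linalg.norm(v) <= radius:        # filter: keep points inside the ball
            solutions.append(v)
    return solutions
```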
So one of the big problems with the early analyses is that the enumeration algorithm is actually deterministic. So when you want to talk about probability, about success probability, you have to be very careful. The trick is that this pruning set is actually randomized: it's a random variable, because it depends on your choice of a randomized reduced basis. And now we can talk about success probability. We're going to say that we get something if this intersection is non-trivial. Of course you could ask: how do you compute this probability? It looks very difficult. But thanks to Gauss, we know how to heuristically count lattice points in a set. We know that when we intersect a set with a lattice, we can estimate the number of points by dividing volumes: roughly the volume of the set divided by the covolume of the lattice. That's what Gauss did a long time ago. So we're going to do the same thing, and it comes back to computing volumes of sets.

If you do this, you get a very natural algorithm, which goes back to 2010. You repeat: generate this random pruning set, then enumerate this small intersection. And even if the probability of success is tiny, maybe this is still much faster than the initial enumeration. And actually, that was shown in 2010.

So now we are set. The question is just: how do we select this set? Until now, we only knew one choice of set, the one of Schnorr, and it's actually a cylinder intersection. If you look at this picture, it's not a ball; you can see that it's an intersection of several cylinders. Okay? That was the initial choice. Why do we choose this set? It's because of the way enumeration works, so it's a very natural choice. Today I'm going to describe another choice, which I call discrete pruning. Here, the set will be completely different: it will not be a cylinder intersection. Instead, it's going to be a union of cells, and in particular a union of many boxes.

Okay, so what is enumeration with discrete pruning? I'm not going to describe the early description of random sampling. What I'm going to say is that the problem with those analyses is that they tried to analyze the distribution of certain lattice points. That was very tricky, and it brings you to funny assumptions, and we know they are not satisfied in practice. That's why there was a gap between experiments and analysis. So we're going to change the point of view. We're going to adopt a geometric point of view, and I'm going to argue that it's all about partitioning the space.

So how do you do that? I'm going to consider a partition of the space in such a way that the cells are disjoint, of course, and each cell can be opened. What does that mean? It means that each cell contains one and only one lattice point, and I can find it in polynomial time: given any tag, I can compute this intersection. Intuitively, when I was a kid I loved these chocolate eggs. So imagine you fill the space with these eggs, and every time you open an egg, inside is a lattice point, and you can find it. The problem is that you don't know beforehand how short it's going to be. So, I mean, you have to be lucky.

So how do you do discrete pruning? Now it's very simple. You have this partition, so the most natural thing to do is just to take a finite number of cells. Let's fix a finite set of cells: you open each of these cells, and filter the points which are inside the ball.
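A minimal sketch of that loop, under the notation just introduced; this is an illustration rather than the speaker's implementation, and `open_cell` stands for the hypothetical polynomial-time cell-opening oracle that maps a tag to the unique lattice point of its cell.

```python
import numpy as np

def discrete_pruning(tags, open_cell, radius):
    """Discrete pruning as just described: for each tag in the chosen finite
    set, open the corresponding cell (recover its unique lattice point) and
    keep the points that fall inside the ball."""
    found = []
    for t in tags:
        v = open_cell(t)                          # the single lattice point of cell C(t)
        if 0 < np.linalg.norm(v) <= radius:       # discard zero and points outside the ball
            found.append(v)
    return found
```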
Then it's obvious that when you do this, the running time of one pass is just the number of tags that you took, up to a polynomial factor per cell. And each iteration is going to succeed with the heuristic probability from before. So if I want to estimate this probability, I just need to compute this volume. But because I took a partition, the volume is very easy: it's the sum of the volumes, because the cells are disjoint. So if I want to compute the success probability, I just need to be able to compute the volume of the intersection of a cell with a ball. And notice something: the running time of an iteration is now linear in the number of points, if we don't count the ball check. So in some sense it's optimal here.

So there are many issues. The algorithm is now very simple, but how do we choose the parameters? First of all, how do we choose the lattice partition? How do we compute these intersection volumes? And how do we select the cells? We're going to do something different from what was done before: we're going to choose the cells maximizing the volume. But how can we really do it efficiently?

So first, which lattice partition? If you are familiar with lattices, you will easily come up with partitions coming from fundamental domains, and we'll see that in a minute. The first one corresponds to the integers, the n-dimensional integer vectors, and you can open it with Babai's algorithm. And you can also do it with the natural numbers, the non-negative integers, and that one is quite funny. Both of these partitions were implicit in earlier work; they didn't mention partitions, but this is really what is happening.

First, the trivial partition. When you have the definition of a lattice, the most natural way to partition the space is to do this: you can tag any lattice point by an integer vector, and the cell opening is just a matrix-vector product. Unfortunately, it's completely useless, because you don't learn anything by doing this. So we want something more interesting. How do we do it? First, consider dimension one. In dimension one, the lattice is just the multiples of some vector; let's say it's this one here. So how do we partition the line in such a way that each cell contains only one lattice point? The most natural thing is to round. So this would be the zero cell, this would be the one cell, this would be the minus-one cell. You can see there's only one lattice point in each cell, okay? That corresponds to the one-dimensional Babai partition. But you can also do it with non-negative integers, like this: this is zero, one, two, three, and you see the cells are not connected anymore. The only thing is, to break ties you have to be careful: minus one only belongs to the green cell, and one belongs to the yellow one, okay? So that's easy in dimension one.

How do we do it in higher dimension? You generalize using projections. The formal way to do it is to use the Gram-Schmidt orthogonalization, but you can see from the picture: you just have to project the lattice nicely. When you do that, the most natural thing to do is Babai's partition, and you get this, okay? You see, I can tile the space with these boxes, there's only one lattice point inside each box, and it corresponds to my one-dimensional example. How do I find this lattice point? Well, fortunately, a long time ago, Babai invented an algorithm to do this; it's actually a subroutine of LLL. So if you're familiar with LLL, you know what I'm talking about. So let's see it more with colors.
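For reference, here is a short Python sketch of Babai's nearest-plane algorithm, which acts as the cell-opening procedure for the Babai partition just described; this is my own illustration, assuming the basis vectors are the rows of B, not code from the talk.

```python
import numpy as np

def gram_schmidt(B):
    """Gram-Schmidt orthogonalization of the rows of B (no normalization)."""
    n = B.shape[0]
    Bstar = B.astype(float).copy()
    for i in range(n):
        for j in range(i):
            mu = np.dot(B[i], Bstar[j]) / np.dot(Bstar[j], Bstar[j])
            Bstar[i] = Bstar[i] - mu * Bstar[j]
    return Bstar

def babai_nearest_plane(B, target):
    """Returns the unique lattice point of the Babai cell containing `target`,
    processing Gram-Schmidt directions from last to first (the same step
    used inside LLL's size reduction)."""
    Bstar = gram_schmidt(B)
    b = np.asarray(target, dtype=float).copy()
    v = np.zeros_like(b)
    for i in reversed(range(B.shape[0])):
        c = round(np.dot(b, Bstar[i]) / np.dot(Bstar[i], Bstar[i]))
        v = v + c * B[i]          # accumulate the lattice point
        b = b - c * B[i]          # reduce the target along this direction
    return v
```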
What happens if I take now the natural partition? This is how it looks. When I was projecting, I was getting these non-connected cells, and here is what happens in higher dimension: you see, here a cell is a union of four boxes, okay? And here is the formal definition using the Gram-Schmidt vectors, and you do the opening the same way as before.

Okay, so now we have a problem. We have chosen the partition; we need to compute these intersection volumes, where one set is a ball and the other is a box, or a union of symmetric boxes like in the natural partition. The good thing is that we can do it. It's a nice exercise. We get explicit formulas, we get infinite-series formulas, and in practice we use a fast inverse Laplace transform to compute the volume of the intersection of a ball with a box.

So here is an application: now we understand why the FK15 algorithm of Fukase and Kashiwabara was better than Schnorr's algorithm. They had much bigger volumes. That's why, in the Japanese records, it was faster than Schnorr's algorithm. That's using this computation.

How can we compute the best cells? Unfortunately, we cannot do it with our volume computation, because it's too slow. But there is a good heuristic: we can select the cells by minimizing this expectation, because a cell is a box, and when it's a box, it's very easy to compute this expectation. And it turns out it's possible to find all the cells minimizing this value, and they are almost the same cells as the ones with the largest volumes. So here is the curve: I take the largest-volume cells and you can see that, apart from a few of them, these are the ones with minimal expectation. So that's very useful.

How do we estimate the success probability? I was watching the US election like many people, and I realized we don't need to compute each term to approximate the sum. We can just do it like in polling: we sample a few thousand cells and then we extrapolate. Pollsters get a one-percent margin, and here it's not as important as the US election, obviously, so if I make an error, it's not a big deal; a one-percent error I can tolerate. And that's how we obtain sound success probabilities for discrete pruning: we can really estimate the number of points found in practice, and it matches the experiments for the first time.

Okay, so now you're asking: is it better than the old pruning? It turns out that it's not an easy question. Sometimes it's faster, sometimes it's slower. It turns out it's faster when the number of tags is small, when the dimension is high, and when the basis is not too strongly reduced. There are some benefits to discrete pruning: it's very easy to parallelize, which means it's very easy to implement on GPUs, and it's very easy to generate parameters compared to cylinder pruning. If you want to optimize the basis, intuitively you would like to minimize the sum of the Gram-Schmidt norms. So all I want to say is that the best basis for this pruning may not be the best basis for the old pruning.

And that brings me to the conclusion. What we did is unify Schnorr's algorithms, one from the 90s and one from the 2000s. We view random sampling as really an enumeration; so the name is actually not good, it should really be called an enumeration. And we analyzed it in the same way as in 2010, under only the Gaussian heuristic, so we get rid of these funny assumptions. The only difference is that instead of cylinders, we have to deal with boxes.
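A minimal sketch of the cell-selection heuristic mentioned a moment ago, again my own illustration rather than the speaker's code: it ranks tags of the natural partition by the expected squared norm of a point uniform in the cell, under the assumption that coordinate i (along the Gram-Schmidt direction b_i*) lies uniformly in plus or minus (t_i/2, (t_i+1)/2] scaled by ||b_i*||, which gives a per-coordinate second moment of (3t^2 + 3t + 1)/12.

```python
import numpy as np

def expected_squared_norm(tag, gs_norms):
    """Expected squared norm of a uniform point in the natural-partition cell
    with the given tag; gs_norms are the Gram-Schmidt norms ||b_i*||."""
    t = np.asarray(tag, dtype=float)
    g = np.asarray(gs_norms, dtype=float)
    return float(np.sum((3 * t**2 + 3 * t + 1) / 12.0 * g**2))

def best_tags(candidate_tags, gs_norms, m):
    """Keep the m candidate tags with the smallest expectation; as noted in
    the talk, this ranking closely tracks ranking by intersection volume."""
    return sorted(candidate_tags, key=lambda t: expected_squared_norm(t, gs_norms))[:m]
```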
We introduced new tools: how to compute the volume of a ball-box intersection, and how to approximate a sum of many such volumes. And we showed how to generate nearly optimal parameters, so we can find the best cells. There are a lot of interesting open problems. You could ask: what is the best form of pruning? Now we can do concrete comparisons for fixed parameters, but asymptotically, what is going on? Is it cylinder pruning? Is it discrete pruning? Is it something different? Is it a mix? It's also clear that we need to adapt blockwise lattice reduction to discrete pruning, because discrete pruning allows you, as opposed to cylinder pruning, to tackle very large blocks. So the big question is: what is the best reduction algorithm for discrete pruning? And that's all I wanted to say. Thank you for your attention.