DOCSLIB.ORG

Fast Implementation of LSH with SIMD

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Fast Implementation of LSH with SIMD Received July 13, 2019, accepted July 25, 2019, date of publication July 30, 2019, date of current version August 16, 2019. Digital Object Identifier 10.1109/ACCESS.2019.2932129 Fast Implementation of LSH With SIMD DONGYEONG KIM1, YOUNGHOON JUNG2, YOUNGJIN JU 1, AND JUNGHWAN SONG1 1Department of Mathematics, Research Institute for Natural Sciences, Hanyang University, Seoul 04763, South Korea 2The Affiliated Institute of ETRI, Daejeon 341293, South Korea Corresponding author: Junghwan Song ([email protected]) This work was supported by the Institute for Information and Communications Technology Planning and Evaluation (IITP) funded by the Korean Government (MSIT) under Grant 2017-0-00267. ABSTRACT In this paper, we propose a method of efficient software implementation for the cryptographic hash function LSH with single instruction multiple data (SIMD). The method is based on word-wise 0 D ◦ ◦ −1 0 permutations of LSH. Using the modified functions Stepj P Stepj P and MsgExp instead of the −1 original step function Stepj and message expansion function MsgExp, where P is a permutation and P is the inverse permutation of P, we show that the number of the SIMD instructions for implementing LSH is reduced. For efficient implementation of LSH in other environments (e.g., MIMD), various types of word permutations are listed. INDEX TERMS Software implementation, word-wise permutation, SIMD, hash function, LSH, ARX. I. INTRODUCTION 128, 256, and 512 bits. For a 128-bit resister, each resister Cryptographic hash functions are necessary for constructing has four 32-bit or two 64-bit sections of data. Thus, one a system of information security. Generally, they are used operation for an 128-bit resister is equivalent to four 32-bit for authentication, providing both data integrity and entity operations or two 64-bit operations. When implementing integrity [1]–[4]. A cryptographic hash function is a function cryptographic algorithms, SIMD is used for various pur- that maps an input to a fixed output satisfying the following poses such as resistance to side-channel attacks [9], [10] cryptographic resistance properties [5]. and efficient implementations [11]–[16]. There has not been 1. Preimage resistance: for essentially all pre-specified any research on overcoming weakness using SIMD with a outputs, it is computationally infeasible to find an input that cipher For these reasons, BLAKE2 [17] and LSH are crypto- hashes to that output. graphic algorithms having advantage of implementation with 2. 2nd preimage resistance: it is computationally infeasible SIMD. BLAKE2, SIMON/SPECK [18], and LEA [19] were to find another input that hashes the same output as a specified implemented using SIMD in [11]–[13]. However, to the best input. out knowledge, our research is the first to have an efficient 3. Collision resistance: it is computationally infeasible to implementation via SIMD by changing the representation find any two distinct inputs that hash to the same output. of a cryptographic algorithm. In this paper, we show how From the output of a cryptographic hash function, it should to implement a cryptographic hash function LSH efficiently be computationally difficult to find the corresponding input. with SIMD by representing the LSH using P and P−1, where Additionally, for a given input, it should be difficult to find P is a permutation and P−1 is the inverse of P. Note that com- another input that hashes to the same output. Because of plexity is considered as the number of SIMD instructions and these aspects, a cryptographic hash function is used in various their latency, not the number of XOR and modular additions. fields, such as a message authentication code (MAC), key This metric is necessary for finding conditions that reduce derivation function (KDF), and a pseudo-random number the number of SIMD instructions and use SIMD instructions generator. LSH [6] is a cryptographic hash function that with low latency when an algorithm is implemented. was designed by NSRI [7] (National Security Research For example, a case in which a permutation in a reg- Institute). SIMD [8] is a class of parallel computing. SIMD ister composed of four 32-bit words is implemented. If a is an instruction set that performs the same operations on word-wise permutation is operated in a register, then only a multiple data simultaneously. A core element of SIMD is a single SIMD instruction is needed, ``_mm_shuffle_epi32’'. register. SIMD has registers in with various lengths such as However, if the word-wise permutation is the identity, then there is no need for an SIMD instruction. In The associate editor coordinating the review of this manuscript and another example, assuming that two 64-bit words com- approving it for publication was Xiangxue Li. pose a register, if a word-wise permutation is operated 2169-3536 2019 IEEE. Translations and content mining are permitted for academic research only. 107016 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 7, 2019 See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. D. Kim et al.: Fast Implementation of LSH With SIMD A. NOTATIONS W t : Set of t-word arrays X ⊕ Y : Bit-wise exclusive-or of X and Y . w X Y : X C Y mod 2 . X nr : r bits left rotation of word X. FIGURE 1. Wide-pipe merkle-damgard construction. M (i) VD (M (i)[0]; ··· ; M (i)[31]): The i-th 32-word array message block. in two mixed registers, then three SIMD instructions are M (i) VD (M (i)[0]; ··· ; M (i)[15]): The j-th 16-word array sub- needed as follows: ``_mm_unpacklo_epi64'', ``_mm_unpac- j j j message generated from the i-th message M (i): khi_epi64'', and ``_mm_shuffle_epi32’'. The instruction SC VD (SC [0]; ··· ; SC [7]): The j-th 8-word array step ``_mm_uppacklo_epi64'' extracts the left 64-bit word in the j j j constant. two registers, and ``_mm_unpackhi_epi64'' extracts the right T VD (T [0]; ··· ; T [15]): The 16-word array temporary vari- 64-bit word in the two registers. Additionally, the instruction able used in a step function. ``_mm_shuffle_epi32’' is used to permute in 32-bit units. P: A word-wise permutation on 16 words If each of the two 64-bit words still remain in their same registers, then ``_mm_unpacklo_epi64'' and P(T ) VD P(T [0]; ··· ; P[15]) VD (T [P(0)]; ··· ; T [P(15)]) ``_mm_unpackhi_epi64'' are not needed for a word-wise P(T [i]) VD T [P(i)] permutation. In this paper, conditions to reduce the number of SIMD instructions and implement SIMD instructions with Pi: A word-wise permutation on 4 words. lower latency are found. Notice that we define a permutation P that has the same This paper is organized as follows. Section II shows format for the input and output. If the input is an index i, then the specifications of LSH. Section III provides an efficient P(i) is also an index. Similarly, if the input is a word T [i], implementation method via SIMD for LSH. We demonstrate then the output is a word P(T [i]) D T [P(i)]. the method and permutation conditions needed for efficient B. MsgExp FUNCTION implementation. All permutations are categorized consider- The first two sub-messages M (i) and M (i) are defined as the ing those conditions. In Section IV, we show an optimal 0 1 first 16 words and the next 16 words of M (i), respectively. permutation for the best performance with LSH. Concluding Then the next sub-messages M (i) Ns are calculated by the remarks on the implementation performance with an optimal j jD2 following: permutation are given in Section V. For j D 2; 3; ··· ; Ns; II. SPECIFICATION OF LSH (i) (i) (i) ≤ Mj [l] Mj−1[l] Mj−2[τ(l)]; 0 l < 16 (1) In 2014, a hash function LSH was published by D. Kim et al. at International Conference on Information Security and Here, the permutation τ is defined by Table1. Cryptology, designed specifically to enhance software effi- ciency [6]. LSH was designed using wide-pipe Merkle TABLE 1. The permutation τ in MsgExp. Damgard construction (wide-pipe MD construction) [20]. The design of the compression function for LSH is based on ARX (Addition (), Rotation (n), and XOR (⊕)) [21]. The following describes the wide-pipe MD construction and C. Stepj FUNCTION compression function of LSH. Stepj is used Ns times repeatedly in the compression function As shown in Fig.1, the length of an internal state in a wide- f . Stepj is composed of three functions MsgAdd, Mixj, and pipe MD construction is 2n bits, which is twice the length of σ as an output with n bits. Let w be the number of bits in a word. Stepj D σ ◦ Mixj ◦ MsgAdd: (2) LSH-8w-n can represents any of the following LSHs: LSH- 256-224, LSH-256-256, LSH-512-224, LSH-512-256, LSH- MsgAdd: 512-384, and LSH-512-512. Each has a different initializing MsgAdd V W 16 × W 16 ! W 16 value IV . The generating method of IV is given in [6]. (i) D (i) The structure of the compression function f in an LSH is MsgAdd(T ; Mj ) (T [0] Mj [0]; ARX-based. The number of bits for the input of f is 48w, ··· (i) ; T [15] Mj [15]) (3) and that of the output is 16w. The compression function f transforms 16-word and 32-word messages into 16-word Mixj: messages. Each f contains the MsgExp function, Step (for 16 16 j Mixj V W ! W j D 1; ··· ; Ns), as well as the MsgAdd function. The number 0 0 Mixj(T ) D (T [0]; ··· ; T [15]); of steps Ns is selected as follows: where (T 0[l]; T 0[l C 8]) Mix (T [l]; T [l C 8]); Ns D 26 if the number of bits in w is 32, j;l Ns D 28 if the number of bits in w is 64.
Load more

Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
    Radboud University Nijmegen Faculty of Science Kerckhoffs Institute Master of Science Thesis GPU-based Password Cracking On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units by Martijn Sprengers [email protected] Supervisors: Dr. L. Batina (Radboud University Nijmegen) Ir. S. Hegt (KPMG IT Advisory) Ir. P. Ceelen (KPMG IT Advisory) Thesis number: 646 Final Version Abstract Since users rely on passwords to authenticate themselves to computer systems, ad- versaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for crypto- graphic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent pass- word hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
    [Show full text]
  • BLAKE2: Simpler, Smaller, Fast As MD5
    BLAKE2: simpler, smaller, fast as MD5 Jean-Philippe Aumasson1, Samuel Neves2, Zooko Wilcox-O'Hearn3, and Christian Winnerlein4 1 Kudelski Security, Switzerland [email protected] 2 University of Coimbra, Portugal [email protected] 3 Least Authority Enterprises, USA [email protected] 4 Ludwig Maximilian University of Munich, Germany [email protected] Abstract. We present the hash function BLAKE2, an improved version of the SHA-3 finalist BLAKE optimized for speed in software. Target applications include cloud storage, intrusion detection, or version control systems. BLAKE2 comes in two main flavors: BLAKE2b is optimized for 64-bit platforms, and BLAKE2s for smaller architectures. On 64- bit platforms, BLAKE2 is often faster than MD5, yet provides security similar to that of SHA-3: up to 256-bit collision resistance, immunity to length extension, indifferentiability from a random oracle, etc. We specify parallel versions BLAKE2bp and BLAKE2sp that are up to 4 and 8 times faster, by taking advantage of SIMD and/or multiple cores. BLAKE2 reduces the RAM requirements of BLAKE down to 168 bytes, making it smaller than any of the five SHA-3 finalists, and 32% smaller than BLAKE. Finally, BLAKE2 provides a comprehensive support for tree-hashing as well as keyed hashing (be it in sequential or tree mode). 1 Introduction The SHA-3 Competition succeeded in selecting a hash function that comple- ments SHA-2 and is much faster than SHA-2 in hardware [1]. There is nev- ertheless a demand for fast software hashing for applications such as integrity checking and deduplication in filesystems and cloud storage, host-based intrusion detection, version control systems, or secure boot schemes.
    [Show full text]
  • Secure Multi Keyword Fuzzy with Semantic Expansion Based Search Over Encrypted Cloud Data
    SECURE MULTI KEYWORD FUZZY WITH SEMANTIC EXPANSION BASED SEARCH OVER ENCRYPTED CLOUD DATA ARFA BAIG Dept of Computer Science & Engineering B.N.M Institute of Technology, Bangalore, India E-mail: [email protected] Abstract— The initiation of cloud computing has led to ease of access in Internet-based computing and is commonly used for web servers or development systems where there are security and compliance requirements. Nevertheless, some of the confidential information has to be encrypted to avoid any intrusion. Henceforward as an attempt, a semantic expansion based multi- keyword fuzzy search provides solution over encrypted cloud data by using the locality-sensitive hashing technique. This solution returns not only the accurately matched files, but also the files including the terms semantically related to the query keyword. In the proposed scheme fuzzy matching is achieved through algorithmic design rather than expanding the index files. It also eradicates the need of a predefined dictionary and effectively supports multiple keyword fuzzy search without increasing the index or search complexity. The indexes are formed based on locality sensitive hashing (LSH), the result files are returned according to the total relevance score. Index Terms—Multi keyword fuzzy search, Locality Sensitive Hashing, Secure Semantic Expansion. support fuzzy search and also required the use of pre- I. INTRODUCTION defined dictionary which lacked scalability and Cloud computing is a form of computing that depends flexibility for modification and updation of the data. on sharing computing resources rather than having These drawbacks create the necessity of the new local servers or personal devices to handle technique of multi keyword fuzzy search.
    [Show full text]
  • Efficient Hashing Using the AES Instruction
    Efficient Hashing Using the AES Instruction Set Joppe W. Bos1, Onur Özen1, and Martijn Stam2 1 Laboratory for Cryptologic Algorithms, EPFL, Station 14, CH-1015 Lausanne, Switzerland {joppe.bos,onur.ozen}@epfl.ch 2 Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom [email protected] Abstract. In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockci- pher with AES, which allows us to exploit the recent AES instruction set (AES- NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL- 256. Although we primarily target architectures supporting AES-NI, our frame- work has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi- block-length hash functions in software. 1 Introduction Historically, the most popular way of constructing a hash function is to iterate a com- pression function that itself is based on a blockcipher (this idea dates back to Ra- bin [49]). This approach has the practical advantage—especially on resource-constrained devices—that only a single primitive is needed to implement two functionalities (namely encrypting and hashing). Moreover, trust in the blockcipher can be conferred to the cor- responding hash function. The wisdom of blockcipher-based hashing is still valid today. Indeed, the current cryptographic hash function standard SHA-2 and some of the SHA- 3 candidates are, or can be regarded as, blockcipher-based designs.
    [Show full text]
  • Lower Bounds on Lattice Sieving and Information Set Decoding
    Lower bounds on lattice sieving and information set decoding Elena Kirshanova1 and Thijs Laarhoven2 1Immanuel Kant Baltic Federal University, Kaliningrad, Russia [email protected] 2Eindhoven University of Technology, Eindhoven, The Netherlands [email protected] April 22, 2021 Abstract In two of the main areas of post-quantum cryptography, based on lattices and codes, nearest neighbor techniques have been used to speed up state-of-the-art cryptanalytic algorithms, and to obtain the lowest asymptotic cost estimates to date [May{Ozerov, Eurocrypt'15; Becker{Ducas{Gama{Laarhoven, SODA'16]. These upper bounds are useful for assessing the security of cryptosystems against known attacks, but to guarantee long-term security one would like to have closely matching lower bounds, showing that improvements on the algorithmic side will not drastically reduce the security in the future. As existing lower bounds from the nearest neighbor literature do not apply to the nearest neighbor problems appearing in this context, one might wonder whether further speedups to these cryptanalytic algorithms can still be found by only improving the nearest neighbor subroutines. We derive new lower bounds on the costs of solving the nearest neighbor search problems appearing in these cryptanalytic settings. For the Euclidean metric we show that for random data sets on the sphere, the locality-sensitive filtering approach of [Becker{Ducas{Gama{Laarhoven, SODA 2016] using spherical caps is optimal, and hence within a broad class of lattice sieving algorithms covering almost all approaches to date, their asymptotic time complexity of 20:292d+o(d) is optimal. Similar conditional optimality results apply to lattice sieving variants, such as the 20:265d+o(d) complexity for quantum sieving [Laarhoven, PhD thesis 2016] and previously derived complexity estimates for tuple sieving [Herold{Kirshanova{Laarhoven, PKC 2018].
    [Show full text]
  • NISTIR 7620 Status Report on the First Round of the SHA-3
    NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul NISTIR 7620 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Andrew Regenscheid Ray Perlner Shu-jen Chang John Kelsey Mridul Nandi Souradyuti Paul Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director NISTIR 7620: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
    [Show full text]
  • High-Speed Hardware Implementations of BLAKE, Blue
    High-Speed Hardware Implementations of BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein Version 2.0, November 11, 2009 Stefan Tillich, Martin Feldhofer, Mario Kirschbaum, Thomas Plos, J¨orn-Marc Schmidt, and Alexander Szekely Graz University of Technology, Institute for Applied Information Processing and Communications, Inffeldgasse 16a, A{8010 Graz, Austria {Stefan.Tillich,Martin.Feldhofer,Mario.Kirschbaum, Thomas.Plos,Joern-Marc.Schmidt,Alexander.Szekely}@iaik.tugraz.at Abstract. In this paper we describe our high-speed hardware imple- mentations of the 14 candidates of the second evaluation round of the SHA-3 hash function competition. We synthesized all implementations using a uniform tool chain, standard-cell library, target technology, and optimization heuristic. This work provides the fairest comparison of all second-round candidates to date. Keywords: SHA-3, round 2, hardware, ASIC, standard-cell implemen- tation, high speed, high throughput, BLAKE, Blue Midnight Wish, Cube- Hash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, Skein. 1 About Paper Version 2.0 This version of the paper contains improved performance results for Blue Mid- night Wish and SHAvite-3, which have been achieved with additional imple- mentation variants. Furthermore, we include the performance results of a simple SHA-256 implementation as a point of reference. As of now, the implementations of 13 of the candidates include eventual round-two tweaks. Our implementation of SIMD realizes the specification from round one. 2 Introduction Following the weakening of the widely-used SHA-1 hash algorithm and concerns over the similarly-structured algorithms of the SHA-2 family, the US NIST has initiated the SHA-3 contest in order to select a suitable drop-in replacement [27].
    [Show full text]
  • Reducing the Impact of Dos Attacks on Endpoint IP Security
    Reducing the Impact of DoS Attacks on Endpoint IP Security Joseph D. Touch and Yi-Hua Edward Yang USC/ISI [email protected] / [email protected] 1 Abstract some attack traffic. These results also indicate that this technique becomes more effective as the algorithm IP security is designed to protect hosts from attack, becomes more computationally intensive, and suggest but can itself provide a way to overwhelm the that such hierarchical intra-packet defenses are needed resources of a host. One such denial of service (DoS) to avoid IPsec being itself an opportunity for attack. attack involves sending incorrectly signed packets to a host, which then consumes substantial CPU resources 2. Background to reject unwanted traffic. This paper quantifies the impact of such attacks and explores preliminary ways Performance has been a significant issue for to reduce that impact. Measurements of the impact of Internet security since its inception and affects the DoS attack traffic on PC hosts indicate that a single IPsec suite both at the IKE (session establishment) and attacker can reduce throughput by 50%. This impact IPsec (packets in a session) level [10][11]. This paper can be reduced to 20% by layering low-effort nonce focuses on the IPsec level, i.e., protection for validation on IPsec’s CPU-intensive cryptographic established sessions. Previous performance analysis of algorithms, but the choice of algorithm does not have HMAC-MD5 (Hashed-MAC, where MAC means as large an effect. This work suggests that effective keyed Message Authentication Code), HMAC-SHA1, DoS resistance requires a hierarchical defense using and 3DES showed that the cost of the cryptographic both nonces and strong cryptography at the endpoints, algorithms dwarfs other IPsec overheads [6] [7] [15].
    [Show full text]
  • Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
    I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated.
    [Show full text]
  • Efficient (Ideal) Lattice Sieving Using Cross-Polytope
    Efficient (ideal) lattice sieving using cross-polytope LSH Anja Becker1 and Thijs Laarhoven2? 1 EPFL, Lausanne, Switzerland | [email protected] 2 TU/e, Eindhoven, The Netherlands | [email protected] Abstract. Combining the efficient cross-polytope locality-sensitive hash family of Terasawa and Tanaka with the heuristic lattice sieve algorithm of Micciancio and Voulgaris, we show how to obtain heuristic and prac- tical speedups for solving the shortest vector problem (SVP) on both arbitrary and ideal lattices. In both cases, the asymptotic time complex- ity for solving SVP in dimension n is 20:298n+o(n). For any lattice, hashes can be computed in polynomial time, which makes our CPSieve algorithm much more practical than the SphereSieve of Laarhoven and De Weger, while the better asymptotic complexities imply that this algorithm will outperform the GaussSieve of Micciancio and Voulgaris and the HashSieve of Laarhoven in moderate dimensions as well. We performed tests to show this improvement in practice. For ideal lattices, by observing that the hash of a shifted vector is a shift of the hash value of the original vector and constructing rerandomiza- tion matrices which preserve this property, we obtain not only a linear decrease in the space complexity, but also a linear speedup of the overall algorithm. We demonstrate the practicability of our cross-polytope ideal lattice sieve IdealCPSieve by applying the algorithm to cyclotomic ideal lattices from the ideal SVP challenge and to lattices which appear in the cryptanalysis of NTRU. Keywords: (ideal) lattices, shortest vector problem, sieving algorithms, locality-sensitive hashing 1 Introduction Lattice-based cryptography.
    [Show full text]
  • Murari Lal (India), Hideo Harasawa (Japan), and Daniel Murdiyarso (Indonesia)
    11 Asia MURARI LAL (INDIA), HIDEO HARASAWA (JAPAN), AND DANIEL MURDIYARSO (INDONESIA) Lead Authors: W.N. Adger (UK), S. Adhikary (Nepal), M. Ando (Japan), Y. Anokhin (Russia), R.V. Cruz (Philippines), M. Ilyas (Malaysia), Z. Kopaliani (Russia), F. Lansigan (Philippines), Congxian Li (China), A. Patwardhan (India), U. Safriel (Israel), H. Suharyono (Indonesia), Xinshi Zhang (China) Contributing Authors: M. Badarch (Mongolia), Xiongwen Chen (China), S. Emori (Japan), Jingyun Fang (China), Qiong Gao (China), K. Hall (USA), T. Jarupongsakul (Thailand), R. Khanna-Chopra (India), R. Khosa (India), M.P. Kirpes (USA), A. Lelakin (Russia), N. Mimura (Japan), M.Q. Mirza (Bangladesh), S. Mizina (Kazakhstan), M. Nakagawa (Japan), M. Nakayama (Japan), Jian Ni (China), A. Nishat (Bangladesh), A. Novoplansky (Israel), T. Nozawa (Japan), W.T . Piver (USA), P.S. Ramakrishnan (India), E. Rankova (Russia), T.L. Root (USA), D. Saltz (Israel), K.P. Sharma (Nepal), M.L. Shrestha (Nepal), G. Srinivasan (India), T.S. Teh (Malaysia), Xiaoping Xin (China), M. Yoshino (Japan), A. Zangvil (Israel), Guangsheng Zhou (China) Review Editors: Su Jilan (China) and T. Ososkova (Uzbekistan) CONTENTS Executive Summary 53 5 11. 2 . 4 . Oceanic and Coastal Ecosystems 56 6 11. 2 . 4 . 1 . Oceans and Coastal Zones 56 6 11. 1 . The Asian Region 53 9 11. 2 . 4 . 2 . Deltas, Estuarine, 11. 1 . 1 . Ba c k g r o u n d 53 9 and Other Coastal Ecosystems 56 7 11. 1 . 2 . Physical and Ecological Features 53 9 11.2.4.3. Coral Reefs 56 7 11. 1 . 2 . 1 . Regional Zonation 53 9 11.2.4.4.
    [Show full text]
  • Efficient Similarity Search Over Encrypted Data
    Efficient Similarity Search over Encrypted Data Mehmet Kuzu, Mohammad Saiful Islam, Murat Kantarcioglu Department of Computer Science, The University of Texas at Dallas Richardson, TX 75080, USA {mehmet.kuzu, saiful, muratk} @ utdallas.edu Abstract— In recent years, due to the appealing features of A similarity search problem consists of a collection of data cloud computing, large amount of data have been stored in the items that are characterized by some features, a query that cloud. Although cloud based services offer many advantages, specifies a value for a particular feature and a similarity metric privacy and security of the sensitive data is a big concern. To mitigate the concerns, it is desirable to outsource sensitive data to measure the relevance between the query and the data items. in encrypted form. Encrypted storage protects the data against The goal is to retrieve the items whose similarity against the illegal access, but it complicates some basic, yet important func- specified query is greater than a predetermined threshold under tionality such as the search on the data. To achieve search over the utilized metric. Although exact matching based searchable encrypted data without compromising the privacy, considerable encryption methods are not suitable to achieve this goal, there amount of searchable encryption schemes have been proposed in the literature. However, almost all of them handle exact query are some sophisticated cryptographic techniques that enable matching but not similarity matching; a crucial requirement similarity search over encrypted data [9], [10]. Unfortunately, for real world applications. Although some sophisticated secure such secure multi-party computation based techniques incur multi-party computation based cryptographic techniques are substantial computational resources.
    [Show full text]