High performance algorithms for lattice-based cryptanalysis

Author

  • Artur Mariano
Abstract

With quantum computing, classical cryptosystems such as RSA can easily be broken. Today, lattice-based cryptography stands out as one of the most promising and prominent post-quantum types of cryptosystem. The cryptanalysis of new types of cryptography is a crucial part of their development, as it allows one to understand and improve the degree of security of these systems. Just as the security of RSA is deeply connected to the factorization of large integers, the security of lattice-based cryptography revolves around lattice problems such as the Shortest Vector Problem (SVP). While the cryptography community has developed in-depth theoretical knowledge of the algorithms that solve these problems (which we also refer to as attacks), the practical performance of these algorithms is commonly not well understood. In particular, the practical performance of many classes of attacks is not congruent with theoretical expectations. This gap in knowledge is problematic because the security parameters of cryptosystems are selected based on the asymptotic complexity of the available attacks, but only those attacks that are proven to be practical and scalable are considered. Therefore, if some theoretically strong algorithms are erroneously ruled out of this process because they are believed to be impractical or not scalable, the security parameters of cryptosystems may not be appropriate: overly strong parameters lead to inefficient cryptosystems, while overly weak parameters render cryptosystems insecure. This is why one must determine the real potential of attacks in practice. The key to this understanding is to consider the underlying computer architecture and its influence on the performance of these algorithms, so that the algorithm can be mapped effectively onto the architecture. This means, in particular, developing appropriate parallelization methods for these algorithms, as all modern computer architectures employ parallel units of various flavours. This thesis aims to fill this gap in knowledge by describing computational analyses and techniques to parallelize and optimize attacks, with a focus on sieving algorithms, on modern parallel computer architectures. In particular, we show that (i) lattice basis reduction algorithms can benefit greatly from cache-friendly data structures and scale well if the right parameters are used, (ii) enumeration algorithms can scale linearly and super-linearly if appropriate mechanisms are employed, and (iii) sieving algorithms can be implemented in such a way that very good scalability is achieved, even for high core counts, if the properties of the algorithms are slightly relaxed. Throughout the thesis, we also provide heuristics to enhance the practical performance of specific algorithms, and various practical optimizations, especially related to memory access.


Similar sources

A Performance Survey of Meta-Heuristic And Brute-Force Search Algorithms to Cryptanalysis The SDES Encryption Algorithm

For many years, cryptanalysis has been considered an attractive topic in jeopardizing the security and resistance of an encryption algorithm. The SDES encryption algorithm is a symmetric cryptography algorithm that performs a cryptographic operation using a crypt key. In the world of encryption, there are many search algorithms for cryptanalysis. In these researches, brute force attack algori...


Lattice based Attacks on Small Private Exponent RSA: A Survey

Lattice basis reduction algorithms have contributed a lot to the cryptanalysis of the RSA cryptosystem. With Coppersmith's theory of polynomials, these algorithms search for weak instances of number-theoretic cryptography, mainly RSA. In this paper we present several lattice-based attacks on low private exponent RSA.


Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign

We provide a brief history and overview of lattice-based cryptography and cryptanalysis: shortest vector problems, closest vector problems, the subset sum problem and knapsack systems, GGH, Ajtai-Dwork and NTRU. A detailed discussion of the algorithms NTRUEncrypt and NTRUSign follows. These algorithms have attractive operating speed and key size and are based on hard problems that are seemingly int...


Security of Sponge structures

The sponge structure is a construction widely used in the design of cryptographic algorithms; it reduces the design of the algorithm to the design of a permutation or pseudo-random function. The development of sponge-based algorithms and the selection of designs based on this structure in the SHA3 and CAESAR competitions increase the need to examine its security against various types of attacks. In the ...


Acoustic and word lattice based algorithms for confidence scores

Word confidence scores are crucial for unsupervised learning in automatic speech recognition. In the last decade there has been a flourish of work on two fundamentally different approaches to computing confidence scores. The first paradigm is acoustic and the second is based on word lattices. The first approach is data-intensive and requires explicitly modelling the acoustic channel. The second ...




Publication date: 2016