Generating cryptographically-strong random lattice bases and recognizing rotations of $\mathbb{Z}^n$
Tamar Lichter Blanks, Stephen D. Miller

TL;DR
This paper evaluates methods for generating random lattice bases in cryptography, revealing that some commonly used algorithms produce weak instances susceptible to efficient recognition of lattice rotations, while proposing stronger alternatives.
Contribution
The paper compares various algorithms for sampling random elements of $GL(n,\mathbb{Z})$, identifying weaknesses in standard methods and introducing more secure alternatives for cryptographic applications.
Findings
The standard unipotent-generator algorithm produces instances that can be efficiently broken, even at high dimensions.
The basis generation method of the DRS NIST PQC submission is vulnerable at its 256-bit security level.
Some older and some newer algorithms produce stronger, more secure bases.
Abstract
Lattice-based cryptography relies on generating random bases which are difficult to fully reduce. Given a lattice basis (such as the private basis for a cryptosystem), all other bases are related by multiplication by matrices in $GL(n,\mathbb{Z})$. We compare the strengths of various methods to sample random elements of $GL(n,\mathbb{Z})$, finding some are stronger than others with respect to the problem of recognizing rotations of the lattice. In particular, the standard algorithm of multiplying unipotent generators together (as implemented in Magma's RandomSLnZ command) generates instances of this last problem which can be efficiently broken, even in dimensions nearing 1,500. Likewise, we find that the random basis generation method in one of the NIST Post-Quantum Cryptography competition submissions (DRS) generates instances which can be efficiently broken, even at its…
