Solving Closest Vector Instances Using an Approximate Shortest Independent Vectors Oracle
Tian CL, Wei W, Lin DD. Solving closest vector instances using an approximate shortest independent vectors oracle. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 30(6): 1370-1377, Nov. 2015.

Solving Closest Vector Instances Using an Approximate Shortest Independent Vectors Oracle

Cheng-Liang Tian (1), Wei Wei (2), and Dong-Dai Lin (1), Senior Member, CCF

(1) State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
(2) Institute for Advanced Study, Tsinghua University, Beijing, China

tianchengliang@iie.ac.cn; wei-wei08@mails.tsinghua.edu.cn; ddlin@iie.ac.cn

Received April 1, 2014; revised July 9, 2015.

Abstract  Given an $n$-dimensional lattice $L$ and some target vector, this paper studies algorithms for the approximate closest vector problem ($\mathrm{CVP}_\gamma$) that use an approximate shortest independent vectors problem oracle ($\mathrm{SIVP}_\gamma$). More precisely, if the distance between the target vector and the lattice is no larger than $\frac{c}{\gamma n}\lambda_1(L)$ for an arbitrarily large but finite constant $c > 0$, we give randomized and deterministic polynomial time algorithms that find a closest vector, while previous reductions were only known for distances up to $\frac{1}{2\gamma n}\lambda_1(L)$. Moreover, if the distance between the target vector and the lattice is larger than some quantity with respect to $\lambda_n(L)$, then using the $\mathrm{SIVP}_\gamma$ oracle and Babai's nearest plane algorithm we can solve $\mathrm{CVP}_{2\gamma\sqrt{n}}$ in deterministic polynomial time. In particular, if the approximation factor of the $\mathrm{SIVP}_\gamma$ oracle satisfies $\gamma \in (1, 2)$, we obtain a better reduction factor for CVP.

Keywords  lattice, closest vector problem, shortest independent vectors problem, reduction

1 Introduction

Lattices are discrete subgroups of $\mathbb{R}^n$. They are powerful mathematical objects that have been used to efficiently solve many important problems in computer science, most notably in the areas of cryptography and combinatorial optimization.
In lattice theory, the most important and widely studied computational problems are the shortest vector problem (SVP) and the closest vector problem (CVP). Given a lattice $L \subseteq \mathbb{R}^n$, $\mathrm{SVP}_\gamma$ is the problem of finding a non-zero lattice vector of length at most $\gamma\lambda_1(L)$, where $\lambda_1(L)$ denotes the length of the shortest non-zero lattice vector. Given a lattice $L \subseteq \mathbb{R}^n$ and a target vector $t \in \mathbb{R}^n$, $\mathrm{CVP}_\gamma$ is the problem of finding $v \in L$ such that $\|v - t\| \le \gamma\,\mathrm{dist}(t, L)$, where $\mathrm{dist}(t, L) = \min\{\|u - t\| : u \in L\}$ denotes the distance between $t$ and $L$. In 1999, Goldreich et al. [1] first studied the relationship between these two problems and gave a deterministic polynomial-time rank-preserving reduction from $\mathrm{SVP}_\gamma$ to $\mathrm{CVP}_\gamma$ for any approximation factor $\gamma \ge 1$, which implies that $\mathrm{SVP}_\gamma$ is not harder than $\mathrm{CVP}_\gamma$. It is natural to ask whether $\mathrm{CVP}_\gamma$ is strictly harder than $\mathrm{SVP}_\gamma$. In terms of known computational complexity results, the answer may be yes. For any constant $c$ and approximation factor $\gamma = n^{c/\log\log n}$, $\mathrm{CVP}_\gamma$ is NP-hard under deterministic reductions [2], while the proof that $\mathrm{SVP}_\gamma$ is NP-hard with the same approximation factor is randomized and relies on a strong complexity assumption [3]. A possible way to derandomize it is to give a deterministic reduction from $\mathrm{CVP}_\gamma$ to $\mathrm{SVP}_\gamma$. Using an exact SVP oracle, Kannan [4] presented a deterministic polynomial time algorithm for the approximate closest vector problem $\mathrm{CVP}_{\sqrt{n}}$. Ajtai et al. [5] generalized Kannan's reduction technique and proposed a $2^{O(1+1/\epsilon)n}$ time algorithm for $\mathrm{CVP}_{1+\epsilon}$ by sampling short vectors. In another survey paper [6], using the dual lattice and the transference theorem of the geometry of numbers [7], Kannan proved that $\mathrm{CVP}_{\gamma^2 n^{3/2}}$ can be reduced to $\mathrm{SVP}_\gamma$ in deterministic polynomial time. Recently, combining Kannan's lattice-embedding technique [4] with the reduction from $\mathrm{BDD}_{1/(2\gamma)}$ to $\mathrm{uSVP}_\gamma$ given by Lyubashevsky and Micciancio [8], Dubey and Holenstein [9] improved Kannan's result [6] and obtained a deterministic polynomial-time rank-preserving reduction from $\mathrm{CVP}_{\gamma^2\sqrt{n}}$ to $\mathrm{SVP}_\gamma$.

Regular Paper. This work is partially supported by the National Basic Research 973 Program of China under Grant No. 2011CB302400, the National Natural Science Foundation of China, and the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDA.
(c) 2015 Springer Science + Business Media, LLC & Science Press, China

Ajtai's groundbreaking work [10], which connects the worst-case and the average-case complexity of certain computational problems on lattices, opened the door to cryptography based on worst-case hardness. Regev's results [11] further broadened the foundation of lattice-based cryptography. Their studies show that the security of all the cryptographic protocols based on SIS (Small Integer Solution) and LWE (Learning with Errors) depends on the worst-case hardness of $\mathrm{SIVP}_\gamma$ (the definition is given in Section 2). Therefore it is essential to compare the hardness of $\mathrm{SIVP}_\gamma$, $\mathrm{SVP}_\gamma$ and $\mathrm{CVP}_\gamma$. In order to study the hardness of $\mathrm{SIVP}_\gamma$, Blömer and Seifert [12] first gave a deterministic polynomial time reduction from exact CVP to exact SIVP, but the reduction did not preserve the rank of the lattice. Combining the lattice-embedding technique with the relationship between primal and dual lattices, Micciancio [13] improved their result [12] and obtained a deterministic polynomial-time rank-preserving reduction. Furthermore, by constructing a sublattice skillfully, [13] also gave a deterministic polynomial-time rank-preserving reduction from $\mathrm{SIVP}_\gamma$ to $\mathrm{CVP}_\gamma$ for any approximation factor $\gamma \ge 1$, which implies that exact CVP and exact SIVP are equivalent and that $\mathrm{SIVP}_\gamma$ is not harder than $\mathrm{CVP}_\gamma$. Naturally, we also want to know whether $\mathrm{CVP}_\gamma$ is strictly harder than $\mathrm{SIVP}_\gamma$. In SODA 2008, Micciancio [13] proposed the following open problem.

Open Problem. Is there a deterministic polynomial time reduction from $\mathrm{CVP}_\gamma$ to $\mathrm{SIVP}_\gamma$ that preserves the rank of the lattice and the approximation factor?

Our Results. Stemming from the efforts to solve the open problem, we give a helpful exploration of the relationships between $\mathrm{SIVP}_\gamma$ and some special $\mathrm{CVP}_\gamma$ instances. More precisely, if the distance between the target vector and the lattice is less than some quantity with respect to $\lambda_1(L)$, we give randomized and deterministic polynomial time reductions from $\mathrm{BDD}_{c/(\gamma n)}$ to $\mathrm{SIVP}_\gamma$ for any constant $c > 0$, which improves the known result by a factor of $2c$. Moreover, if the distance between the target vector and the lattice is larger than some quantity with respect to $\lambda_n(L)$, then using the $\mathrm{SIVP}_\gamma$ oracle and Babai's nearest plane algorithm [14] we can solve $\mathrm{CVP}_{2\gamma\sqrt{n}}$ in deterministic polynomial time, and for a uniformly chosen target vector its distance from the lattice satisfies this constraint with probability not less than $1/2$. In particular, if the approximation factor of the $\mathrm{SIVP}_\gamma$ oracle satisfies $\gamma \in (1, 2)$, we obtain a better result.

Road Map. In Section 2, we review the necessary concepts and notation and give some useful lemmas for our proofs. Our main results are stated and proved in Sections 3 and 4. Using the $\mathrm{SIVP}_\gamma$ oracle, two algorithms for finding a closest vector when the target is close to the lattice are presented in Section 3. Section 4 gives polynomial time algorithms to approximate a closest vector when the target is far from the lattice. Finally, we conclude the paper in Section 5.

2 Preliminaries

In this section, we give the necessary concepts on lattices and some useful lemmas for our proofs. First, we fix notation. For any real $x$, $\lfloor x\rfloor$ denotes the largest integer not larger than $x$, $\lceil x\rceil$ the smallest integer not smaller than $x$, and $\lfloor x\rceil$ the integer nearest to $x$. The $n$-dimensional Euclidean space is denoted by $\mathbb{R}^n$, and $\|\cdot\|$ denotes the Euclidean norm. We use bold lower case letters (e.g., $x$) to denote vectors and bold upper case letters (e.g., $M$) to denote matrices.
The $i$-th coordinate of $x$ is denoted by $x_i$. For a set $S \subseteq \mathbb{R}^n$ and $r \in \mathbb{R}$, $rS = \{ry : y \in S\}$ denotes the scaling of $S$ by $r$.

2.1 Lattices and Lattice Problems

Lattices. A lattice consists of all integer linear combinations of some set of linearly independent vectors in Euclidean space. If $b_1, \dots, b_n \in \mathbb{R}^m$ are linearly independent, the lattice spanned by these vectors is
$$L = L(B) = \Bigl\{\sum_{i=1}^n z_i b_i : z_i \in \mathbb{Z}\Bigr\},$$
where the matrix $B = (b_1, \dots, b_n) \in \mathbb{R}^{m \times n}$ is called a basis of the lattice. The basis of a lattice $L$ is usually not unique. The number $m$ is called the dimension of the lattice $L$ and $n$ is called its rank. If $m = n$, the lattice is called full rank. In Euclidean space, every non-full-rank lattice is isomorphic to a full rank lattice, so without loss of generality we assume in the rest of the paper that all lattices are full rank. The fundamental parallelepiped of $B$ is
$$P(B) = \Bigl\{\sum_{i=1}^n x_i b_i : x_i \in [0, 1)\Bigr\}.$$
We denote the volume of the fundamental parallelepiped by $\det(L)$; it is independent of the choice of basis.

Minkowski's Minima. For any $1 \le i \le n$, the $i$-th successive minimum of a lattice $L$ is
$$\lambda_i(L) = \inf\{r > 0 : \dim(\mathrm{span}(L \cap rB(0,1))) \ge i\},$$
where $B(0,1)$ denotes the open unit ball in the Euclidean norm. In particular, $\lambda_1(L) = \min\{\|v\| : v \in L, v \ne 0\}$ is the length of the shortest non-zero lattice vector.

Covering Radius. The covering radius of a lattice $L$ is $\rho(L) = \max_{t \in \mathbb{R}^n}\min_{v \in L}\|v - t\|$.

Gram-Schmidt Orthogonalization. Let $b_1, \dots, b_n \in \mathbb{R}^n$ be linearly independent vectors and let $\pi_i$ denote the projection onto the orthogonal complement of $\mathrm{span}(b_1, \dots, b_{i-1})$. The Gram-Schmidt orthogonalization (GSO) is the family $(\tilde b_1, \dots, \tilde b_n)$ defined by $\tilde b_1 = b_1$ and $\tilde b_i = \pi_i(b_i)$ for $i \ge 2$. Equivalently,
$$\tilde b_i = b_i - \sum_{j=1}^{i-1}\mu_{i,j}\tilde b_j, \qquad \mu_{i,j} = \frac{\langle b_i, \tilde b_j\rangle}{\|\tilde b_j\|^2}, \quad 1 \le j < i \le n.$$

Duality. Given a lattice $L = L(B)$, the dual lattice of $L$ is $L^* = \{w \in \mathrm{span}(L) : \langle w, v\rangle \in \mathbb{Z} \text{ for all } v \in L\}$. It is easy to verify that $(B^T)^{-1}$ is a basis of $L^*$; it is called the dual basis of $B$.

Lattice Problems. For computational purposes, it is usually assumed that all lattice vectors have integer entries, namely, the lattice basis is given by an integer matrix $B \in \mathbb{Z}^{n \times n}$. There are several important computational problems in lattice theory; we define them precisely as follows.

Definition 1 (Shortest Vector Problem ($\mathrm{SVP}_\gamma$)). Given a basis $B \in \mathbb{Z}^{n \times n}$ for a lattice $L = L(B)$, find a non-zero lattice vector $v \in L$ such that $\|v\| \le \gamma\lambda_1(L)$.

Definition 2 (Closest Vector Problem ($\mathrm{CVP}_\gamma$)). Given a basis $B \in \mathbb{Z}^{n \times n}$ for a lattice $L = L(B)$ and some vector $t \in \mathbb{R}^n$ (generally not in $L$), find a lattice vector $v \in L$ such that $\|v - t\| \le \gamma\,\mathrm{dist}(t, L)$, where $\mathrm{dist}(t, L) = \min_{u \in L}\|u - t\|$ denotes the distance between $t$ and $L$.

Definition 3 (Bounded Distance Decoding ($\mathrm{BDD}_\gamma$)). Given a basis $B \in \mathbb{Z}^{n \times n}$ for a lattice $L = L(B)$ and a target point $t \in \mathbb{R}^n$ such that $\mathrm{dist}(t, L) < \gamma\lambda_1(L)$, output a lattice vector $v \in L(B)$ such that $\|v - t\| = \mathrm{dist}(t, L)$.

Definition 4 (Shortest Independent Vectors Problem ($\mathrm{SIVP}_\gamma$)). Given a basis $B \in \mathbb{Z}^{n \times n}$ for a lattice $L = L(B)$, find $n$ linearly independent vectors $v_1, \dots, v_n \in L$ such that $\max_i\|v_i\| \le \gamma\lambda_n(L)$.

2.2 Useful Lemmas

In this subsection, we give some useful lemmas for our reductions. Since we study lattices from a computational point of view, we assume without loss of generality that lattices are represented by a basis with integer coordinates. By the definition of Gram-Schmidt orthogonalization, the following lemma bounds the bit size of the representation of any Gram-Schmidt vector.

Lemma 1 [15]. Let $b_1, \dots, b_n$ be a sequence of $n$ linearly independent vectors and $\tilde b_1, \dots, \tilde b_n$ its Gram-Schmidt orthogonalization. Then the representation of any vector $\tilde b_i$ as a vector of quotients of natural numbers takes at most $\mathrm{poly}(M)$ bits, where $M = \max\{n, \log\max_i\|b_i\|\}$.

Clearly, a set of $n$ linearly independent lattice vectors is not necessarily a lattice basis. The following lemma says that any full-rank set of lattice vectors can be efficiently converted into a basis of the lattice without increasing the lengths of the Gram-Schmidt vectors.

Lemma 2 [15]. There is a deterministic polynomial time algorithm $\mathrm{ConvertToBasis}(B, S)$ that, on input a lattice basis $B$ and linearly independent lattice vectors $S = \{s_1, \dots, s_n\} \subseteq L(B)$ with $\|s_1\| \le \|s_2\| \le \dots \le \|s_n\|$, outputs a basis $R$ equivalent to $B$ such that $\|r_k\| \le \max\{(\sqrt{k}/2)\|s_k\|, \|s_k\|\}$ for all $k = 1, \dots, n$. Moreover, the new basis satisfies $\mathrm{span}(r_1, \dots, r_k) = \mathrm{span}(s_1, \dots, s_k)$, and its Gram-Schmidt vectors satisfy $\|\tilde r_k\| \le \|\tilde s_k\|$ for all $k = 1, \dots, n$.

About the relationship between a lattice and its dual, we have the following two important results.
Lemma 3 shows that, in the appropriate order, the Gram-Schmidt vectors of the dual basis point in the same directions as the Gram-Schmidt vectors of the primal basis. Lemma 4 is well known as the transference theorem; it relates the successive minima of a lattice and of its dual.

Lemma 3 (see footnote 1). Let $b_1, \dots, b_n$ be a basis of $L$ and $\tilde b_1, \dots, \tilde b_n$ its Gram-Schmidt orthogonalization. Let $d_1, \dots, d_n$ be the dual basis of $b_1, \dots, b_n$ and let $\tilde d_n, \dots, \tilde d_1$ be its Gram-Schmidt orthogonalization in reverse order, that is, $\tilde d_n = d_n$ and
$$\tilde d_i = d_i - \sum_{j > i}\nu_{i,j}\tilde d_j, \qquad \nu_{i,j} = \frac{\langle d_i, \tilde d_j\rangle}{\langle \tilde d_j, \tilde d_j\rangle}, \quad 1 \le i < j \le n.$$
Then for all $1 \le i \le n$, $\tilde d_i = \tilde b_i / \|\tilde b_i\|^2$.

Lemma 4 [7]. For any $n$-dimensional lattice $L$, $\lambda_1(L)\lambda_n(L^*) \le n$.

In SODA 2000, Klein [16] proposed a randomized algorithm that finds the closest vector when the target vector is unusually close to the lattice. It is in fact a randomized version of Babai's algorithm [14]: it samples lattice points from a Gaussian-like distribution and returns the closest point among all the samples.

Lemma 5 [16]. There is a randomized algorithm $\mathrm{Klein}(B, t)$ that, given an $n$-dimensional lattice $L$ generated by basis vectors $b_1, \dots, b_n$ and a target $t \in \mathbb{R}^n$ at distance $D$ from $L$, finds the closest lattice vector to $t$ in time $n^{D^2/\min_i\|\tilde b_i\|^2}$, where $\tilde b_1, \dots, \tilde b_n$ are the Gram-Schmidt vectors of $b_1, \dots, b_n$.

3 Finding a Closest Lattice Vector When the Target Is Close to the Lattice

In this section, we study algorithms for the special CVP instance $\mathrm{BDD}_\gamma$ given an $\mathrm{SIVP}_\gamma$ oracle. We improve the known result with two different algorithms, one randomized and one deterministic. First, we review previous work.

Lemma 6 [8]. For any $\gamma \ge 1$, there is a polynomial time Cook reduction from $\mathrm{BDD}_{1/(2\gamma)}$ to $\mathrm{uSVP}_\gamma$.

Lemma 7 [17]. For any $\gamma \ge 1$, there is a probabilistic polynomial time reduction from $\mathrm{uSVP}_{\gamma n}$ to $\mathrm{SIVP}_\gamma$.

Combining the above two lemmas, we have the following result, which is also shown in [18].

Lemma 8. For any $\gamma \ge 1$, there is a probabilistic polynomial time reduction from $\mathrm{BDD}_{1/(2\gamma n)}$ to $\mathrm{SIVP}_\gamma$.

Combining Klein's algorithm [16] with the relationship between primal and dual lattices, we first improve Lemma 8 by a randomized reduction. Namely, we prove the following result.

Theorem 1. For any $\gamma \ge 1$ and any constant $c > 0$, there exists a randomized polynomial time reduction from $\mathrm{BDD}_{c/(\gamma n)}$ to $\mathrm{SIVP}_\gamma$.

Proof. Given an $\mathrm{SIVP}_\gamma$ oracle and any constant $c > 0$, we only need to show that Algorithm 1 outputs a lattice vector $v \in L$ such that $\|v - t\| = \mathrm{dist}(t, L)$ in $\mathrm{poly}(n)$ time. In step 2, for any $1 \le i \le n$, $\|\tilde s_i\| \le \|s_i\| \le \gamma\lambda_n(L^*)$. In step 3, by Lemma 2, the $n$ linearly independent vectors $s_1, \dots, s_n$ are converted into a basis $d_1, \dots, d_n$ of the dual lattice $L^*$ satisfying
$$\|d_i\| \le \max\Bigl\{\frac{\sqrt{i}}{2}\|s_i\|, \|s_i\|\Bigr\}, \qquad \|\tilde d_i\| \le \|\tilde s_i\|, \qquad 1 \le i \le n,$$
where $\tilde d_1, \dots, \tilde d_n$ and $\tilde s_1, \dots, \tilde s_n$ are the Gram-Schmidt vectors of $d_1, \dots, d_n$ and of $s_1, \dots, s_n$, respectively.

Algorithm 1. BDD Algorithm: $\mathrm{BDD}(B, t)$
Input: a lattice basis $B \in \mathbb{Z}^{n \times n}$, a target vector $t$ such that $\mathrm{dist}(t, L) < \frac{c}{\gamma n}\lambda_1(L)$, and an $\mathrm{SIVP}_\gamma$ oracle $\mathcal{O}$, where $1 \le \gamma \le \mathrm{poly}(n)$ and $c > 0$ is any constant.
Output: a lattice vector $v \in L$ such that $\mathrm{dist}(t, L) = \|v - t\|$.
1: Compute the dual basis of $B$: $W = (w_1, \dots, w_n) = (B^T)^{-1}$, which is a basis of $L^*$.
2: Invoke the $\mathrm{SIVP}_\gamma$ oracle on the lattice $L^*$, obtaining $S = (s_1, \dots, s_n) \leftarrow \mathrm{SIVP}_\gamma(L^*)$.
3: Compute a basis of $L^*$: $D = (d_1, \dots, d_n) \leftarrow \mathrm{ConvertToBasis}(W, S)$.
4: Compute a basis of the original lattice $L$: $R = (r_1, \dots, r_n) = (D^T)^{-1}$.
5: Return $v \leftarrow \mathrm{Klein}(R, t)$.

Let $\tilde r_n, \tilde r_{n-1}, \dots, \tilde r_1$ be the Gram-Schmidt orthogonalization of $r_1, r_2, \dots, r_n$ in reverse order. Then, by Lemma 3 and Lemma 4, for all $1 \le i \le n$,
$$\tilde r_i = \frac{\tilde d_i}{\|\tilde d_i\|^2} \quad\text{and}\quad \|\tilde r_i\| = \frac{1}{\|\tilde d_i\|} \ge \frac{1}{\|\tilde s_i\|} \ge \frac{1}{\gamma\lambda_n(L^*)} \ge \frac{\lambda_1(L)}{\gamma n}.$$
Combining this with Lemma 5, Klein's algorithm finds the closest lattice vector to $t$ in time $n^{D^2/\min_i\|\tilde r_i\|^2} = O(n^{c^2})$, since $D < \frac{c}{\gamma n}\lambda_1(L)$. $\square$

Furthermore, the above algorithm can be made deterministic.

(1) This lemma can be found in Regev's lecture notes "Dual Lattices" (regev/teaching/lattices_fall_2009/), April 2014.
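As an added worked example (this program is not code from the paper), the Python block below implements the dual-lattice rounding step that the deterministic reduction of Theorem 2 builds on: compute the dual basis $(B^T)^{-1}$ of $L^*$, take $n$ linearly independent dual vectors $s_i$, and recover $v \in L$ from the rounded inner products $\langle v, s_i\rangle = \lfloor\langle t, s_i\rangle\rceil$ (Algorithm 2, step 2). No $\mathrm{SIVP}_\gamma$ oracle is available here, so, as an assumption of the example, the dual basis itself plays the role of the oracle output $S$. The 3-dimensional basis, the lattice point and the two targets are constructed for the example. The first target lies inside the radius $1/(2\max_i\|s_i\|)$ within which the rounding argument applies and is decoded exactly; the second lies just outside that radius (though still within $\lambda_1(L)/2$, so its closest vector is unique) and rounding returns a lattice point farther from $t$ than the true closest vector, which is exactly why Algorithm 3 below enumerates the neighbouring hyperplanes for larger $c$.

```python
"""Dual-lattice rounding: recover v in L from <v, s_i> = round(<t, s_i>) for
n linearly independent dual vectors s_i (the step used by Algorithm 2).
Added example; basis and targets are constructed, not taken from the paper."""
from fractions import Fraction
import math


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def inverse(M):
    """Gauss-Jordan inverse over exact rationals; M must be square and non-singular."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def dual_basis(B):
    """Rows d_1..d_n of (B^T)^{-1}, i.e. <b_i, d_j> = 1 if i == j else 0: a basis of L*.
    B holds the primal basis vectors as rows."""
    Binv = inverse(B)
    n = len(B)
    return [[Binv[i][j] for i in range(n)] for j in range(n)]


def nearest_int(x):
    return math.floor(x + Fraction(1, 2))


def decoding_radius_sq(S):
    """Square of 1/(2 max_i ||s_i||): if ||t - v|| is below this radius then
    |<t - v, s_i>| < 1/2 for every i, so rounding recovers <v, s_i> exactly."""
    return Fraction(1, 4) / max(dot(s, s) for s in S)


def dual_round_decode(B, S, t):
    """Algorithm 2, step 2: solve <v, s_i> = round(<t, s_i>), 1 <= i <= n, for
    v = sum_j z_j b_j.  S is any set of n linearly independent vectors of L*
    (here the dual basis stands in for the SIVP oracle's output).
    Returns (v, z, in_lattice); in_lattice is False when the rounded system has
    no lattice solution, which can only happen outside the BDD promise."""
    n = len(B)
    G = [[dot(b, s) for b in B] for s in S]          # G[i][j] = <b_j, s_i>, integers
    rhs = [nearest_int(dot(t, s)) for s in S]
    Ginv = inverse(G)
    z = [sum(Ginv[i][j] * rhs[j] for j in range(n)) for i in range(n)]
    v = [sum(z[j] * B[j][k] for j in range(n)) for k in range(n)]
    return v, z, all(zi.denominator == 1 for zi in z)


# Constructed instance: a 3-dimensional integer basis (rows) with det 52 and lambda_1^2 = 10.
B_EX = [[3, 1, 0], [1, 4, 1], [0, 1, 5]]
V_EX = [5, -1, 4]                                    # = 2 b_1 - b_2 + b_3
F = Fraction
T_GOOD = [F(11, 2), F(-3, 2), F(9, 2)]               # V_EX + (1/2, -1/2, 1/2), ||e||^2 = 3/4
T_BAD = [F(32, 5), F(-7, 5), F(4)]                   # V_EX + (7/5, -2/5, 0),   ||e||^2 = 53/25

if __name__ == "__main__":
    S = dual_basis(B_EX)
    print("decoding radius^2 =", decoding_radius_sq(S))       # 676/387, about 1.75
    for t in (T_GOOD, T_BAD):
        v, z, ok = dual_round_decode(B_EX, S, t)
        err = [a - b for a, b in zip(t, v)]
        print(v, z, ok, "||t - v||^2 =", dot(err, err))
```

On this instance the decoding radius squared is $676/387 \approx 1.75$: the first target (error $3/4$) decodes to $(5, -1, 4)$ with coefficients $(2, -1, 1)$, while the second (error $53/25 \approx 2.12$) rounds the first dual coordinate up and returns $(8, 0, 4)$, which is at squared distance $113/25$ from $t$, farther than the true closest vector. Since the dual basis satisfies $\langle b_i, d_j\rangle = \delta_{ij}$, the rounding here coincides with Babai's round-off $B\lfloor B^{-1}t\rceil$; with a general oracle output $S$ the linear system is what the code actually solves.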
Theorem 2. For any $\gamma \ge 1$ and any constant $c > 0$, there exists a deterministic polynomial time reduction from $\mathrm{BDD}_{c/(\gamma n)}$ to $\mathrm{SIVP}_\gamma$.

Proof. We give our algorithm in two steps. First, we show how to reduce $\mathrm{BDD}_{1/(2\gamma n)}$ to $\mathrm{SIVP}_\gamma$, which is in fact a derandomization of Lemma 8. Second, for an arbitrary but finite constant $c > 1/2$ (for $c \le 1/2$ the first step already suffices), we give a self-reduction from $\mathrm{BDD}_{c/(\gamma n)}$ to $\mathrm{BDD}_{\sqrt{c^2 - 1/4}/(\gamma n)}$ using an $\mathrm{SIVP}_\gamma$ oracle.

Step 1. Reducing $\mathrm{BDD}_{1/(2\gamma n)}$ to $\mathrm{SIVP}_\gamma$. The reduction is Algorithm 2. Clearly, using Gaussian elimination, Algorithm 2 outputs a vector efficiently, so we only need to prove its correctness. Let $(L(B), t)$ be an instance of $\mathrm{BDD}_{1/(2\gamma n)}$ with $\mathrm{dist}(t, L) < \lambda_1(L)/(2\gamma n)$, and let $v \in L$ be a lattice vector with $\|t - v\| = \mathrm{dist}(t, L)$. For $1 \le i \le n$, since $\|s_i\| \le \gamma\lambda_n(L^*)$ and $\langle v, s_i\rangle \in \mathbb{Z}$, Lemma 4 gives
$$|\langle v, s_i\rangle - \langle t, s_i\rangle| = |\langle v - t, s_i\rangle| \le \|v - t\|\,\|s_i\| < \frac{\lambda_1(L)}{2\gamma n}\cdot\gamma\lambda_n(L^*) \le \frac{1}{2}.$$
Hence $\langle v, s_i\rangle \in (\langle t, s_i\rangle - 1/2, \langle t, s_i\rangle + 1/2)$. Since this interval contains at most one integer, $v$ satisfies the system of linear equations $\langle v, s_i\rangle = \lfloor\langle t, s_i\rangle\rceil$, $1 \le i \le n$, and since $s_1, \dots, s_n$ are linearly independent the system has $v$ as its unique solution.

Algorithm 2. $\mathrm{BDD}_{1/(2\gamma n)}(B, t)$
Input: a lattice basis $B \in \mathbb{Z}^{n \times n}$, a target vector $t$ such that $\mathrm{dist}(t, L) < \frac{1}{2\gamma n}\lambda_1(L)$, and an $\mathrm{SIVP}_\gamma$ oracle, where $1 \le \gamma \le \mathrm{poly}(n)$.
Output: a lattice vector $v \in L$ such that $\mathrm{dist}(t, L) = \|v - t\|$.
1: Invoke the $\mathrm{SIVP}_\gamma$ oracle on the lattice $L^*$, obtaining $S = (s_1, \dots, s_n) \leftarrow \mathrm{SIVP}_\gamma(L^*)$.
2: Solve the linear equations $\langle v, s_i\rangle = \lfloor\langle t, s_i\rangle\rceil$ for $1 \le i \le n$ and output $v$.

Step 2. Solving $\mathrm{BDD}_{c/(\gamma n)}$ instances using $\mathrm{BDD}_{\sqrt{c^2 - 1/4}/(\gamma n)}$ and $\mathrm{SIVP}_\gamma$ oracles. The algorithm is Algorithm 3. First we prove its correctness. Let $(L(B), t)$ be an instance of $\mathrm{BDD}_{c/(\gamma n)}$ with $\mathrm{dist}(t, L) < c\lambda_1(L)/(\gamma n)$, and let $v \in L$ satisfy $\|t - v\| = \mathrm{dist}(t, L)$. Invoking the $\mathrm{SIVP}_\gamma$ oracle on the dual lattice $L^*$ returns $n$ linearly independent vectors $\{s_1, \dots, s_n\} \subseteq L^*$ such that $\|s_i\| \le \gamma\lambda_n(L^*)$ and $\langle v, s_i\rangle \in \mathbb{Z}$ for $1 \le i \le n$. Then, for any $1 \le i \le n$,
$$|\langle v, s_i\rangle - \langle t, s_i\rangle| = |\langle v - t, s_i\rangle| \le \|v - t\|\,\|s_i\| < \frac{c\lambda_1(L)}{\gamma n}\cdot\gamma\lambda_n(L^*) \le c.$$
It follows that $\langle v, s_i\rangle \in (\langle t, s_i\rangle - c, \langle t, s_i\rangle + c)$. Since this interval contains at most $\lceil 2c\rceil$ integers, the integer $\langle v, s_i\rangle$ is one of these few adjacent integers. Each vector $s_i \in L^*$ ($1 \le i \le n$) partitions $L$ into the subsets $L \cap H_{i,j}$ ($j \in \mathbb{Z}$), where $H_{i,j}$ denotes the $(n-1)$-dimensional hyperplane $H_{i,j} = \{x \in \mathbb{R}^n : \langle x, s_i\rangle = j\}$. Clearly, the distance between two adjacent hyperplanes $H_{i,j}$ and $H_{i,j+1}$ is $1/\|s_i\|$. The above analysis shows that the closest vector $v$ lies on one of the $\lceil 2c\rceil$ hyperplanes adjacent to $t$ in each partition induced by $s_i$. We distinguish the following cases.

Algorithm 3. $\mathrm{BDD}_{c/(\gamma n)}(B, t)$
Input: a lattice basis $B \in \mathbb{Z}^{n \times n}$, some constant $c > 1/2$, a target vector $t$ such that $\mathrm{dist}(t, L) < \frac{c}{\gamma n}\lambda_1(L)$, a $\mathrm{BDD}_{\sqrt{c^2 - 1/4}/(\gamma n)}$ oracle and an $\mathrm{SIVP}_\gamma$ oracle, where $1 \le \gamma \le \mathrm{poly}(n)$.
Output: a lattice vector $v \in L$ such that $\mathrm{dist}(t, L) = \|v - t\|$.
1: Invoke the $\mathrm{SIVP}_\gamma$ oracle on the lattice $L^*$, obtaining $S = (s_1, \dots, s_n) \leftarrow \mathrm{SIVP}_\gamma(L^*)$.
2: Solve the linear equations $\langle v_0, s_i\rangle = \lfloor\langle t, s_i\rangle\rceil$ for $1 \le i \le n$ and record $v_0$.
3: for $i = 1, \dots, n$ do
4:   for $j = \lceil\langle t, s_i\rangle - c\rceil, \dots, \lfloor\langle t, s_i\rangle + c\rfloor$ do
5:     Compute a vector $w_{i,j} \in L \cap H_{i,j}$ (skip $j$ if $L \cap H_{i,j}$ is empty).
6:     Compute the projection $t_{i,j}$ of $t$ onto $H_{i,j}$.
7:     $L_{i,j} \leftarrow (L \cap H_{i,j}) - w_{i,j}$, $t_{i,j} \leftarrow t_{i,j} - w_{i,j}$.
8:     $v_{i,j} \leftarrow \mathrm{BDD}_{\sqrt{c^2 - 1/4}/(\gamma n)}(L_{i,j}, t_{i,j})$.
9:     $v_{i,j} \leftarrow v_{i,j} + w_{i,j}$.
10:   end for
11: end for
12: Output the point closest to $t$ among all the points $v_{i,j}$ and $v_0$.

Case 1. Suppose that $v$ lies on $H_{i, \lfloor\langle t, s_i\rangle\rceil}$ for every $1 \le i \le n$. Then solving the linear equations $\langle v, s_i\rangle = \lfloor\langle t, s_i\rangle\rceil$, $1 \le i \le n$, immediately recovers $v$ (this is $v_0$ of step 2).

Case 2. Suppose that $v$ lies on $H_{i,j}$ for some $1 \le i \le n$ and some $j \ne \lfloor\langle t, s_i\rangle\rceil$. Then $|\langle t, s_i\rangle - j| \ge 1/2$, and by Lemma 4 we obtain the following two bounds:
$$\|t - t_{i,j}\| = \frac{|\langle t, s_i\rangle - j|}{\|s_i\|} \ge \frac{1}{2\|s_i\|} \ge \frac{1}{2\gamma\lambda_n(L^*)} \ge \frac{\lambda_1(L)}{2\gamma n},$$
$$\mathrm{dist}(t_{i,j}, L_{i,j}) = \mathrm{dist}(t_{i,j}, L \cap H_{i,j}) = \bigl(\mathrm{dist}(t, L)^2 - \|t - t_{i,j}\|^2\bigr)^{1/2} < \Bigl(\frac{c^2\lambda_1(L)^2}{\gamma^2 n^2} - \frac{\lambda_1(L)^2}{4\gamma^2 n^2}\Bigr)^{1/2} = \frac{\sqrt{c^2 - 1/4}}{\gamma n}\lambda_1(L) \le \frac{\sqrt{c^2 - 1/4}}{\gamma n}\lambda_1(L_{i,j}).$$
It is easy to verify that $L_{i,j}$ is an $(n-1)$-dimensional sublattice of $L$ (a lattice translate of $L \cap H_{i,j}$, namely $\{x \in L : \langle x, s_i\rangle = 0\}$), so $\lambda_1(L_{i,j}) \ge \lambda_1(L)$. Therefore the recovery of $v$ is converted into the $\mathrm{BDD}_{\sqrt{c^2 - 1/4}/(\gamma n)}$ instance $(L_{i,j}, t_{i,j})$.

Now we analyze the efficiency of Algorithm 3. In step 2, the vector $v_0$ is found by Gaussian elimination. In step 5, the vector $w_{i,j}$ is found with the extended Euclidean algorithm applied to the integers $\langle b_1, s_i\rangle, \dots, \langle b_n, s_i\rangle$ (it exists exactly when their greatest common divisor divides $j$; otherwise $L \cap H_{i,j}$ is empty and that $j$ can be skipped). In step 7, Micciancio [13] gives an efficient deterministic algorithm to compute a basis of $L_{i,j}$. Therefore, invoking the $\mathrm{BDD}_{\sqrt{c^2 - 1/4}/(\gamma n)}$ oracle at most $\lceil 2c\rceil n$ times, we find a closest vector $v \in L$ to $t$ in deterministic polynomial time in $n$.

For an arbitrary but finite constant $c > 0$, given an $\mathrm{SIVP}_\gamma$ oracle, $\mathrm{BDD}_{c/(\gamma n)}$ is thus solved with $O(cn)$ calls to a $\mathrm{BDD}_{\sqrt{c^2 - 1/4}/(\gamma n)}$ oracle. Applying this recursively, $\mathrm{BDD}_{c/(\gamma n)}$ reduces to $\mathrm{BDD}_{\sqrt{c^2 - m/4}/(\gamma n)}$ after $m$ levels of recursion and $(\lceil 2c\rceil n)^m$ oracle calls. Choosing $m$ with $\sqrt{c^2 - m/4}/(\gamma n) \le 1/(2\gamma n)$, i.e., $m \ge 4c^2 - 1$, the innermost instances are handled by Algorithm 2. Hence, combining Algorithm 2 and Algorithm 3 and invoking the $\mathrm{SIVP}_\gamma$ oracle at most $(\lceil 2c\rceil n)^{\lceil 4c^2 - 1\rceil}$ times (a polynomial, since $c$ is a constant), we solve a $\mathrm{BDD}_{c/(\gamma n)}$ instance in deterministic polynomial time. $\square$

4 Approximating a Closest Lattice Vector When the Target Is Far from the Lattice

First, we review known results about the distance between a uniformly random target and a lattice.

Lemma 9 [19]. Given an $n$-dimensional lattice $L(B)$ and a vector $t$ chosen uniformly from $P(B)$,
$$\Pr_t\Bigl[\mathrm{dist}(t, L(B)) \ge \frac{\rho(L)}{2}\Bigr] \ge \frac{1}{2},$$
where $\rho(L)$ denotes the covering radius of $L$.

Lemma 10 [15]. For any $n$-dimensional lattice $L(B)$, $\frac{\lambda_n(L)}{2} \le \rho(L) \le \frac{\sqrt{n}}{2}\lambda_n(L)$.

By Lemma 9 and Lemma 10, for a uniformly chosen target vector $t$,
$$\Pr_t\Bigl[\mathrm{dist}(t, L(B)) \ge \frac{\lambda_n(L)}{4}\Bigr] \ge \Pr_t\Bigl[\mathrm{dist}(t, L(B)) \ge \frac{\rho(L)}{2}\Bigr] \ge \frac{1}{2}.$$

Now let $L = L(B)$ be a lattice and $t \in \mathbb{R}^n$ a target vector, and suppose we have in hand $n$ linearly independent lattice vectors $s_1, \dots, s_n \in L$ satisfying $\|s_i\| \le \gamma\lambda_n(L)$ for all $1 \le i \le n$ (for instance, the output of the $\mathrm{SIVP}_\gamma$ oracle).
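The program below is an added example, not the paper's code: Babai's nearest plane algorithm over exact rational arithmetic, together with the Gram-Schmidt error bound $\frac{1}{2}\bigl(\sum_i\|\tilde s_i\|^2\bigr)^{1/2}$ from [14] on which the argument that follows relies. The rows of the constructed basis stand in for the $n$ short independent vectors $s_1, \dots, s_n$ (an assumption of the example, since no oracle is available), and the target is constructed as well; the block checks the bound on that instance rather than proving it.

```python
"""Babai's nearest plane algorithm with the Gram-Schmidt error bound of Section 4.
Added example; the basis and target below are constructed, not from the paper."""
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(S):
    """Gram-Schmidt vectors s~_1..s~_n of the rows of S, as exact rationals."""
    gs = []
    for s in S:
        v = [Fraction(x) for x in s]
        for g in gs:
            mu = dot(s, g) / dot(g, g)
            v = [x - mu * y for x, y in zip(v, g)]
        gs.append(v)
    return gs


def nearest_plane(S, t):
    """Babai [14]: for i = n, ..., 1 move the residual onto the nearest translate of
    span(s_1..s_{i-1}) by subtracting a multiple of s_i.  Returns (v, e) with v in L(S),
    e = t - v, and |<e, s~_i>| <= ||s~_i||^2 / 2 for every i."""
    gs = gram_schmidt(S)
    e = [Fraction(x) for x in t]
    v = [Fraction(0)] * len(t)
    for s, g in zip(reversed(S), reversed(gs)):
        c = round(dot(e, g) / dot(g, g))
        e = [x - c * y for x, y in zip(e, s)]
        v = [x + c * y for x, y in zip(v, s)]
    return v, e


def error_bound_sq(S):
    """Square of (1/2) * sqrt(sum_i ||s~_i||^2), the worst-case ||t - v|| of nearest plane.
    With ||s_i|| <= gamma * lambda_n(L) this is at most (gamma^2 n / 4) * lambda_n(L)^2."""
    return sum(dot(g, g) for g in gram_schmidt(S)) / 4


# Constructed instance: rows are the n short independent vectors handed to the algorithm.
S_EX = [[3, 1, 0], [1, 4, 1], [0, 1, 5]]
T_EX = [Fraction(11, 2), Fraction(-3, 2), Fraction(9, 2)]

if __name__ == "__main__":
    v, e = nearest_plane(S_EX, T_EX)
    print("v =", v, " ||t - v||^2 =", dot(e, e))        # [5, -1, 4], 3/4
    print("bound^2 =", error_bound_sq(S_EX))            # 57301/5240, about 10.94
```

On this instance the Gram-Schmidt norms squared are $10$, $131/10$ and $2704/131$, so the bound squared is $57301/5240 \approx 10.9$, while the returned vector $(5, -1, 4)$ is at squared distance $3/4$ from $t$. The bound is what makes the algorithm useful for far targets: it depends only on the basis, not on $t$, so once $\mathrm{dist}(t, L)$ is comparable to $\lambda_n(L)$ the output is within a factor $O(\gamma\sqrt{n})$ of optimal.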
Then, computing their Gram-Schmidt vectors $\tilde s_1, \dots, \tilde s_n$ and using Babai's nearest plane algorithm [14], we find a vector $v \in L$ such that
$$\mathrm{dist}(v, t) \le \Bigl(\sum_{i=1}^n\frac{\|\tilde s_i\|^2}{4}\Bigr)^{1/2} \le \frac{\sqrt{n}}{2}\max_i\|\tilde s_i\| \le \frac{\sqrt{n}}{2}\max_i\|s_i\| \le \frac{\gamma\sqrt{n}}{2}\lambda_n(L).$$
If $\mathrm{dist}(t, L(B)) \ge \frac{\lambda_n(L)}{4}$, then using the $\mathrm{SIVP}_\gamma$ oracle we find $v \in L$ such that
$$\mathrm{dist}(v, t) \le \frac{\gamma\sqrt{n}}{2}\lambda_n(L) \le 2\gamma\sqrt{n}\,\mathrm{dist}(t, L).$$
In summary, the above analysis gives the following result.

Corollary 1. Given an $n$-dimensional lattice $L = L(B)$ and a target vector $t \in \mathbb{R}^n$, if $\mathrm{dist}(t, L) \ge \lambda_n(L)/4$, then $\mathrm{CVP}_{2\gamma\sqrt{n}}$ can be reduced to $\mathrm{SIVP}_\gamma$ in deterministic polynomial time. In particular, for a uniformly chosen target vector, the reduction algorithm is correct with probability not less than $1/2$.

Furthermore, if $1 < \gamma < 2$, we can get a better result using the lattice-embedding technique.

Theorem 3. Given an $n$-dimensional lattice $L = L(B)$ and a target vector $t \in \mathbb{R}^n$, for any real $k > \sqrt{3}/3$ and $1 < \gamma < \frac{2k}{\sqrt{1 + k^2}}$, if $\mathrm{dist}(t, L) = \min_{v \in L}\|v - t\| > \frac{\gamma}{2k}\lambda_n(L)$, then there exists a Cook reduction from $\mathrm{CVP}_{\sqrt{3}k(1 + 1/n)}$ to $\mathrm{SIVP}_\gamma$.

Proof. Let $\mu = \mathrm{dist}(t, L)$. Using Babai's nearest plane algorithm, we obtain a real $d$ satisfying $\mu \le d < 2^{n/2}\mu$, namely $\mu \in (d/2^{n/2}, d]$. Divide the interval $(d/2^{n/2}, d]$ into $\mathrm{poly}(n)$ small intervals
$$\Bigl(\frac{d}{2^{n/2}}\Bigl(1 + \frac{1}{n}\Bigr)^i, \frac{d}{2^{n/2}}\Bigl(1 + \frac{1}{n}\Bigr)^{i+1}\Bigr].$$
For each $i_0 = 0, \dots, \lceil n/(2\log_2(1 + 1/n))\rceil$, guess $\mu \in \bigl(\frac{d}{2^{n/2}}(1 + \frac{1}{n})^{i_0}, \frac{d}{2^{n/2}}(1 + \frac{1}{n})^{i_0 + 1}\bigr]$. Let $\mu_0 = \frac{d}{2^{n/2}}(1 + \frac{1}{n})^{i_0 + 1}$; then $\mu \le \mu_0 < \mu(1 + \frac{1}{n})$. Let
$$B' = \begin{pmatrix} B & t \\ 0 & k\mu_0\end{pmatrix} = \begin{pmatrix} b_1 & \cdots & b_n & t \\ 0 & \cdots & 0 & k\mu_0\end{pmatrix} = (d_1, \dots, d_n, d_{n+1}).$$
The reduction algorithm is Algorithm 4.

Algorithm 4. Lattice-Embedding$(B, t)$
Input: a lattice basis $B \in \mathbb{Z}^{n \times n}$, parameters $k > \sqrt{3}/3$, $\mu_0$ and $1 < \gamma < \frac{2k}{\sqrt{1 + k^2}}$, and an $\mathrm{SIVP}_\gamma$ oracle.
Output: a lattice vector $v \in L$.
1: Construct the new lattice $L' = L(B')$.
2: Invoke the $\mathrm{SIVP}_\gamma$ oracle on $L'$: $(v_1, v_2, \dots, v_{n+1}) \leftarrow \mathrm{SIVP}_\gamma(L')$.
3: Express each $v_i = \sum_{j=1}^{n+1} z_{ij}d_j$.
4: Pick an index $i_0$ with $z_{i_0, n+1} \ne 0$ and return $v = -z_{i_0, n+1}\sum_{j=1}^n z_{i_0, j}b_j$ (the sign makes the output close to $t$ rather than to $-t$).

We now prove the correctness of the algorithm in two cases. Note that in step 4 the index $i_0$ exists: the $v_i$ are $n + 1$ linearly independent vectors, each an integer combination of $d_1, \dots, d_{n+1}$, so at least one of them has a non-zero coefficient on $d_{n+1}$. Without loss of generality (replacing $v_{n+1}$ by $-v_{n+1}$ if necessary), assume
$$v_{n+1} = \sum_{i=1}^n z_i d_i + z_{n+1}d_{n+1} = \Bigl(\sum_{i=1}^n z_i b_i + z_{n+1}t,\; z_{n+1}k\mu_0\Bigr), \qquad z_{n+1} > 0.$$

Case 1: $\lambda_{n+1}(L') \le \sqrt{\mu^2 + (k\mu_0)^2}$. We show that $z_{n+1} = 1$. If $z_{n+1} \ge 2$, then $\|v_{n+1}\|^2 \ge (2k\mu_0)^2$. On the other hand, by step 2,
$$\|v_{n+1}\|^2 = \Bigl\|\sum_{i=1}^n z_i b_i + z_{n+1}t\Bigr\|^2 + (z_{n+1}k\mu_0)^2 \le \gamma^2\lambda_{n+1}(L')^2 \le \gamma^2\bigl(\mu^2 + (k\mu_0)^2\bigr),$$
which implies
$$(2k\mu_0)^2 \le \gamma^2\bigl(\mu_0^2 + (k\mu_0)^2\bigr) \;\Longrightarrow\; 4k^2 \le \gamma^2(1 + k^2) \;\Longrightarrow\; \gamma \ge \frac{2k}{\sqrt{1 + k^2}}.$$
This contradicts the condition of Theorem 3. Therefore $z_{n+1} = 1$. Let $v = \sum_{i=1}^n z_i b_i$. Then
$$\|v + t\|^2 = \|v_{n+1}\|^2 - (z_{n+1}k\mu_0)^2 \le \gamma^2\mu^2 + (\gamma^2 - 1)(k\mu_0)^2 \le \bigl(\gamma^2(1 + k^2) - k^2\bigr)\mu_0^2 < 3k^2\mu_0^2,$$
so $\|v + t\| < \sqrt{3}k\mu_0 \le \sqrt{3}k(1 + \frac{1}{n})\mu$.

Case 2: $\lambda_{n+1}(L') > \sqrt{\mu^2 + (k\mu_0)^2}$. In this case, by the definitions of $\lambda_{n+1}(L')$ and $\lambda_n(L)$, we have $\sqrt{\mu^2 + (k\mu_0)^2} < \lambda_{n+1}(L') \le \lambda_n(L)$: indeed, $L'$ contains $n$ linearly independent vectors of length at most $\lambda_n(L)$ (the vectors of $L$ with last coordinate $0$) together with the independent vector $(u - t, -k\mu_0)$ of length $\sqrt{\mu^2 + (k\mu_0)^2}$, where $u \in L$ is a closest vector to $t$. Similarly to Case 1, we show that $z_{n+1} = 1$. If $z_{n+1} \ge 2$, then $\|v_{n+1}\|^2 \ge (2k\mu_0)^2$, while by step 2
$$\|v_{n+1}\|^2 = \Bigl\|\sum_{i=1}^n z_i b_i + z_{n+1}t\Bigr\|^2 + (z_{n+1}k\mu_0)^2 \le \gamma^2\lambda_{n+1}(L')^2 \le \gamma^2\lambda_n(L)^2.$$
Hence
$$(2k\mu_0)^2 \le \gamma^2\lambda_n(L)^2 \;\Longrightarrow\; \mu_0 \le \frac{\gamma}{2k}\lambda_n(L) \;\Longrightarrow\; \mu \le \frac{\gamma}{2k}\lambda_n(L),$$
which contradicts the condition of Theorem 3. Therefore $z_{n+1} = 1$. Let $v = \sum_{i=1}^n z_i b_i$. Using $\lambda_n(L) < \frac{2k}{\gamma}\mu$ and $\mu \le \mu_0$,
$$\|v + t\|^2 = \|v_{n+1}\|^2 - (z_{n+1}k\mu_0)^2 \le \gamma^2\lambda_n(L)^2 - (k\mu_0)^2 < 4k^2\mu^2 - k^2\mu_0^2 \le 4k^2\mu^2 - k^2\mu^2 = 3k^2\mu^2,$$
so $\|v + t\| < \sqrt{3}k\mu$.

In both cases $-v$, which is the output of Algorithm 4, is within distance $\sqrt{3}k(1 + \frac{1}{n})\mu$ of $t$. Combining the two cases completes the proof of Theorem 3. $\square$

Remark 1. Taking $k = 2\gamma$ in Theorem 3, we immediately obtain that if $\mathrm{dist}(t, L) > \frac{1}{4}\lambda_n(L)$, then $\mathrm{CVP}_{2\sqrt{3}\gamma(1 + 1/n)}$ can be reduced to $\mathrm{SIVP}_\gamma$ for $1 < \gamma < \sqrt{15}/2$. This reduction factor for CVP is much better than the factor $2\gamma\sqrt{n}$ of Corollary 1 for $n \ge 5$. If instead we fix the reduction factor, letting $2\gamma\sqrt{n} = \sqrt{3}k(1 + 1/n)$, then
$$\frac{\gamma}{2k} = \frac{\sqrt{3}(1 + 1/n)}{4\sqrt{n}} < \frac{1}{4} \quad\text{for } n \ge 5,$$
and the condition $1 < \gamma < \frac{2k}{\sqrt{1 + k^2}}$ becomes $1 < \gamma < \sqrt{\frac{16n - 3(1 + 1/n)^2}{4n}}$. This implies that for $n \ge 5$ and $1 < \gamma < \sqrt{(16n - 3(1 + 1/n)^2)/(4n)}$, the reduction in Theorem 3 is valid for many more target vectors than that in Corollary 1.

5 Conclusions

Motivated by the open problem presented by Micciancio in SODA 2008, this paper studied the relationships between CVP and SIVP. Given a lattice and some target vector, intuitively the hardness differs as the distance between the target vector and the lattice varies. Along this line, we gave some preliminary results about the relations between SIVP and some special CVP instances, which may be helpful for a full and final solution of the open problem. Solving this problem would have a great impact on computational complexity theory and on the security of lattice-based cryptosystems, and it is the direction of our future work.

References

[1] Goldreich O, Micciancio D, Safra S, Seifert J P. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Information Processing Letters, 1999, 71(2).
[2] Dinur I, Kindler G, Raz R, Safra S. Approximating CVP to within almost-polynomial factors is NP-hard. Combinatorica, 2003, 23(2).
[3] Haviv I, Regev O. Tensor-based hardness of the shortest vector problem to within almost polynomial factors. In Proc. the 39th Annual ACM Symp. Theory of Computing, June 2007.
[4] Kannan R. Minkowski's convex body theorem and integer programming. Mathematics of Operations Research, 1987, 12(3).
[5] Ajtai M, Kumar R, Sivakumar D. Sampling short lattice vectors and the closest lattice vector problem. In Proc. the 17th IEEE Annual Conf. Computational Complexity, May 2002.
[6] Kannan R. Algorithmic geometry of numbers. Annual Review of Computer Science, 1987, 2.
[7] Banaszczyk W. New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen, 1993, 296(1).
[8] Lyubashevsky V, Micciancio D. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In Lecture Notes in Computer Science 5677, Halevi S (ed.), Springer Berlin Heidelberg, 2009.
[9] Dubey C, Holenstein T. Approximating the closest vector problem using an approximate shortest vector oracle. In Lecture Notes in Computer Science 6845, Goldberg L A, Jansen K, Ravi R, Rolim J D P (eds.), Springer Berlin Heidelberg, 2011.
[10] Ajtai M. Generating hard instances of lattice problems (extended abstract). In Proc. the 28th Annual ACM Symp. Theory of Computing, May 1996.
[11] Regev O. On lattices, learning with errors, random linear codes, and cryptography. In Proc. the 37th Annual ACM Symp. Theory of Computing, May 2005.
[12] Blömer J, Seifert J P. On the complexity of computing short linearly independent vectors and short bases in a lattice. In Proc. the 31st Annual ACM Symp. Theory of Computing, May 1999.
[13] Micciancio D. Efficient reductions among lattice problems. In Proc. the 19th Annual ACM-SIAM Symp. Discrete Algorithms, January 2008.
[14] Babai L. On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica, 1986, 6(1).
[15] Micciancio D, Goldwasser S. Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Publishers, 2002.
[16] Klein P. Finding the closest lattice vector when it's unusually close. In Proc. the 11th Annual ACM-SIAM Symp. Discrete Algorithms, January 2000.
[17] Cai J. A new transference theorem in the geometry of numbers and new bounds for Ajtai's connection factor. Discrete Applied Mathematics, 2003, 126(1).
[18] Micciancio D. The geometry of lattice cryptography. In Lecture Notes in Computer Science 6858, Aldini A, Gorrieri R (eds.), Springer Berlin Heidelberg, 2011.
[19] Guruswami V, Micciancio D, Regev O. The complexity of the covering radius problem. Computational Complexity, 2005, 14(2).

Cheng-Liang Tian received his B.S. and M.S. degrees in mathematics from Northwest University, Xi'an, in 2006 and 2009 respectively, and his Ph.D. degree in information security from Shandong University, Jinan, in 2013. He is a post-doctoral researcher in the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing. His research interest is lattice-based cryptography.

Wei Wei received her B.S. degree in mathematics from Shandong University, Jinan, in 2008. She is currently a Ph.D. candidate at Tsinghua University, Beijing. Her current research interest is lattice-based cryptography.

Dong-Dai Lin received his B.S. degree in mathematics from Shandong University, Jinan, and his M.S. and Ph.D. degrees in fundamental mathematics from the Institute of Systems Science, Chinese Academy of Sciences, Beijing. He is now the director of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences. His research interests include cryptology, security protocols, symbolic computation and software development, and he is currently working on multivariate public key cryptography, sequences and stream ciphers, zero knowledge proofs, and network-based cryptographic computation.
More informationLocally Dense Codes. Daniele Micciancio. August 26, 2013
Electronic Colloquium on Computational Complexity, Report No. 115 (2013) Locally Dense Codes Daniele Micciancio August 26, 2013 Abstract The Minimum Distance Problem (MDP), i.e., the computational task
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationLecture 7 Limits on inapproximability
Tel Aviv University, Fall 004 Lattices in Computer Science Lecture 7 Limits on inapproximability Lecturer: Oded Regev Scribe: Michael Khanevsky Let us recall the promise problem GapCVP γ. DEFINITION 1
More informationUpper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China
Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky and Daniele Micciancio May 9, 009 Abstract We prove the equivalence, up to a small polynomial
More informationA Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors
A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors Dan Ding 1, Guizhen Zhu 2, Yang Yu 1, Zhongxiang Zheng 1 1 Department of Computer Science
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More informationCSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Winter 2016 The dual lattice Instructor: Daniele Micciancio UCSD CSE 1 Dual Lattice and Dual Basis Definition 1 The dual of a lattice Λ is the set ˆΛ of all
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationCSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Minkowski s theorem Instructor: Daniele Micciancio UCSD CSE There are many important quantities associated to a lattice. Some of them, like the
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationSolving the Shortest Lattice Vector Problem in Time n
Solving the Shortest Lattice Vector Problem in Time.465n Xavier Pujol 1 and Damien Stehlé 1 Université de Lyon, Laboratoire LIP, CNRS-ENSL-INRIA-UCBL, 46 Allée d Italie, 69364 Lyon Cedex 07, France CNRS,
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationCOMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective
COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio
More information1: Introduction to Lattices
CSE 206A: Lattice Algorithms and Applications Winter 2012 Instructor: Daniele Micciancio 1: Introduction to Lattices UCSD CSE Lattices are regular arrangements of points in Euclidean space. The simplest
More informationCSC 2414 Lattices in Computer Science October 11, Lecture 5
CSC 244 Lattices in Computer Science October, 2 Lecture 5 Lecturer: Vinod Vaikuntanathan Scribe: Joel Oren In the last class, we studied methods for (approximately) solving the following two problems:
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationNew Lattice Based Cryptographic Constructions
New Lattice Based Cryptographic Constructions Oded Regev August 7, 2004 Abstract We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop
More informationTensor-based Hardness of the Shortest Vector Problem to within Almost Polynomial Factors
Tensor-based Hardness of the Shortest Vector Problem to within Almost Polynomial Factors Ishay Haviv Oded Regev March 2, 2007 Abstract We show that unless NP RTIME(2 poly(log n) ), for any ε > 0 there
More information1 Shortest Vector Problem
Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationThe Euclidean Distortion of Flat Tori
The Euclidean Distortion of Flat Tori Ishay Haviv Oded Regev June 0, 010 Abstract We show that for every n-dimensional lattice L the torus R n /L can be embedded with distortion O(n log n) into a Hilbert
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationSolving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems
Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems Thijs Laarhoven Joop van de Pol Benne de Weger September 10, 2012 Abstract This paper is a tutorial introduction to the present
More informationOn Approximating the Covering Radius and Finding Dense Lattice Subspaces
On Approximating the Covering Radius and Finding Dense Lattice Subspaces Daniel Dadush Centrum Wiskunde & Informatica (CWI) ICERM April 2018 Outline 1. Integer Programming and the Kannan-Lovász (KL) Conjecture.
More informationFrom the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem
From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection
More informationLattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption
Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption Boaz Barak May 12, 2008 The first two sections are based on Oded Regev s lecture notes, and the third one on
More informationLattice-based Cryptography
Lattice-based Cryptography Oded Regev Tel Aviv University, Israel Abstract. We describe some of the recent progress on lattice-based cryptography, starting from the seminal work of Ajtai, and ending with
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationLower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices
Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices Jingguo Bi 1 and Qi Cheng 2 1 Lab of Cryptographic Technology and Information Security School of Mathematics
More informationLattice Basis Reduction Part 1: Concepts
Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25, 2011, revised February 2012
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationDensity of Ideal Lattices
Density of Ideal Lattices - Preliminary Draft - Johannes Buchmann and Richard Lindner Technische Universität Darmstadt, Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany buchmann,rlindner@cdc.informatik.tu-darmstadt.de
More informationSolving BDD by Enumeration: An Update
Solving BDD by Enumeration: An Update Mingjie Liu, Phong Q. Nguyen To cite this version: Mingjie Liu, Phong Q. Nguyen. Solving BDD by Enumeration: An Update. Ed Dawson. CT-RSA 2013 - The Cryptographers
More informationNote on shortest and nearest lattice vectors
Note on shortest and nearest lattice vectors Martin Henk Fachbereich Mathematik, Sekr. 6-1 Technische Universität Berlin Straße des 17. Juni 136 D-10623 Berlin Germany henk@math.tu-berlin.de We show that
More informationFundamental Domains, Lattice Density, and Minkowski Theorems
New York University, Fall 2013 Lattices, Convexity & Algorithms Lecture 3 Fundamental Domains, Lattice Density, and Minkowski Theorems Lecturers: D. Dadush, O. Regev Scribe: D. Dadush 1 Fundamental Parallelepiped
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationComputational complexity of lattice problems and cyclic lattices
Computational complexity of lattice problems and cyclic lattices Lenny Fukshansky Claremont McKenna College Undergraduate Summer Research Program ICERM - Brown University July 28, 2014 Euclidean lattices
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationLimits on the Hardness of Lattice Problems in l p Norms
Electronic Colloquium on Computational Complexity, Report No. 148 (2006) Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert December 3, 2006 Abstract We show that for any p 2, lattice
More informationProving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationDeterministic Approximation Algorithms for the Nearest Codeword Problem
Deterministic Approximation Algorithms for the Nearest Codeword Problem Noga Alon 1,, Rina Panigrahy 2, and Sergey Yekhanin 3 1 Tel Aviv University, Institute for Advanced Study, Microsoft Israel nogaa@tau.ac.il
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationA Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 14 (2010) A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations Daniele
More informationImproved Analysis of Kannan s Shortest Lattice Vector Algorithm
mproved Analysis of Kannan s Shortest Lattice Vector Algorithm Abstract The security of lattice-based cryptosystems such as NTRU GGH and Ajtai-Dwork essentially relies upon the intractability of computing
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationLattice Reduction Algorithms: Theory and Practice
Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction
More informationLimits on the Hardness of Lattice Problems in l p Norms
Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert Abstract Several recent papers have established limits on the computational difficulty of lattice problems, focusing primarily on the
More informationInteger Least Squares: Sphere Decoding and the LLL Algorithm
Integer Least Squares: Sphere Decoding and the LLL Algorithm Sanzheng Qiao Department of Computing and Software McMaster University 28 Main St. West Hamilton Ontario L8S 4L7 Canada. ABSTRACT This paper
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationNew Cryptosystem Using The CRT And The Jordan Normal Form
New Cryptosystem Using The CRT And The Jordan Normal Form Hemlata Nagesh 1 and Birendra Kumar Sharma 2 School of Studies in Mathematics,Pt.Ravishankar Shukla University Raipur(C.G.). E-mail:5Hemlata5@gmail.com
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationSolving the Closest Vector Problem in 2 n Time The Discrete Gaussian Strikes Again!
Solving the Closest Vector Problem in n Time The Discrete Gaussian Strikes Again! Divesh Aggarwal Divesh.Aggarwal@epfl.ch Daniel Dadush dadush@cwi.nl Noah Stephens-Davidowitz noahsd@cs.nyu.edu Abstract
More informationInapproximability Results for the Closest Vector Problem with Preprocessing over l Norm
Electronic Colloquium on Computational Complexity, Report No. 52 (2006) Inapproximability Results for the Closest Vector Problem with Preprocessing over l Norm Wenbin Chen Jiangtao Meng Abstract We show
More informationThe Shortest Vector Problem (Lattice Reduction Algorithms)
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm
More informationarxiv: v1 [cs.ds] 2 Nov 2013
On the Lattice Isomorphism Problem Ishay Haviv Oded Regev arxiv:1311.0366v1 [cs.ds] 2 Nov 2013 Abstract We study the Lattice Isomorphism Problem (LIP), in which given two lattices L 1 and L 2 the goal
More informationsatisfying ( i ; j ) = ij Here ij = if i = j and 0 otherwise The idea to use lattices is the following Suppose we are given a lattice L and a point ~x
Dual Vectors and Lower Bounds for the Nearest Lattice Point Problem Johan Hastad* MIT Abstract: We prove that given a point ~z outside a given lattice L then there is a dual vector which gives a fairly
More informationAlgorithmic Problems for Metrics on Permutation Groups
Algorithmic Problems for Metrics on Permutation Groups V. Arvind and Pushkar S. Joglekar Institute of Mathematical Sciences C.I.T Campus,Chennai 600 113, India {arvind,pushkar}@imsc.res.in Abstract. Given
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationLower Bounds of Shortest Vector Lengths in Random NTRU Lattices
Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices Jingguo Bi 1,2 and Qi Cheng 2 1 School of Mathematics Shandong University Jinan, 250100, P.R. China. Email: jguobi@mail.sdu.edu.cn 2 School
More informationPrimitive Sets of a Lattice and a Generalization of Euclidean Algorithm
Primitive Sets of a Lattice and a Generalization of Euclidean Algorithm Spyros. S. Magliveras Center for Cryptology and Information Security Department of Mathematical Sciences Florida Atlantic University
More informationAn Efficient Lattice-based Secret Sharing Construction
An Efficient Lattice-based Secret Sharing Construction Rachid El Bansarkhani 1 and Mohammed Meziani 2 1 Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraße
More informationA CVP-BASED LATTICE SIGNATURE SCHEME FOR NETWORK CODING
International Journal of Innovative Computing, Information and Control ICIC International c 2014 ISSN 1349-4198 Volume 10, Number 1, February 2014 pp. 317 327 A CVP-BASED LATTICE SIGNATURE SCHEME FOR NETWORK
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationLattice Reduction for Modular Knapsack
Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem IMI Cryptography Seminar 28 th June, 2016 Speaker* : Momonari Kuo Grauate School of Mathematics, Kyushu University * This work is a
More informationLattice Basis Reduction and the LLL Algorithm
Lattice Basis Reduction and the LLL Algorithm Curtis Bright May 21, 2009 1 2 Point Lattices A point lattice is a discrete additive subgroup of R n. A basis for a lattice L R n is a set of linearly independent
More informationInteger Factorization using lattices
Integer Factorization using lattices Antonio Vera INRIA Nancy/CARAMEL team/anr CADO/ANR LAREDA Workshop Lattice Algorithmics - CIRM - February 2010 Plan Introduction Plan Introduction Outline of the algorithm
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationReduction of Smith Normal Form Transformation Matrices
Reduction of Smith Normal Form Transformation Matrices G. Jäger, Kiel Abstract Smith normal form computations are important in group theory, module theory and number theory. We consider the transformation
More informationApproximating-CVP to within Almost-Polynomial Factors is NP-Hard
Approximating-CVP to within Almost-Polynomial Factors is NP-Hard I Dinur Tel-Aviv University dinur@mathtauacil G Kindler Tel-Aviv University puzne@mathtauacil S Safra Tel-Aviv University Abstract This
More informationPrimitive sets in a lattice
Primitive sets in a lattice Spyros. S. Magliveras Department of Mathematical Sciences Florida Atlantic University Boca Raton, FL 33431, U.S.A spyros@fau.unl.edu Tran van Trung Institute for Experimental
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationSolving LWE problem with bounded errors in polynomial time
Solving LWE problem with bounded errors in polynomial time Jintai Ding, Southern Chinese University of Technology, University of Cincinnati, ding@mathucedu Abstract In this paper, we present a new algorithm,
More informationOn Nearly Orthogonal Lattice Bases and Random Lattices
On Nearly Orthogonal Lattice Bases and Random Lattices Ramesh Neelamani, Sanjeeb Dash, and Richard G. Baraniuk September 18, 2006 Abstract We study lattice bases where the angle between any basis vector
More informationA Note on the Distribution of the Distance from a Lattice
Discrete Comput Geom (009) 4: 6 76 DOI 0007/s00454-008-93-5 A Note on the Distribution of the Distance from a Lattice Ishay Haviv Vadim Lyubashevsky Oded Regev Received: 30 March 007 / Revised: 30 May
More informationBranching proofs of infeasibility in low density subset sum problems
Branching proofs of infeasibility in low density subset sum problems Gábor Pataki and Mustafa Tural We prove that the subset sum problem Abstract ax = β x {0, 1} n (SUB) has a polynomial time computable
More informationLimits on the Hardness of Lattice Problems in l p Norms
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 148 (2006) Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert 15 February, 2007 Abstract We show that several
More informationImproved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem
Improved Nguyen-Vidick Heuristic Sieve Algorithm for Shortest Vector Problem Xiaoyun Wang,, Mingjie Liu, Chengliang Tian and Jingguo Bi Institute for Advanced Study, Tsinghua University, Beijing 84, China
More informationLattice reduction for modular knapsack
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Lattice reduction for modular knapsack Thomas
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationImproved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract)
Improved Analysis of Kannan s Shortest Lattice Vector Algorithm (Extended Abstract) Guillaume Hanrot 1 and Damien Stehlé 2 1 LORIA/INRIA Lorraine, Technopôle de Nancy-Brabois, 615 rue du jardin botanique,
More informationLattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018
Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform
More information