Hard Instances of Lattice Problems

Transcription

1 Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012

2 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection

3 Abstract Christos Litsas (NTUA) Average Case - Worst Case Connections 3/31

4 Hard Problems Already Exist All Time Classic Hard Problems NP-Complete problems Factorization Discrete Logarithm reduces to average case: log g2 t = (log g1 g 2 )(log g1 t) 1 Christos Litsas (NTUA) Average Case - Worst Case Connections 4/31

5 Hard Problems Already Exist All Time Classic Hard Problems NP-Complete problems Factorization Discrete Logarithm reduces to average case: log g2 t = (log g1 g 2 )(log g1 t) 1 Worst-Case Hardness Those problems are hard only under certain distributions. Often it is not clear how to find such a distribution. Christos Litsas (NTUA) Average Case - Worst Case Connections 4/31

6 One Step Further Worst-Case Vs. Average-Case Hardness A random class of lattices so that if the SVP is easy to solve then the above problems are easy in every lattice. Christos Litsas (NTUA) Average Case - Worst Case Connections 5/31

7 Lattices Christos Litsas (NTUA) Average Case - Worst Case Connections 6/31

8 Lattice Definition Definition Let B R m n, we consider the set L = {y : y = B x x Z 1 n }, that is the set of all integer linear combinations of B. We call every L with the above properties a lattice. Christos Litsas (NTUA) Average Case - Worst Case Connections 7/31

9 Lattices Figure: An example of a lattice and its basis. Christos Litsas (NTUA) Average Case - Worst Case Connections 8/31

10 Lattices Figure: A lattice has more than one bases. Christos Litsas (NTUA) Average Case - Worst Case Connections 9/31

11 Properties Multiplication by a unimodular matrix produces a new basis. Christos Litsas (NTUA) Average Case - Worst Case Connections 10/31

12 Properties Multiplication by a unimodular matrix produces a new basis. Infinite (countable) different bases. Christos Litsas (NTUA) Average Case - Worst Case Connections 10/31

13 Properties Multiplication by a unimodular matrix produces a new basis. Infinite (countable) different bases. The only part of a lattice that is known is the place where the basis vectors lie. Christos Litsas (NTUA) Average Case - Worst Case Connections 10/31

14 Fundamental Parallelepiped Definition Let L be a lattice, and let a basis for L is B = [b 1,..., b n ], b i are the column vectors of B, then we define the set n P(B) = {y : y = x i b i, x i [ 1 2, 1 )}. We call P(B) the 2 i=0 fundamental parallelepiped of L with respect to the basis B. Christos Litsas (NTUA) Average Case - Worst Case Connections 11/31

15 Mathematical Tools Equivalence relation, mod B. Christos Litsas (NTUA) Average Case - Worst Case Connections 12/31

16 Mathematical Tools Equivalence relation, mod B. Efficiently computable distinguished representatives as t B B 1 t. Christos Litsas (NTUA) Average Case - Worst Case Connections 12/31

17 Mathematical Tools Equivalence relation, mod B. Efficiently computable distinguished representatives as t B B 1 t. Partition of the space R n by multiplies of fundamental parallelepiped. Christos Litsas (NTUA) Average Case - Worst Case Connections 12/31

18 Lattice Problems & Solutions Classic Hard Problems P1 approximate SVP P2 approximate unique SVP P3 approximate SIVP (find a basis) Christos Litsas (NTUA) Average Case - Worst Case Connections 13/31

19 Lattice Problems & Solutions Classic Hard Problems P1 approximate SVP P2 approximate unique SVP P3 approximate SIVP (find a basis) Classic Algorithms and Bounds LLL Reduction Algorithm (2 n 1 2 sh(l) approximation). Babai s Nearest Plane Algorithm. Christos Litsas (NTUA) Average Case - Worst Case Connections 13/31

20 Lattice Problems & Solutions Classic Hard Problems P1 approximate SVP P2 approximate unique SVP P3 approximate SIVP (find a basis) Classic Algorithms and Bounds LLL Reduction Algorithm (2 n 1 2 sh(l) approximation). Babai s Nearest Plane Algorithm. Bounds Shor proved that in LLL the approximation factor can be replaced by (1 + ɛ) n. Minkowski (Convex Body Theorems) sh(l) c n det(l) 1 n Christos Litsas (NTUA) Average Case - Worst Case Connections 13/31

21 More on Lattices... Definition (Dual Lattice) Let L be a lattice, we define the dual lattice to be the set L = {y : x L x, y Z}. Christos Litsas (NTUA) Average Case - Worst Case Connections 14/31

22 More on Lattices... Definition (Dual Lattice) Let L be a lattice, we define the dual lattice to be the set L = {y : x L x, y Z}. Definition (Smoothing Parameter) For any n-dimensional lattice L and ɛ R +, we define its smoothing parameter η ɛ (L) to be the smallest s such that ρ 1/s (L \ {0}) ɛ. Christos Litsas (NTUA) Average Case - Worst Case Connections 14/31

23 Sampling Lemma For any s > 0, c R n and lattice L(B), the statistical distance between D s,c mod P(B) and the uniform distribution over P(B) is at most 1 2 ρ 1/s(L(B) \ {0}). In particular, for any ɛ > 0 and any s η ɛ (B), holds that (D s,c mod P(B), U(P(B))) ɛ/2 Christos Litsas (NTUA) Average Case - Worst Case Connections 15/31

24 The Random Class Christos Litsas (NTUA) Average Case - Worst Case Connections 16/31

25 Definition of L and Λ 1. L: q-ary lattice. 2. Λ: the perpendicular lattice of L. Christos Litsas (NTUA) Average Case - Worst Case Connections 17/31

26 Definition of L and Λ Symbols B = (u 1 : u 2 :... : u m ), u i Z n. Lattice: L(B, q) = {y : y = B x mod q, x Z 1 m } (L(B, q) Z n ). Perpendicular Lattice: Λ(B, q) = {y : y B 0 mod q} (Λ(B, q) Z n ). Parameters m = [c 1 n log n] q = [n c 2] Christos Litsas (NTUA) Average Case - Worst Case Connections 18/31

27 Our Goal Our Goal 1. Redefine the basis B so that if there is a PT algorithm that finds a shortest vector in Λ then it breaks P1, P2, P3 in any lattice. Christos Litsas (NTUA) Average Case - Worst Case Connections 19/31

28 First Step Substitute B by λ Define λ = (v 1,..., v m ), v i Z n q. Every v i is chosen independently and with uniform distribution from the set of all vectors in Z n q. Christos Litsas (NTUA) Average Case - Worst Case Connections 20/31

29 First Step Substitute B by λ Define λ = (v 1,..., v m ), v i Z n q. Every v i is chosen independently and with uniform distribution from the set of all vectors in Z n q. Simultaneous Diophantine Equations The problem of finding a SV in Λ(λ, q) is equivalent to solve a linear simultaneous Diophantine equation. Christos Litsas (NTUA) Average Case - Worst Case Connections 20/31

30 First Step Substitute B by λ Define λ = (v 1,..., v m ), v i Z n q. Every v i is chosen independently and with uniform distribution from the set of all vectors in Z n q. Simultaneous Diophantine Equations The problem of finding a SV in Λ(λ, q) is equivalent to solve a linear simultaneous Diophantine equation. Theorem (Dirichlet) If c 1 is sufficiently large with respect to c 2 then there is always a SV in Λ(λ, q) which is sorter than n. Christos Litsas (NTUA) Average Case - Worst Case Connections 20/31

31 Problem :-( Λ(λ, q) is Unknown to Everybody (Crypto Only) It seems that there is no way of constructing a shortest vector in Λ(λ, q). So we don t have a trapdoor! Christos Litsas (NTUA) Average Case - Worst Case Connections 21/31

32 Second Step Substitute λ by λ Define λ = (v 1,..., v m ), i {1,..., m 1}v i Z n q also v i is chosen independently and with uniform distribution from the set m 1 of all vectors in Z n q. We also define v m = δ i v i. Where δ i is i=1 a, randomly generated, sequence of 0 and 1 s. Christos Litsas (NTUA) Average Case - Worst Case Connections 22/31

33 Second Step Substitute λ by λ Define λ = (v 1,..., v m ), i {1,..., m 1}v i Z n q also v i is chosen independently and with uniform distribution from the set m 1 of all vectors in Z n q. We also define v m = δ i v i. Where δ i is i=1 a, randomly generated, sequence of 0 and 1 s. No Loss of Generality The distribution of λ is exponentially close to the uniform distribution. P(λ = x) 1 A 1, where A is the set of all 2cn x A possible values of λ. Christos Litsas (NTUA) Average Case - Worst Case Connections 22/31

34 Worst-Case - Average-Case Connection Christos Litsas (NTUA) Average Case - Worst Case Connections 23/31

35 Main Theorem Theorem There are absolute constants c 1, c 2, c 3 so that the following holds: Suppose that there is a PPT algorithm A which given a value of the random variable λ n,c1,c 2 as an input, with a probability of at least 1 2 outputs a nonzero vector of Λ(λ n,c 1,c 2, [n c 1]) of length at most n. Then, there is a PPT algorithm B with the following properties: If the linearly independent vectors a 1,..., a n Z n are given as an input then in polynomial time in size(a i ) gives the output 1 (d 1,..., d n ) so that with probability of greater than 1 2 size(a i ) (d 1,..., d n ) is a basis with max d i n c 3bl(L) Christos Litsas (NTUA) Average Case - Worst Case Connections 24/31

36 Main Tool for the Proof Easy Construction of a Basis There is a polynomial time algorithm that from a set of n linearly independent vectors r 1,..., r n L can construct a basis s 1,..., s n of L so that max s i n max r i Christos Litsas (NTUA) Average Case - Worst Case Connections 25/31

37 Main Tool for the Proof Easy Construction of a Basis There is a polynomial time algorithm that from a set of n linearly independent vectors r 1,..., r n L can construct a basis s 1,..., s n of L so that max s i n max r i Defining a new Goal Construct a set of n linearly independent vectors of L so that each of them is shorter than n c 3 1 bl(l). Christos Litsas (NTUA) Average Case - Worst Case Connections 25/31

38 Proof of Main Theorem Assume that we have the set of linearly independent vectors a 1,..., a n L. Let M = max a i Christos Litsas (NTUA) Average Case - Worst Case Connections 26/31

39 Proof of Main Theorem Assume that we have the set of linearly independent vectors a 1,..., a n L. Let M = max a i First Case (Trivial) If M n c 3 1 bl(l) we are done. Christos Litsas (NTUA) Average Case - Worst Case Connections 26/31

40 Proof of Main Theorem Assume that we have the set of linearly independent vectors a 1,..., a n L. Let M = max a i First Case (Trivial) If M n c 3 1 bl(l) we are done. Second Case (Hmmm...) If M > n c3 1 bl(l) we construct (?) a set of linearly independent vectors of b 1,..., b n L so that max b i M 2. Then we repeat the algorithm with input the set b 1,..., b n. After log 2 M 2 size(a i ) steps we get a set of linearly independent vectors where each of them is shorter than n c3 1 bl(l). Christos Litsas (NTUA) Average Case - Worst Case Connections 26/31

41 max b i M 2 1. Starting from the set a 1,..., a n L we construct a set of linearly independent vectors f 1,..., f n L so that max f i n 3 M and also the parallelepiped W = P(f 1,..., f n ) is very close to a cube. 2. We cut W into q n parallelepipeds each of the form ti q f i + 1 q W, where 0 t i < q is a sequence of integers. 3. We take a random sequence of lattice points ξ 1,..., ξ m, m = c 1 n log n from W. Let ξ j t (j) i q f i + 1 q W then we define v j = (t (j) 1,..., t(j) n ). 4. Apply A to the input λ = (v 1,..., v m ) and get a vector (h 1,..., h m ) Z n. 5. Then the vector h j (ξ j η j ) L and its length is at most M 2, where η j = t (j) i q f i. Christos Litsas (NTUA) Average Case - Worst Case Connections 27/31

42 References Christos Litsas (NTUA) Average Case - Worst Case Connections 28/31

43 References Miklos Ajtai (1996). Generating Hard Instances of Lattice Problems (Extended Abstract). STOC 96, pp Daniele Micciancio, Oded Regev (2005). Worst-case to Average-case Reductions based on Gaussian Measures. FOCS 04. Christos Litsas (NTUA) Average Case - Worst Case Connections 29/31

44 References Ravindran Kannan (1987). Algorithmic Geometry of Numbers. Annual Review of Comp. Sci, pp L. Babai (1986). On Lovasz lattice reduction and the nearest lattice point problem Proc. STACS 85, pp H.W. Lenstra, A.K. Lenstra, L. Lovasz (1982). Factoring polynomials with rational coefficients. Mathematische Annalen, pp Christos Litsas (NTUA) Average Case - Worst Case Connections 30/31

45 Thank you!!! Christos Litsas (NTUA) Average Case - Worst Case Connections 31/31