Solving the Shortest Lattice Vector Problem in Time n

Transcription

1 Solving the Shortest Lattice Vector Problem in Time.465n Xavier Pujol 1 and Damien Stehlé 1 Université de Lyon, Laboratoire LIP, CNRS-ENSL-INRIA-UCBL, 46 Allée d Italie, Lyon Cedex 07, France CNRS, Macquarie University and University of Sydney, Department of Mathematics and Statistics F07, University of Sydney NSW 006, Australia {xavier.pujol,damien.stehle}@ens-lyon.fr Abstract. The Shortest lattice Vector Problem is central in lattice-based cryptography, as well as in many areas of computational mathematics and computer science, such as computational number theory and combinatorial optimisation. We present an algorithm for solving it in time.465n+on) and space 1.33n+on), where n is the lattice dimension. This improves the best previously known algorithm, by Micciancio and Voulgaris [SODA 010], which runs in time 3.199n+on) and space 1.35n+on). Keywords. Lattices, Shortest Vector Problem, sieve algorithms. 1 Introduction A lattice L is a discrete subgroup of R n. The dimension of L is d = dimspanl). Any lattice can be represented as the set of integer linear combinations of d linearly independent vectors b 1,...,b d. These vectors form a basis of L and we write L = Lb 1,...,b d ). Since a lattice is discrete, it has shortest non-zero vectors. Their norm λl) is called the minimum of L. The Shortest Vector Problem SVP) consists in finding such a vector. For the sake of simplicity, we consider only full rank integer lattices in this article, i.e., d = n and L Z n. SVP is known to be NP-hard under randomized reductions [1], and to remain so even if relaxed by arbitrary constant factors [13, 10]. SVP is of prime interest in cryptography for two reasons: first, the security of several lattice-based cryptosystems see, e.g., [, 19, 8] and the survey [15]) relies on the hardness of polynomially relaxed versions of the decisional variant of SVP for [], it is proved to be so in [14]); second, the main cryptanalytic tool against lattice-based cryptosystems, namely hierarchical reduction algorithms [0, 1, 7], relies on an algorithm that solves SVP in moderate dimensions. Note that SVP also occurs naturally in algorithmic number theory [4] and in combinatorial optimization [5]. The currently known algorithms for SVP can be separated in two categories. On one side, deterministic algorithms enumerate all lattice vectors shorter than a fixed bound A λl), by working on the Gram- Schmidt orthogonalization of the given lattice basis. They were introduced by Kannan [1] and Fincke and Pohst [6]. If given as input an LLL-reduced basis, the algorithm of Fincke and Pohst runs in time On), while the worst-case complexity of Kannan s algorithm is n n e +on) this complexity upper bound is proved in [9]). Note that for all complexity statements, we omit a multiplicative factor that is polynomial in the bitsize of the lattice basis. Enumeration algorithms require a polynomially bounded amount of space. On the other side, the algorithms with the best theorical complexity are probabilistic Monte Carlo) sieve algorithms, the first of which was introduced by Ajtai et al. in [3]. The initial time and space complexity bounds of On) were later improved by Regev [18], then decreased to 5.90n+on) and.95n respectively by Nguyen and Vidick [17] and recently decreased further to 3.40n+on) and 1.97n+on) by Micciancio and Voulgaris [16]. The authors of [16] also introducedlistsieve, another sieve algorithm which solves SVP in time 3.199n+on) and space 1.35n+on). Contrary to enumeration algorithms, sieve algorithms require an exponential amount of space. Our result. We present an improved version of ListSieve which solves SVP in time.465n+on) and space 1.33n+on) the constants are chosen to minimize the time complexity: a better space complexity can

2 be achieved at the expense of increasing the time complexity). The main new ingredient is the use of the birthday paradox to decrease the number of vectors that must be generated to ensure that the sieve succeeds. The improvement is most easily described with the Ajtai et al. algorithm see the simplified description of [17]). The latter samples iid vectors in L B n 0,cλ 1 L)) for a small constant c, which contains only a finite number N of lattice points. The proof of correctness requires that the same vector is sampled twice with high probability, and another technical constraint implies that only a small fraction 1/x of all the vectors is taken into account. In the previous analyses, the number of required vectors was N x. However, the birthday paradox ensures that O Nx) vectors suffice. In the case of the Ajtai et al. algorithm, this leads to a time complexity bound of.648n+on). We omit the proof, as the improved variant of ListSieve provides a better complexity bound, although it requires more care to ensure that the sampled vectors are iid. Notations. We write for the euclidean norm and, for the dot product. If u and v are non-zero vectors, we define φ u,v as the angle between u and v. We use the notation log for the natural logarithm. All balls B n x,r) are closed, and if x is omitted, it means that the ball is centred on 0. The bitsize B of a basis B is sum of the bitsizes of its vectors. We let PB) denote the fundamental parallelepiped spanned by the basis B. Finally, for any u = i u ib i, we write u mod PB) for i u i u i )b i. The SVP algorithm We first recall the ListSieve algorithm from [16], in Figure 1. It builds a list T of lattice vectors, reducing each randomly generated vector with vectors previously added to the list. ListSieve keeps adding vectors to T until it finds a lattice vector whose norm corresponds the guessed value µ for the lattice minimum λ. It makes use of sampling and reduction functions, described in Figures 3 and 4. The reduction is done on perturbed vectors u = u+x instead of lattice vectors u L, with randomly chosen x s. If the perturbations are large enough, a given perturbed vector can sometimes be obtained from several lattice vectors. The fact that the reduction function is oblivious to the lattice vector is crucial for the proof of correctness. Input: A basis B, µ λlb)), ξ > 1, N1. Output: A shortest non-zero vector of LB). Choose x 1,...,x N1 ) randomly in B n0, ξµ). T {0}. For i = 1 to N 1, do t i,t i) ReductionNewPairB,x i ), T), If t j T, 0 < t i t j µ, then return t i t j; ElseIf t i / T, then T T {t i }. Fig. 1. The ListSieve algorithm The new algorithm ListSieve-Birthday is described in Figure. It runs ListSieve for a while, and then adds to a second list U the vectors reduced with respect to the ListSieve list T. Hence the vectors of the second list U are both short with high probability) and iid. In Section 3, we will prove the following result. Theorem 1 Let L Z n be an n-dimensional lattice and B = b 1,...,b n ) be a basis of L. With suitable choices for the parameters µ, ξ, r 0, N 1 and N, the algorithm ListSieve-Birthday can be used to solve SVP on B with probability 1 Ωn) in time.465n+on) Poly B ) and space 1.33n+on) Poly B ). 3 Analysis of ListSieve-Birthday In this section we set λ = λl) and fix the parameters ξ > 1/ and r 0 > ξ. Wlog, we assume that:

3 Input: A basis B, µ λlb)), ξ > 1, r 0 > ξ, N 1, N. Output: A shortest non-zero vector of LB). Choose x 1,...,x N1,y 1,...,y N ) randomly in B n0, ξµ). T, U. For i = 1 to N 1, do t i,t i) ReductionNewPairB,x i ), T), If t i r 0 µ then T T {t i }. For i = 1 to N, do u i,u i) ReductionNewPairB,y i ), T), U U {u i }. Find closest distinct points s 1,s ) in U fail if they do not exist). Return s 1 s. Fig.. The SVP algorithm: ListSieve-Birthday Input: A basis B and a perturbation x. Output: A lattice vector u and a perturbed vector u. u x) mod PB). u u + x. Return u,u ). Fig. 3. The NewPair algorithm Input: A pair u,u ) generated by NewPair and a list T L. Output: A reduced pair u,u ). While w T : u w < `1 1 n u, u,u ) u w,u w). Return u,u ). Fig. 4. The Reduction algorithm The integer basis B is LLL-reduced. This can be done in time Poly B ). We have max i b i = On) λ if the basis is LLL-reduced then the basis vectors that are too long cannot come into play, see [17, Lemma 3.3]). We know µ such that λ µ < n) λ. This can be ensured by trying a polynomial number of values for µ. 3.1 Known results The following lemmas are variants of those given in [16]. Theorem, which is the main tool for Lemmas 3 and 4, is proven in [11]. For the sake of completeness, we give proofs of Lemmas 3, 4 and 5 in the appendix. Theorem Kabatiansky and Levenshtein) Let E R n \{0}. If there exists φ 0 > 0 such that for any u,v E, we have φ u,v φ 0, then E cn+on) with c = 1 log [1 cosminφ 0,6.99 ))] Lemma 3 Let c b = log r For any lattice L, we have B n 0,r 0 µ) L N B n) = cbn+on). Lemma 4 Let c t = 1 log 1 ξ r ) At any moment during the execution of ListSieve-Birthday, 0 the list T contains at most N T n) = ctn+on) vectors. ) Lemma 5 Let c g = 1 log 1 1 4ξ and s be a shortest non-zero vector of L. Let I s = B n 0,ξµ) B n s,ξµ). If x is chosen uniformly in B n 0,ξµ), then Pr x I s ) 1 N with N Gn) Gn) = cgn+on). 3

4 3. Proof of Theorem 1 Let N max 1 = 4N G N T and N = 8N G N B. We sample N1 uniformly in the interval [0,N max 1 1]. The purpose of Lemmas 6 and 7 is to prove that with high probability, there are sufficiently many vectors u i in U such that u i is short i.e., u i < r 0 µ) and y i I s in that case, the perturbed vector u i could be associated to another lattice vector, namely u i + s with the perturbation y i + s). Lemma 6 Consider ListSieve-Birthday with N 1 = N1 max. For i N1 max, we define the event E i : t i < r 0 µ. We let p i = Pr E i x i I s ), where the probability is taken over the randomness of x 1,...,x i, and J = {i N1 max : p i 1 }. Then J Nmax 1 /. Proof. Assume for contradiction) that J > N max 1 /. Then by Lemma 5 we have i J 1 p i )Pr x i I s ) J N G > N T. This contradicts the following inequalities. The last one derives from Lemma 4. p i )Pr x i I s ) = i J1 Pr E i ) x i I s )) Pr E i ) N T. i J i 1 In the second loop of ListSieve-Birthday, we do not add any point to T. Therefore, the points that are added to U are iid. The procedure to reduce points being the same in both loops, we have that for any i N such that y i I s, the probability that u i < r 0 µ is p. Since N N1+1 1 is sampled uniformly in [0,N1 max 1], we have p 1 N1+1 with probability 1, by Lemma 6. Lemma 7 If n is sufficiently large, then with probability 1/4 taken over the randomness of N 1, the x k s and the y k s), there exist two distinct indices i,j N such that u i = u j and y i,y j I s. Proof. Let N = N B. Until the end of the current proof, we assume that p 1 N1+1, which occurs with probability 1 and implies that Pr u i r 0µ y i I s ) 1 for all i N. Let X = {i N : u i r 0 µ) y i I s )}. Lemma 5 gives Pr u i r 0 µ) y i I s )) = Pr u i r 0 µ y i I s ) Pr y i I s ) 1 N G. The variable X has a binomial distribution of parameter p 1 N G. We have EX) = pn N and VarX) = p1 p)n EX). Therefore, by using Chebyshev s inequality, we have since N B 5 holds for n large enough, we have N 10): VarX) Pr X N) Pr X EX) EX) N) EX) N) EX) EX) N) N 1 5. So with high probability ListSieve-Birthday samples at least N iid points in S 0 = B n r 0 µ) L. The probability that a collision occurs is minimized when the distribution is uniform, i.e., the probability of each point is 1/ S 0. Since we have chosen N S 0 by Lemma 3), the birthday paradox implies that the probability will be large. More precisely it is greater than i<n where we used the fact that S 0 N B by Lemma 3). 1 i ) ) 4 )) NN 1) 1 exp ), S 0 5 N B 5 e 4

5 In order to prove that ListSieve-Birthday returns a shortest non-zero vector with high probability, we introduce a modified version ListSieve-Birthday. Recall that in Lemma 5, we have fixed a shortest vector s and defined I s = B n 0,ξµ) B n s,ξµ). For x in B n 0,ξµ), let τx) = x + s if x I s and τx) = x if x / I s. The difference between ListSieve-Birthday and ListSieve-Birthday is that in the latter the function τ is applied to each y i with probability 1 immediately after it is chosen. If x is sampled uniformly in B n 0,ξµ), then so is τx). As a consequence, the outputs of ListSieve-Birthday and ListSieve-Birthday follow the same distribution. For x I s, let u,u ) = ReductionNewPairx),T) and v,v ) = ReductionNewPairτx)),T). The fact that x I s implies that x = τx) mod PB). The actions of Reduction depend only on the perturbed vector, so we have v = u and v = u + s. Lemma 8 Let c time = maxc g + c t,c g + c b ) and c space = maxc t,c g + c b /). Then with probability 1 16 and for sufficiently large n, ListSieve-Birthday returns a shortest non-zero vector of L in time ctimen+on) and space cspacen+on). Proof. We start with the correctness property. Assume that we run the algorithms ListSieve-Birthday and ListSieve-Birthday on the same input and that they make the same random choices for N 1 and the perturbations. By Lemma 7, with probability 1 4, there exist two distinct indices i and j such that u i = u j and y i,y j I s in ListSieve-Birthday. With probability 1 4, ListSieve-Birthday applies τ to y i but not to y j. Therefore it outputs u i + s and u j = u i, because it chooses the same perturbations as ListSieve-Birthday. Thus, with probability 1 16, there exist two vectors s 1 and s in the second list of ListSieve-Birthday such that s 1 s = λl). This also holds for ListSieve-Birthday, since it has the same output distribution. The space complexity is T + U. By Lemma 4, we have T ctn+on), and, by definition of N, we have U cg+cb/)n+on). Since b i = On) µ for all i, the complexity of Reduction is T Polyn, B ). Omitting the polynomial factor, the time complexity of the first loop is T N 1 T N1 max cg+ct)n+on). The time required to find a closest pair of points in U with the naive algorithm is U. Finally, the time complexity of the second loop is T U ct+cg+cb/)n+on), which is negligibly smaller than the cost of one of the other components. Proof of Theorem 1. The time complexity is minimized when c t = c g + c b. By Lemmas 3, 4 and 5, this is equivalent to r 0 = ξ ξ. Optimizing with respect to ξ leads to ξ , r , c time.465 and c space Calling the algorithm n times ensures that it succeeds with probability exponentially close to 1. 4 Open Problems In [16] the authors drew a list of important open problems about ListSieve, in particular on the necessity of perturbing the initial lattice vectors. These carry over to ListSieve-Birthday. Another question that is specific to the latter is whether it is necessary to divide it into two steps to ensure that the vectors of the second list are iid. At first sight, it seems to be an artefact of the proof, but we did not manage to avoid it. Acknowledgments This work is part of the Australian Research Council Discovery Project DP Integral lattices and their theta series. We thank D. Micciancio and P. Voulgaris for helpful discussions. References 1. M. Ajtai. The shortest vector problem in l is NP-hard for randomized reductions extended abstract). In Proceedings of the 30th Symposium on the Theory of Computing STOC 1998), pages ACM Press, M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 9th Symposium on the Theory of Computing STOC 1997), pages ACM Press,

6 3. M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the 33rd Symposium on the Theory of Computing STOC 001), pages ACM Press, H. Cohen. A Course in Computational Algebraic Number Theory, nd edition. Springer-Verlag, F. Eisenbrand. 50 Years of Integer Programming , From the Early Years to the State-of-the-Art, chapter Integer Programming and Algorithmic Geometry of Numbers. Springer-Verlag, U. Fincke and M. Pohst. A procedure for determining algebraic integers of given norm. In Proceedings of EUROCAL, volume 16 of Lecture Notes in Computer Science, pages Springer-Verlag, N. Gama and P. Q. Nguyen. Finding short lattice vectors within Mordell s inequality. In Proceedings of the 40th Symposium on the Theory of Computing STOC 008). ACM, C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Symposium on the Theory of Computing STOC 008), pages ACM Press, G. Hanrot and D. Stehlé. Improved analysis of Kannan s shortest lattice vector algorithm. In Proceedings of Crypto 007, volume 46 of Lecture Notes in Computer Science, pages Springer-Verlag, I. Haviv and O. Regev. Tensor-based hardness of the shortest vector problem to within almost polynomial factors. In Proceedings of the 39th Symposium on the Theory of Computing STOC 007, pages ACM, G. A. Kabatiansky and V. I. Levenshtein. Bounds for packings on a sphere and in space. Problemy Peredachi Informatsii, 141):3 5, Available in English in Problems of Information Transmission 141): R. Kannan. Improved algorithms for integer programming and related lattice problems. In Proceedings of the 15th Symposium on the Theory of Computing STOC 1983), pages ACM Press, S. Khot. Hardness of approximating the shortest vector problem in lattices. Journal of the ACM, 55): , V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In Proceedings of Crypto 009, pages , D. Micciancio and O. Regev. Post-Quantum Cryptography, chapter Lattice-based Cryptography. Springer-Verlag, D. Micciancio and P. Voulgaris. Faster exponential time algorithms for the shortest vector problem, 010. To appear in the proceedings of SODA 10, preliminary versions available at the URLs report/009/065 and P. Nguyen and T. Vidick. Sieve algorithms for the shortest vector problem are practical. Journal of Mathematical Cryptology, ), O. Regev. Lattices in computer science, 004. Lecture notes of a course given at the Tel Aviv University. Available at the URL O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th Symposium on the Theory of Computing STOC 005), pages ACM Press, C. P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theor. Comput. Sci, 53:01 4, C. P. Schnorr and M. Euchner. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Mathematics of Programming, 66: , Known proofs Proof of Lemma 3. Let α = 1+ 1 n. The ball B λ n ) contains exactly one lattice point. We cover Bn r 0 µ) \B λ n with coronas T r = B n αr) \B n r) for r = λ, λ α,..., λ αk, with k = nlog r 0 ) = On). It suffices to prove that any corona T r contains at most cbn+on) lattice points. Let u and v be two distinct lattice vectors in T r B n r 0 µ). We have u v,u v λ, so u,v u + v λ ). This implies that: 1 cos φ u,v = u,v u v 1 u v + v u λ ) u v n λ r µ n n ) r0 1 1 n r0. 1 For any ε 0, ) and sufficiently large n we can apply Theorem with φ r0 0 = cos ε r0 ) ) 60. 6

7 Proof of Lemma 4. First, we bound the norm of any vector of T. NewPair returns t,t ) such that t PB) and t t ξµ. We have assumed that max i b i = On) λ. Hence t nmax i b i On) µ. After applying Reduction, the norm of t does not increase and t t is unchanged, so, for any t i T, we have r 0 µ t i On) + ξ)µ. It now suffices to prove that any T r = {t i T rµ t i 1 + n) 1 rµ} for r r 0 contains at most ctn+on) points. Indeed, the list T is contained in a union of On ) sets T r. Let i < j such that t i,t j T r. The idea of the proof is that for large n, the angle between t j and t i is not far from being above π 3 because t i was already in T when t j was reduced. We use the inequality t j t j ξµ to obtain a lower bound for φ t i,t j and then apply Theorem. Note that t j t j + ξµ 3rµ. Since t j was added after t i, we have: t j t i > t j t i,t j t i > t j,t i < ) t n j 1 1 ) t n j,t j [ t i + n ] t j 1 ) t n j,t j Moreover, we have t j t j,t i ξµ t i. We can now bound cosφ t i,t j ). 1 t i + 1 n 3rµ). t j,t i = t j,t i + t j t j,t i 1 t i + 1 n 3rµ) + ξµ t i The bound on T r follows directly from Theorem. cosφ ti,t j ) = t j,t i t i t j 1 t i t j + 1 n 3rµ) t i t j + ξµ t j ) + 9 n n + ξ r 1 + ξ ) 1 + O. r 0 n Proof of Lemma 5. The set B n 0,µξ) B n s,µξ) is the union of two identical n-sphere caps of height µξ λ µ ξ ) 1. Let C be one of these. It contains a cone of height h = µ ξ 1 ) whose basis is an n 1)-sphere of radius r = µ ξ 1 4. Moreover B nr) is included in a cylinder of basis B n 1 r) and height r so we have Vol B n r) r Vol B n 1 r). Then VolC Vol B n ξµ) h n Vol B n 1r) Vol B n ξµ) h rn Vol B n r) Vol B n ξµ) ξ 1 n ξ ) n/ 4ξ. 7