arxiv: v1 [quant-ph] 21 Nov 2016
An Efficient Quantum Algorithm for a Variant of the Closest Lattice-Vector Problem

Lior Eldar (Center for Theoretical Physics, MIT) and Peter W. Shor (Department of Mathematics and Center for Theoretical Physics, MIT)

This version: June 18, 2018

Abstract

The Systematic Normal Form (SysNF) is a canonical form of lattices introduced in [ES16], in which the basis entries satisfy a certain co-primality condition. Using a smooth analysis of lattices by SysNF lattices we design a quantum algorithm that can efficiently solve the following variant of the bounded-distance-decoding problem: given a lattice $L$, a vector $v$, and numbers $b = \lambda_1(L)/n^7$, $a = \lambda_1(L)/n^3$, decide whether the distance of $v$ from $L$ is in the range $[a/2, a]$ or is at most $b$, where $\lambda_1(L)$ is the length of the shortest non-zero vector of $L$. Improving these parameters to $a = b = \lambda_1(L)/\sqrt{n}$ would invalidate one of the security assumptions of the Learning-with-Errors (LWE) cryptosystem against quantum attacks.

1 Introduction

1.1 General

A lattice is a discrete set of points in Euclidean space, spaced in a regular fashion. One usually thinks of a lattice as the set of all integer combinations of a linearly independent set of vectors $b_1, \ldots, b_n \in \mathbb{R}^n$. Lattices give rise to an immensely important family of associated problems, the predominant ones being the shortest-vector problem (SVP) and the closest-vector problem (CVP). The study of both problems over the last decades has unearthed deep connections to subjects as diverse as integer programming, algorithmic number theory (via the celebrated LLL algorithm [LLL82]), and cryptanalysis. The last of these, cryptanalysis, has seen explosive growth in the context of lattices, as researchers discovered that one can base cryptographic primitives on the worst-case hardness of approximating SVP to within polynomial factors [Ajt96, MR07, Reg09, BLP+13].

In other words, the security of these cryptographic schemes rests on the assumption that even a modest (polynomial) approximation of the baseline problems SVP / CVP is hard and requires exponential time. To see why lattice problems are at least intuitively hard, it suffices to consider the simplest lattices, namely arbitrary rotations of the integer lattice $\mathbb{Z}^n$. For such a lattice, instead of the natural basis of unit-length vectors, one can provide adversarially, as input, a basis $\{b_1, \ldots, b_n\}$ that forms a very skewed parallelotope in which every vector has length exponential in $n$, i.e. $\|b_i\| = 2^{\Omega(n)}$. In such a scenario, even producing a linear combination $v = \sum_i z_i b_i$, $z_i \in \mathbb{Z}$, with $\|v\| = \mathrm{poly}(n)$ seems to entail a brute-force traversal of a very large set of possible coefficients, and hence time exponential in the size of the input.

Currently there is no evidence that undermines these assumptions. Asymptotically, the best approximation achievable by a classical polynomial-time algorithm for SVP/CVP comes from the LLL algorithm [LLL82] and the subsequent nearest-plane algorithm [Bab86]; both run in polynomial time but achieve only a $2^{O(n)}$ approximation factor. If one insists on a polynomial approximation factor, the best known classical algorithms still require almost exponential time, $2^{O(n \log\log n / \log n)}$, due to Schnorr and to Ajtai et al. [Sch87, AKS01]. On the other hand, complexity theory suggests that polynomial approximation of these problems is not NP-complete: the strongest result here is by Aharonov and Regev [AR05], who showed that approximating both SVP and CVP to within a factor of $\sqrt{n}$ lies in $\mathrm{NP} \cap \mathrm{coNP}$, and is hence unlikely to be NP-complete. NP-hardness results for SVP and CVP exist only for sub-polynomial factors [ABSS97, DKS98, GMSS99, HR12, Kho06, Mic01], some of them under standard complexity-theoretic assumptions. Hence the approximate versions $\mathrm{SVP}_\gamma$, $\mathrm{CVP}_\gamma$, in which we are required to produce a solution (lattice vector) whose length is at most $\gamma$ times that of an optimal solution, sit in an awkward position for $\gamma = \mathrm{poly}(n)$: complexity theory predicts they are not NP-hard, yet we have no algorithms that solve them in polynomial, or even sub-exponential, time.

To further aggravate matters, consider the importance of $\mathrm{SVP}_\gamma$, $\mathrm{CVP}_\gamma$ for $\gamma = \mathrm{poly}(n)$ in the context of Ajtai's famous worst-case to average-case reductions. Ajtai's work [Ajt96] reduces a worst-case instance of SVP to average-case instances of SVP, such that approximating the shortest vector of a non-negligible fraction of the output instances to within a factor $\gamma$ yields an approximation of the shortest vector of the original lattice to within a polynomially worse factor. This result and subsequent improvements were then used to design a variety of cryptographic primitives. Essentially, it allows one to mass-produce instances of SVP that are hard to approximate, assuming that worst-case SVP is hard to approximate even to within polynomial factors.

1.2 A Quantum Perspective

The discussion above is confined to our theoretical understanding of lattice problems in the regime of classical computers. But what about quantum computers? Quantum computers are, for the time being, hypothetical objects that describe a well-controlled computational abstraction of quantum mechanics. They have been shown to solve several problems exponentially faster than the best known classical algorithms, most prominently integer factoring, due to Shor [Sho97]. Their strength is manifested most strongly in problems in which the object of interest is an Abelian subgroup. Since this structure is trivially present in lattices, it is natural to ask whether one can efficiently approximate SVP, CVP on a quantum computer. Until now, no such algorithm was found. Furthermore, in [Reg09], where the celebrated Learning-With-Errors encryption scheme was introduced, Regev based the security of the scheme against quantum attacks on the assumption that quantum computers cannot efficiently solve $\mathrm{SVP}_\gamma$, $\mathrm{CVP}_\gamma$ for some $\gamma = \mathrm{poly}(n)$.

In this work we show that certain lattice problems, not known to be efficiently solvable on classical computers, can in fact be solved efficiently by quantum computers. We consider a gapped decision version of the Bounded-Distance-Decoding problem (BDD), defined as follows:

Definition 1. Gapped bounded-distance decoding, $\mathrm{gapBDD}_{\gamma_1,\gamma_2}$. Given are a lattice $L \subseteq \mathbb{R}^n$, a vector $v \in \mathbb{R}^n$ and two numbers $a = \lambda_1(L)/\gamma_1$, $b = \lambda_1(L)/\gamma_2$, where $\gamma_2 \geq 2\gamma_1$. Decide whether
  YES ("very close to the lattice"): $\mathrm{dist}(v, L) \leq b$, or
  NO ("somewhat close to the lattice"): $\mathrm{dist}(v, L) \in [a/2, a]$,
given the promise that $v$ belongs to one of these two categories.

We then show a quantum circuit whose size scales polynomially in $n$ that solves this problem for certain parameters:

Theorem 1. Fix any $\alpha > 0$. The problem $\mathrm{gapBDD}_{\gamma_1,\gamma_2}$ is in BQP for all $\gamma_1 \geq n^{3+2\alpha}$ and $\gamma_2 \geq \gamma_1 n^{4-\alpha}$.

1.3 Previous work

It is natural to relate our problem to the well-known Bounded-Distance-Decoding problem (BDD). In $\mathrm{BDD}_\alpha$ we are given a lattice $L$ and a vector $v$ with $\mathrm{dist}(v, L) \leq \alpha\lambda_1(L)$, and are asked to find a lattice vector closest to $v$. It is known that the search problem $\mathrm{BDD}_\alpha$ is NP-hard for $\alpha > 1/\sqrt{2}$ [LM09]; whether it remains NP-hard for smaller $\alpha$ is unknown. In fact, there is an indication that it is not: in [LLM06] the authors showed that a pre-processing version of $\mathrm{BDD}_\alpha$, called BDDP, can be computed efficiently for certain parameters. In terms of decision problems, [LLM06] also showed how to reduce the search version of $\mathrm{BDD}_\alpha$ to its decision version for sufficiently small polynomial factors $\alpha \leq 1/\sqrt{n}$; thus for sufficiently small $\alpha$ the search and decision versions of $\mathrm{BDD}_\alpha$ are equivalent. With respect to other lattice problems, it is known that the decision problem $\mathrm{gapSVP}_\gamma$, in which we are asked to decide whether the shortest vector of $L$ has length at most $d$ or at least $d\gamma$, reduces to $\mathrm{BDD}_{1/\gamma'}$ for $\gamma' = \gamma\sqrt{n/\log n}$ (see [LM09]). Finally, in the work of Regev that introduced the Learning-With-Errors problem [Reg09] it was shown that LWE is hard assuming that the search version of $\mathrm{BDD}_{1/\sqrt{n}}$ is hard. Hence, the problem $\mathrm{gapBDD}_{\gamma_1,\gamma_2}$ defined above is a somewhat weaker version of the decision version of $\mathrm{BDD}_{\gamma_1}$, because it has an additional margin of error $\gamma_1/\gamma_2$ within the already bounded radius around the target lattice. Using the result of Liu et al. [LLM06],
it then follows that improving the parameters of Theorem to γ = γ 2 = / n would invalidate the aforementioned security assumption of LWE against quantum computers..4 The Systematic Normal Form of Lattices Our algorithm makes crucial use of the Systematic Normal Form of lattices (SysNF) introduced in [ES]. SysNF lattices can be characterized by a basis matrix of the following canonical form: N b 2 b 3... b n B = ().... where N is a prime number, b i s are integers, all unspecified entries are 0, and in addition n b 2 i 0(mod N). i=2 A lattice L is a SysNF lattice if L = {Bx, x Z n }, and B is of the form above. It is important to point out that without the last condition above, such lattices are wellknown in literature, as they correspond to solutions to a single homogeneous linear equation modulo a prime number N, and hence can be considered as a special case of the random lattice ensemble of Ajtai [Ajt96]. In addition, such lattices have been shown to form a uniformly dense set in a well-defined way [GM03]. The first important property of SysNF lattices is that a sufficient density of prime numbers (via GRH) gives rise to a similar density of SysNF lattices, in an efficiently-computable fashion: Given any lattice L, one can efficiently find a nearby SysNF lattice L : For any ε > 0 there exists an efficiently computable linear map σ = σ(ε) and a large integer T, such that x L, σ(x) L and x σ(x)/t ε. 3
4 This allows one to translate computational problems on an arbitrary lattice to a computational problem on a nearby SysNF lattice, and translate back the result to the original instance, with a negligible loss to the precision of the result. This property of efficiently-computable density of canonical lattices is not a new phenomenon, and it has been observed by Paz and Schnorr [PS87] that such a property exists for other types of canonical lattices. The second important property of this form, arises from the structure of B. Specifically, the SysNF structure allows one to consider the lattice L as a sub-lattice of F n N - i.e. of the n- dimensional vector space over the finite prime-number field F N. The quotient F n N /L N is cyclic, because N is prime, and is bijective with the set of all dual lattice points NL contained in F n N. Furthermore, both L and NL are periodic in N, so Ne i L, NL. Hence, when we consider the lattice and its dual, our objects of interest will be and L N := L F n N (NL ) N := (N L ) F n N. In the algorithm, we crucially use a bijection from [ES] Φ 3 : F n N/L N (NL ) N, This bijection implies that given any x F n N, there exists a unique dual lattice point y (NL ) N, such that x + y L N = L F n N. This is discussed in Claim, where it is also shown that this map is efficiently computable. Consider the action of applying the map x x + Φ 3 (x) to some short vector x F n N. Then x + Φ 3(x) is a lattice vector, that has distance exactly x from (NL ) N - specifically from the point Φ 3 (x) (NL ) N. In the context of quantum computing, by applying Φ 3 to a super-position on F n N corresponding to, say, the discrete Gaussian on F n N, we can efficiently generate the following quantum state (up to normalization), for polynomially small s > 0: e π x y y (NL ) N x L N 2 /s 2 x y. 
This allows us, by measuring the second register of the state above - to collapse to a superposition on L N that is very tightly concentrated around some dual lattice point y (NL ) N. A similar state will be used as the starting state of our quantum algorithm..5 Overview of the algorithm We assume here for simplicity, that we are given a SysNF lattice L, and interested in solving the gapped version of BDD on the scaled dual of L, namely NL, i.e. to determine some information about the distance of a given vector v from NL. This assumption is without loss of generality and removed in the full algorithm - see Section 4. In concrete terms: we are given a SysNF lattice L, a vector v L, N = det(l), and asked to decide whether YES : dist(v, NL ) λ (NL )/n 7, or NO : dist(v, NL ) [λ (NL )/(2n 3 ), λ (NL )/n 3 ]. Following is a high-level description of the core of our algorithm: we fix some parameter s so that N/s λ (NL )/n. We define a Hilbert space of 3 registers H = H a H b H c. All arithmetic operations are defined on the prime number field F N.. Generate the quantum state ψ 0 = sinc F n N,s,0, where sinc s,y (x) is the n-th fold product of the function sin(x/s)/(x/s) sampled on F n N, and centered at y (see Definition 4 and Figure 3) 4
5 v Figure : The two distributions in case v is far from the lattice: the blue circles indicate n-balls of radius, say λ (L)/ n, and the red circles are the same distributions shifted by v. Since v is far, the statistical distance between these two distributions is large. v Figure 2: The two distributions in case v is close to the lattice: the blue circles indicate n-balls of radius, say λ (L)/ n, and the red circles are the same distributions shifted by v. Since v is close to L, the statistical distance between these two distributions is very small. 2. Recall that Φ 3 : F n N (NL ) N is the map that sends each x F n N to its coset representative in F n N /L N (NL ) N (see Claim ). Apply the map Φ 3 (x) unitarily: denote the state by ψ. x a 0 b x + Φ 3 (x) a Φ 3 (x) b 0 c, 3. For each x on H a, compute (unitarily) the inner product x, v to H c, denote by ψ Measure the register H b of ψ 2 in the computational basis, and post-select on H c so that x, v [ N/(2π n), N/(2π n)]. Un-compute x, v on H c. Denote the state by ψ Apply the n-th fold tensor-product Quantum Fourier Transform - F n N - to ψ 3, denote by ψ Apply the Hadamard test to ψ 4 w.r.t. the unitary U v : U v : x x + v and accept if and only if the test passes..5. The Hadamard Test It is perhaps easier to understand the algorithm, working backward from the final step, which is essentially the auto-correlation test due to [GG00]. The auto-correlation protocol in [GG00] demonstrates an AM (and in fact SZK) protocol for solving cogapcvp n. In that problem we are given a lattice L and a vector v, and asked to determine if (v, L) = or (v, L) n. The protocol reduces the lattice problem to a problem of distinguishing between two distributions: ρ - the periodic uniform distribution on n-dimensional balls of radius n around the points of L, and ρ 2 is a shifted version of ρ by the input vector v. 
The verifier picks one distribution at random, and sends samples of this distribution to the prover, who is then asked to decide if the samples emanated from ρ or ρ 2. It is then easy to see that if v is close to L, then the statistical overlap between ρ, ρ 2 is large and so the prover would not be able to tell them apart with probability better than /2, whereas if v is far - she can do so w.p. that exceeds /2 non-negligibly - see Figures, 2: 5
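The coset map $\Phi_3$ of Section 1.4, which step 2 of the algorithm above applies unitarily, on a toy SysNF instance. This is an added worked example, not code from the paper or from [ES16]. It assumes the explicit description of the lattice that follows from the basis shape (1): $L = \{y \in \mathbb{Z}^n : \langle a, y\rangle \equiv 0 \pmod N\}$ with $a = (1, -b_2, \ldots, -b_n)$, so that $(NL^*)_N = \{ka \bmod N : k \in \mathbb{F}_N\}$ and $\Phi_3(x)$ is the multiple $ka$ with $k = -\langle a, x\rangle \langle a, a\rangle^{-1} \bmod N$; these formulas are derived here, since Claim 1 itself is not on this page. The function names and the instance ($N = 7$, $b = (1, 2)$) are invented for the example.

```python
# Added worked example (not code from the paper): the coset map Phi_3 on a toy SysNF lattice.
from itertools import product


def sysnf_character(b, N):
    """Vector a with  L = { y in Z^n : <a, y> = 0 (mod N) }.

    Reading the SysNF basis (1) column by column, the lattice points are
    (N z_1 + sum_{i>=2} b_i z_i, z_2, ..., z_n), i.e. y_1 = sum_{i>=2} b_i y_i (mod N).
    This explicit description is derived here from the shape of (1); the page does not spell it out.
    """
    return (1,) + tuple((-bi) % N for bi in b)


def in_lattice(y, a, N):
    """Membership in L (equivalently in L_N, since L is N-periodic): <a, y> = 0 mod N."""
    return sum(ai * yi for ai, yi in zip(a, y)) % N == 0


def dual_points(a, N):
    """(N L*)_N = { k*a mod N : k in F_N }.

    Assumed/derived: N L* = N Z^n + a Z, because <a/N, y> is an integer for every y in L,
    and a has first coordinate 1, so the N multiples of a are distinct mod N.
    """
    return [tuple((k * ai) % N for ai in a) for k in range(N)]


def phi3(x, a, N):
    """The unique y in (N L*)_N with x + y in L_N (the paper's Claim 1).

    Writing y = k*a, the condition <a, x + k a> = 0 (mod N) gives
        k = -<a, x> * <a, a>^{-1}  (mod N),
    so Phi_3 is one inner product plus one inversion modulo N.  The inversion is the
    serial step Section 1.6.3 worries about, and it exists iff <a,a> = 1 + sum b_i^2 != 0 mod N.
    """
    norm2 = sum(ai * ai for ai in a) % N
    if norm2 == 0:
        raise ValueError("1 + sum b_i^2 is 0 mod N: Phi_3 is not a bijection for this basis")
    k = (-sum(ai * xi for ai, xi in zip(a, x)) * pow(norm2, -1, N)) % N
    return tuple((k * ai) % N for ai in a)


def check_bijection(b, N):
    """Exhaustive check on a tiny instance that Phi_3 is constant on each coset of L_N
    in F_N^n, sends different cosets to different dual points, and hits all of (N L*)_N."""
    a = sysnf_character(b, N)
    image_of_coset = {}
    for x in product(range(N), repeat=len(a)):
        y = phi3(x, a, N)
        if not in_lattice([(xi + yi) % N for xi, yi in zip(x, y)], a, N):
            return False
        coset = sum(ai * xi for ai, xi in zip(a, x)) % N   # label of x's coset in F_N^n / L_N
        image_of_coset.setdefault(coset, set()).add(y)
    images = list(image_of_coset.values())
    return (len(image_of_coset) == N                       # N cosets: the quotient is cyclic of order N
            and all(len(s) == 1 for s in images)           # Phi_3 depends only on the coset
            and {next(iter(s)) for s in images} == set(dual_points(a, N)))   # onto (N L*)_N


if __name__ == "__main__":
    N, b = 7, (1, 2)                 # constructed toy instance, n = 3
    a = sysnf_character(b, N)
    x = (1, 0, 0)
    y = phi3(x, a, N)
    print("a =", a, " Phi_3(x) =", y, " x + Phi_3(x) in L_N:",
          in_lattice([(xi + yi) % N for xi, yi in zip(x, y)], a, N))
    print("bijection on all of F_7^3:", check_bijection(b, N))
```

Running the file checks exhaustively on $\mathbb{F}_7^3$ that $\Phi_3$ is well defined on cosets and onto $(NL^*)_N$. The `ValueError` branch shows why the invertibility of $1 + \sum b_i^2$ modulo $N$ is needed: for $b = (2, 3)$ and $N = 7$ that sum is $14 \equiv 0$, and then $\langle a, x + ka\rangle \equiv \langle a, x\rangle$ for every $k$, so no multiple of $a$ moves a non-lattice vector into $L_N$.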
Figure 3: The function $\mathrm{sinc}(x)$ on $\mathbb{Z}^n$.

In the proposed algorithm we generate a quantum superposition similar to $\rho_1$ and compute the overlap between $\rho_1$ and its $v$-shifted version $\rho_2$. Denoting by $|\rho_1\rangle$ the quantum state that encodes the function $\rho_1$, i.e. $|\rho_1\rangle = \sum_{x \in L_N} \rho_1(x) |x\rangle$, we are essentially computing $\langle \rho_1 | U_v | \rho_1 \rangle$, where $U_v |x\rangle = |(x + v) \bmod N\rangle$. Readers familiar with this protocol are aware that the above scheme has been, for several years now, the natural scheme to attempt when solving gapped versions of lattice problems on a quantum computer. The major hurdle so far has been to actually generate $|\rho_1\rangle$ for interesting ranges of parameters. In particular, Regev [Reg09] observed that sampling from $\rho_1$ with width roughly $\lambda_1(L)/p$, for some $p = \mathrm{poly}(n)$, reduces to a gapped version of the closest-vector problem. On the other hand, starting from the Fourier series of $\rho_1$ and then applying the Fourier transform, even quantumly, would entail sampling short vectors from the dual lattice, which is equivalent to $\mathrm{SVP}_\gamma$ for certain $\gamma = \mathrm{poly}(n)$, yet another hard lattice problem.

1.5.2 The Quantum States

Keeping the high-level strategy of the auto-correlation test in mind, we now follow the evolution of the quantum states throughout the algorithm. The first state, $|\psi_0\rangle$, is a trivial product superposition on the integer lattice (restricted to $\mathbb{F}_N^n$); it is easy to generate for any parameter $s$, even a very small one. See Figure 3. The next state, $|\psi_1\rangle$, partitions this superposition among orthogonal subspaces of $\mathcal{H}_b$ corresponding to the cosets of $\mathbb{F}_N^n / L_N \cong (NL^*)_N$. Shifting each $x \in \mathbb{F}_N^n$ by its coset representative in $(NL^*)_N$ gives

$$|\psi_1\rangle \propto \sum_{y \in (NL^*)_N} \sum_{x \in L_N} \mathrm{sinc}_{s,y}(x) \, |x\rangle |y\rangle.$$

The distribution induced by measuring this state can be simulated classically: sample from $\mathrm{sinc}_{\mathbb{Z}^n, s, 0}$ and apply the map $x \mapsto x + \Phi_3(x)$ to the sample. Next, we compute for each $x \in L_N$ its inner product with the target vector $v$:

$$|\psi_2\rangle \propto \sum_{y \in (NL^*)_N} \sum_{x \in L_N} \mathrm{sinc}_{s,y}(x) \, |x\rangle_a |y\rangle_b |\langle x, v\rangle \bmod N\rangle_c.$$

This state too can be simulated classically as a distribution. Next, we measure registers $b$ and $c$. Since these measurements act on separate registers they commute, and can be carried out in any order. So suppose first that we only measure the register $\mathcal{H}_b$ containing $y \in (NL^*)_N$. This collapses the quantum state (after uncomputing $\mathcal{H}_c$) to a single discrete sinc function around some point $y \in (NL^*)_N$, chosen approximately uniformly at random from $(NL^*)_N$.

1.5.3 The Case of $y = 0$

If $y = 0$, i.e. the $0$-centered replica was measured, we have essentially achieved our goal: applying the QFT $F_N^{\otimes n}$ to $\mathcal{H}_a$ gives the state

$$|\phi\rangle \propto \sum_{y \in (NL^*)_N} \sum_{x \in \mathbb{F}_N^n} \mathrm{sq}_{N/s, y}(x) \, |x\rangle_a |0\rangle_b |0\rangle_c,$$

where $\mathrm{sq}_{N/s,y}(x)$ is the indicator function of the $n$-dimensional hypercube of side length $N/s$ centered at $y \in (NL^*)_N$. Since $N/s$ is generically much larger than the covering radius of the integer grid $\mathbb{F}_N^n$, this is as though we had a hypercube indicator on all of $\mathbb{R}^n$, periodized (convolved) over the dual lattice $(NL^*)_N$, with side length $N/s$ comparable to $\lambda_1(NL^*)/n$. Since we assume a BDD-type scenario, each point of $\mathbb{F}_N^n$ receives a non-zero contribution from at most a single indicator function (replica) centered at some dual lattice point. Also, the lattice $NL^*$ is periodic with period $Ne_i$ for each $i \in [n]$. Therefore, to determine the distance of $v$ from $NL^*$ it suffices to test the overlap between this state and its $v$-shifted version (modulo $\mathbb{F}_N^n$), which the Hadamard test accomplishes easily. The acceptance probability of the Hadamard test is

$$\Pr[\text{accept}] = \tfrac{1}{2}\big(1 + \mathrm{Re}\,\langle \phi | U_v | \phi \rangle\big), \qquad U_v|x\rangle = |(x + v) \bmod N\rangle.$$

Since the quadratic form $\langle \phi | U_v | \phi \rangle$ is comparable to the overlap $O_v = \langle \rho_1 | U_v | \rho_1 \rangle$ between $\rho_1$ and $\rho_2$, our work is complete.

1.5.4 General Case

Of course, in general we sample $y = 0$ only very rarely. In fact, when $s$ is sufficiently large the distribution of $y$ is approximately uniform over $(NL^*)_N$, a cyclic group of order $N$, so $y = 0$ is sampled with probability $O(1/N)$. Hence it is unreasonable to expect such behavior. So now consider an arbitrary value $y \in (NL^*)_N$ measured at register $\mathcal{H}_b$ of $|\psi_2\rangle$. The collapsed state is a superposition of the sinc function centered around the point $y \in (NL^*)_N$; we refer to it as the $y$-th replica. One can check that for non-zero $y \in (NL^*)_N$ the acceptance probability is given, up to negligible error, by

$$\Pr[\text{accept}] = \tfrac{1}{2}\Big(1 + O_v \cos\big(2\pi \langle y_{cv}, v \rangle / N\big)\Big), \qquad (2)$$

where $y_{cv}$ is a closest $L$-lattice point to the dual lattice point $y \in (NL^*)_N$, and $O_v$ is the real-valued auto-correlation defined above. Since $y$ is approximately uniform on $(NL^*)_N$, it turns out that $\langle y_{cv}, v \rangle / N$ is approximately uniform on $[0, 1)$, which implies that the average acceptance probability is identical in the YES and NO cases, namely $1/2$:

$$\int_{[0,1)} \tfrac{1}{2}\big(1 + O_v \cos(2\pi\theta)\big)\, d\theta = \tfrac{1}{2}. \qquad (3)$$
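The final Hadamard test of Sections 1.5.3 and 1.5.4, simulated classically on a toy post-QFT state. This is an added example, not the paper's code. It models $|\phi\rangle$ directly as the periodic hypercube indicator around the points of $(NL^*)_N$ (for $n = 2$, $N = 101$, a constructed SysNF instance with $b_2 = 10$ and cube side $5$), computes $\Pr[\mathrm{accept}] = \tfrac12(1 + \mathrm{Re}\langle\phi|U_v|\phi\rangle)$ by direct summation, and represents the $y$-th replica by the phase $e^{2\pi i\langle y, k\rangle/N}$ that a real-space shift by $y$ acquires under the QFT; this shift/phase correspondence is derived here and is the source of the cosine in equation (2). The description $(NL^*)_N = \{ka \bmod N\}$ with $a = (1, -b_2, \ldots, -b_n)$ is likewise derived from basis (1), not quoted from the page.

```python
# Added worked example (not code from the paper): the auto-correlation / Hadamard test
# of Sections 1.5.3-1.5.4 on a toy post-QFT state.
import cmath
from itertools import product
from math import cos, pi, sqrt


def dual_points(b, N):
    """(N L*)_N = { k*a mod N } for the SysNF character a = (1, -b_2, ..., -b_n)
    (this description is derived from basis (1); the page does not spell it out)."""
    a = (1,) + tuple((-bi) % N for bi in b)
    return [tuple((k * ai) % N for ai in a) for k in range(N)]


def cube_state(centres, w, N):
    """Normalised amplitudes (dict point -> amplitude) of the periodic indicator of a
    hypercube of odd side w centred at each point of `centres`, modulo N.
    Raises if two replicas overlap, i.e. if w exceeds the dual spacing: the BDD regime
    of Section 1.5.3 assumes each point of F_N^n sees at most one replica."""
    n = len(centres[0])
    r = w // 2
    support = {}
    for c in centres:
        for d in product(range(-r, r + 1), repeat=n):
            p = tuple((ci + di) % N for ci, di in zip(c, d))
            if p in support:
                raise ValueError("replicas overlap: cube side too large for this dual lattice")
            support[p] = 1.0
    norm = sqrt(len(support))
    return {p: v / norm for p, v in support.items()}


def shift(p, v, N):
    """The point p - v mod N, so that (U_v phi)(p) = phi(p - v)."""
    return tuple((pi_ - vi) % N for pi_, vi in zip(p, v))


def autocorrelation(phi, v, N):
    """O_v = <phi| U_v |phi> for the real state phi."""
    return sum(amp * phi.get(shift(p, v, N), 0.0) for p, amp in phi.items())


def acceptance(phi, v, N, y=None):
    """Pr[Hadamard test accepts] = (1 + Re <phi_y| U_v |phi_y>) / 2.

    y = None is the 0-centred replica of Section 1.5.3.  For the y-th replica the
    pre-QFT sinc is shifted by y in real space, so after the QFT the amplitudes carry
    the phase exp(2 pi i <y,k>/N) (shift/phase duality, derived here); the test then
    sees cos(2 pi <y,v>/N) * O_v, which is equation (2)."""
    if y is None:
        return 0.5 * (1.0 + autocorrelation(phi, v, N))

    def phase(p):
        return cmath.exp(2j * pi * sum(yi * pi_ for yi, pi_ in zip(y, p)) / N)

    inner = sum(phase(p).conjugate() * amp * phase(shift(p, v, N)) * phi.get(shift(p, v, N), 0.0)
                for p, amp in phi.items())
    return 0.5 * (1.0 + inner.real)


def equation_2(O_v, y, v, N):
    """Closed form of equation (2), for comparison with the simulated acceptance."""
    return 0.5 * (1.0 + O_v * cos(2 * pi * sum(yi * vi for yi, vi in zip(y, v)) / N))


def average_acceptance(phi, v, N, ys):
    """Equation (3): averaging over a uniformly random replica y gives exactly 1/2
    whenever <a, v> != 0 mod N, so measuring H_b alone carries no information about v."""
    return sum(acceptance(phi, v, N, y) for y in ys) / len(ys)


if __name__ == "__main__":
    N, b, w = 101, (10,), 5      # constructed toy instance: n = 2, dual spacing >= 10, cube side 5
    ys = dual_points(b, N)
    phi = cube_state(ys, w, N)
    for label, v in (("YES-like, v = (1,0)", (1, 0)), ("NO-like, v = (3,3)", (3, 3))):
        print(label, " O_v =", round(autocorrelation(phi, v, N), 4),
              " accept(y=0) =", round(acceptance(phi, v, N), 4),
              " accept(y=a) =", round(acceptance(phi, v, N, ys[1]), 4),
              " mean over y =", round(average_acceptance(phi, v, N, ys), 4))
```

With $v = (1, 0)$ the $0$-replica accepts with probability $0.9$ and the $y = a$ replica with $\tfrac12(1 + 0.8\cos(2\pi/101))$, while the average over all $101$ replicas is exactly $1/2$, as equation (3) predicts; for $v = (3, 3)$ the autocorrelation drops to $0.16$ and the $0$-replica accepts with probability $0.58$. The `cube_state` overlap check is what fails once the cube side exceeds the spacing of the dual points, the regime in which the single-replica assumption of Section 1.5.3 breaks.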
Figure 4: The post-selection process filters out the section of space lying between the two hyperplanes $\langle x, v\rangle / N = -\varepsilon$ and $\langle x, v\rangle / N = \varepsilon$ in $\mathbb{F}_N^n$. If $\varepsilon$ is too small, it may not leave even a single function replica intact.

1.5.5 Phase Filtering

Thus, if we only measure the register $\mathcal{H}_b$ we cannot distinguish between the YES and NO cases. To provide an advantage for the YES case over the NO case, we further condition the fractional inner product $(\langle x, v\rangle \bmod N)/N$ of the lattice vectors $x \in L_N$ in the support of $|\psi_3\rangle$, i.e. before the QFT, to be almost $0$, namely within a window of $O(1/\sqrt{n})$. This happens with non-negligible probability and, on the face of it, almost reduces to the case $y = 0$.

The question immediately arises: why not measure the register $\mathcal{H}_c$ to a single value, and then apply the Hadamard test in a way that compensates for the measured phase, i.e. compute $\mathrm{Re}\big(\langle \phi | e^{-2\pi i \langle x, v\rangle / N} U_v | \phi \rangle\big)$, which can be done efficiently given the measured value of $\langle x, v\rangle$ from $\mathcal{H}_c$? The problem with this approach is that the collapsed state is the restriction of the previous ($NL^*$-periodic) quantum state to some hyperplane $\{x : \langle x, v\rangle = \Theta\}$,

$$|\phi\rangle \propto \sum_{x \in L_N,\ \langle x, v\rangle = \Theta} \mathrm{sinc}_{s,y}(x) \, |x\rangle |y\rangle |\langle x, v\rangle\rangle, \qquad (4)$$

which need not be a proper coherent sinc replica around $y \in (NL^*)_N$. Rather, it could be a thin slice thereof, and this happens in general whenever the uncertainty on the inner product is too small; see e.g. Figure 4. Consider what happens when the QFT is applied to such a thin slice of a single replica around a dual point $y \in (NL^*)_N$: by the uncertainty principle for the Fourier transform, the DFT of this function has much larger variance. Hence the output state may have variance much larger than the desired $N/s$, causing the algorithm to return a wrong answer.

Thus we strike a balance between two opposing forces. On one hand, we condition the pre-QFT state $|\psi_3\rangle$ to be supported on vectors $x \in L_N$ for which $\langle x, v\rangle / N \in [-\varepsilon, \varepsilon]$. This implies that after the QFT and the Hadamard test, the acceptance probability of equation (3) is determined by an integral over a much tighter interval:

$$\frac{1}{2\varepsilon}\int_{-\varepsilon}^{\varepsilon} O_v \cos(2\pi\theta)\, d\theta = O_v \frac{\sin(2\pi\varepsilon)}{2\pi\varepsilon} \geq O_v\Big(1 - \frac{2\pi^2\varepsilon^2}{3}\Big), \qquad (5)$$

so the acceptance probability is at least $\tfrac{1}{2}\big(1 + O_v(1 - 2\pi^2\varepsilon^2/3)\big)$. On the other hand, we want $\varepsilon$ to be large enough to leave sufficient uncertainty in the inner product so as not to damage the measured sinc replica around $y \in (NL^*)_N$ in the state $|\psi_3\rangle$ before the QFT, as demonstrated in the extreme case of a hyperplane in equation (4). The ability to strike such a balance stems from the observation in Fact 6 that lattice points $x_1, x_2 \in L$, $N = \det(L)$, that are relatively close compared to the distance of $v$ from $NL^*$, i.e. $\mathrm{dist}(v, NL^*) \cdot \|x_1 - x_2\| \leq Nc$, have very similar inner products with $v$:

$$\big(\langle x_1, v\rangle - \langle x_2, v\rangle\big) \bmod N \leq Nc.$$
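The inner-product stability that Fact 6 asserts and Figure 5 sketches, checked numerically. This is an added example, not the paper's code. It uses a constructed SysNF instance ($N = 10007$, $n = 4$, $b = (3, 1000, 4567)$), the lattice description $y_1 \equiv \sum_{i \ge 2} b_i y_i \pmod N$ and $NL^* = N\mathbb{Z}^n + a\mathbb{Z}$ with $a = (1, -b_2, \ldots, -b_n)$ derived here from basis (1), and invented offsets $e$ for the YES-like and NO-like targets $v = w + e$ with $w \in NL^*$.

```python
# Added worked example (not code from the paper): the inner-product stability behind
# the phase filtering of Section 1.5.5 (Fact 6), checked numerically on a toy SysNF lattice.
from itertools import product
from math import sqrt

N = 10007                        # a prime; constructed toy instance
B_TAIL = (3, 1000, 4567)         # b_2, b_3, b_4 of the SysNF basis (1), so n = 4
E_CLOSE = (0.2, -0.1, 0.3, 0.0)  # offset of v from N L* in the YES-like case (||e|| ~ 0.37)
E_FAR = tuple(40 * ei for ei in E_CLOSE)   # forty times further away (NO-like)


def centred_mod(t, N):
    """Representative of t modulo N in [-N/2, N/2); works for floats as well."""
    return (t + N / 2) % N - N / 2


def short_lattice_vectors(b, N, r):
    """All d in L with ||d||_inf <= r, by brute force.

    From basis (1) a point is in L iff d_1 = sum_{i>=2} b_i d_i (mod N) (derived here from
    the basis shape), so we enumerate d_2..d_n and keep the d whose forced d_1 is also short."""
    out = []
    for tail in product(range(-r, r + 1), repeat=len(b)):
        d1 = int(centred_mod(sum(bi * ti for bi, ti in zip(b, tail)), N))
        if abs(d1) <= r:
            out.append((d1,) + tail)
    return out


def dual_point(b, N, k, z):
    """A point of N L* = N Z^n + a Z with a = (1, -b_2, ..., -b_n): k*a + N*z (derived, see above)."""
    a = (1,) + tuple(-bi for bi in b)
    return tuple(k * ai + N * zi for ai, zi in zip(a, z))


def inner(x, y):
    return sum(xi * yi for xi, yi in zip(x, y))


def dual_pairing_vanishes(points, w, N):
    """<x, w> is a multiple of N for every lattice point x and w in N L*,
    hence so is <x1 - x2, w>."""
    return all(inner(p, w) % N == 0 for p in points)


def fact6_holds(points, w, e, N, tol=1e-4):
    """Fact 6: for v = w + e, |(<x1,v> - <x2,v>) mod N| <= ||x1 - x2|| * ||e|| for all pairs.
    Since <x1 - x2, w> = 0 mod N the residue equals <x1 - x2, e>, and Cauchy-Schwarz bounds it."""
    v = tuple(wi + ei for wi, ei in zip(w, e))
    norm_e = sqrt(sum(ei * ei for ei in e))
    for x1 in points:
        for x2 in points:
            residue = centred_mod(inner(x1, v) - inner(x2, v), N)
            dist = sqrt(sum((p - q) ** 2 for p, q in zip(x1, x2)))
            if abs(residue) > dist * norm_e + tol:
                return False
    return True


def phase_spread(points, v, N):
    """Width of the window the centred residues <x,v> mod N occupy (the brackets of Figure 5)."""
    residues = [inner(x, v) for x in points]
    return max(abs(centred_mod(p - q, N)) for p in residues for q in residues)


def demo():
    """Returns (spread for v close to N L*, spread for v far from N L*) over one ball of lattice points."""
    short = short_lattice_vectors(B_TAIL, N, 10)
    x0 = (N * 2 + inner(B_TAIL, (5, -3, 2)), 5, -3, 2)          # the lattice point B*(2,5,-3,2)
    points = [tuple(x0i + di for x0i, di in zip(x0, d)) for d in short]  # lattice points around x0
    w = dual_point(B_TAIL, N, 7, (1, 0, 0, 0))                  # a point of N L*
    assert dual_pairing_vanishes(points, w, N)
    assert fact6_holds(points, w, E_CLOSE, N) and fact6_holds(points, w, E_FAR, N)
    v_close = tuple(wi + ei for wi, ei in zip(w, E_CLOSE))
    v_far = tuple(wi + ei for wi, ei in zip(w, E_FAR))
    return phase_spread(points, v_close, N), phase_spread(points, v_far, N)


if __name__ == "__main__":
    close, far = demo()
    print("lattice points sampled:", len(short_lattice_vectors(B_TAIL, N, 10)))
    print("spread of <x,v>/N for v close to N L*: %.6f" % (close / N))
    print("spread of <x,v>/N for v far from  N L*: %.6f" % (far / N))
```

Because $\langle x_1 - x_2, w\rangle \in N\mathbb{Z}$ for lattice points $x_1, x_2$, the centred residue of $\langle x_1, v\rangle - \langle x_2, v\rangle$ modulo $N$ is exactly $\langle x_1 - x_2, e\rangle$, so the window that the phases $\langle x, v\rangle/N$ of one replica occupy scales with $\|e\| = \mathrm{dist}(v, NL^*)$: moving $v$ forty times further from $NL^*$ widens the window forty-fold. This is what forces the choice of $\varepsilon$ in Section 1.5.5, and why the a-priori closeness of $v$ to $NL^*$ cannot be dropped.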
Figure 5: The distribution of the inner product $\langle x, v\rangle / N$ in the interval $[-\varepsilon, \varepsilon]$. The deviation from uniform is negligible (statistical distance $O(1/s)$). The brackets sketch the relative deviation $\langle x_1 - x_2, v\rangle / N$ of the inner product between the furthermost lattice points in a ball containing almost all of the measure of a single replica of the discrete periodic sinc function, for $v$ near $NL^*$ (small spread) and far from $NL^*$ (large spread).

We parametrize the window range $\varepsilon$ of the measurement of $\langle x, v\rangle / N$ so that even when $v$ is at the maximal allowable distance from $NL^*$, i.e. $\mathrm{dist}(v, NL^*) = \lambda_1(NL^*)/\gamma_1$, the sampled replica is w.h.p. complete, up to negligible error. See Figure 5 for the measured interval and the typical spreads of the inner products in the YES/NO cases. To dwell on this point a little further: it is crucial for the algorithm that the input vector $v$ is a priori somewhat close to the lattice (i.e. at distance at most $(N/s)/\gamma_1$), so that reasonably adjacent lattice points $x_1, x_2$ have similar inner products with $v$. Otherwise we may lose control over whether we can filter a complete replica around some $y \in (NL^*)_N$ while simultaneously conditioning on $\langle x, v\rangle \in N[-\varepsilon, \varepsilon]$.

1.6 Discussion and Open Questions

In this study we present an algorithm that solves a gapped version of the decision version of the bounded-distance-decoding problem. To the best of our knowledge this problem has only exponential-time classical algorithms. We believe this is only a very initial step in what could be a much larger regime of quantum algorithms, and list here several of the numerous open problems that we believe to be of interest.

1.6.1 Cryptography

Lattice problems have received enormous attention in recent years, mainly because their algebraic structure has allowed constructions of cryptographic primitives, culminating in the Learning-with-Errors (LWE) encryption scheme of Regev [Reg09]. Our algorithm does not invalidate the security assumption of LWE against quantum attacks, yet. To do that, one would have to improve the algorithm to solve $\mathrm{gapBDD}_{\gamma_1,\gamma_2}$ for $\gamma_1 = \gamma_2 = \sqrt{n}$, which would make it equivalent to solving, say, $\mathrm{gapSVP}_{\tilde{O}(\sqrt{n})}$. We point out that even such an algorithm would not break LWE per se. To do that, one would have to find a quantum algorithm that solves the full version of gapCVP to within some polynomial factor. Such a task, we believe, would require adding new techniques to the ones suggested here; see the next item.
1.6.2 From gapBDD to gapCVP

Our algorithm falls short of solving the full version of gapped CVP, and requires the additional promise that the input vector is at least somewhat close to the lattice. We believe this is not an artifact of the proof but goes to the core of the scheme: we require, crucially, that adjacent lattice points have similar inner products with the vector $v$. That can only happen if $v$ is close to the dual lattice $NL^*$, the extreme case being $v \in NL^*$, where both inner products are $0$ modulo $N$ by definition. Removing the assumption on $v$ would hence entail a completely different scheme, we believe. As an additional example of this difference, we note that an instance of gapCVP, like that of gapBDD, also includes two numbers $a, b$ with $b/a = \mathrm{poly}(n)$, and we are asked to decide whether a vector is within distance at most $a$ or at least $b$ from $L$. Yet for gapBDD the knowledge that both of these numbers are some fixed fraction of $\lambda_1$ yields implicit information about the length of the shortest vector of the input lattice.

1.6.3 Quantum Implementation

Our main theorem states that our algorithm corresponds to a quantum circuit of size polynomial in the lattice dimension $n$. One can also ask whether the algorithm can be implemented in $O(\log n)$ depth. By the work of Cleve and Watrous [CW00], the Quantum Fourier Transform (and hence its $n$-fold tensor product) can be implemented in logarithmic depth up to inverse-polynomial error. The Hadamard test can be implemented in $O(1)$ depth, so the entire circuit can be implemented in $O(\log n)$ depth if the map $\Phi_3 : \mathbb{F}_N^n \to NL^*$ can be. The inner-product part of this map can clearly be parallelized to logarithmic depth, but we do not know how to implement the inversion modulo $N$ in $O(\log n)$ depth. Several works have shown that this can be done when $N = p^t$ for some small prime $p$. However, our algorithm crucially requires $N$ to be prime (see the next section), so it is not immediately clear how to do better than Euclid's algorithm, which is serial in nature.

1.6.4 Number-theoretic conjectures

Our algorithm, and specifically the reduction to SysNF, requires a certain assumption on the density of prime numbers. We assume the Generalized Riemann Hypothesis, in the form that every number $n$ has a prime between $n$ and $n + \log(n)$, to claim that the density of SysNF lattices, in terms of the mapping error $\|\sigma(x) - x\|$, is $O(\log(N)/N)$. Hence weaker density assumptions such as Bertrand-Chebyshev, which imply only linear density, would not suffice. We note, however, that one relaxation is possible: we do not crucially need $N$ to be prime, only that $1 + \sum_{i=2}^n b_i^2$ be invertible in the ring of integers modulo $N$. Can it be that, given this sum of squares and a number $N$, one can find $N'$ near $N$ for which this value has an inverse modulo $N'$? This would amount to a GRH-type statement for rings with an inverse for a specific value, and we are not aware that such statements exist. It would allow one to remove the GRH assumption, and possibly pave the way for improved depth complexity.

2 Preliminaries

2.1 Notation

The $n$-dimensional Euclidean space is denoted by $\mathbb{R}^n$. The Euclidean norm of a vector $x \in \mathbb{R}^n$ is $\|x\| = \sqrt{\sum_{i=1}^n x_i^2}$. A Euclidean lattice $L$ is written as $L = L(B)$, where $B$ is some basis of $L$. $N$ is used to denote a prime number, and $\mathbb{F}_N$ the prime field corresponding to $N$. When we write $\mathbb{F}_N$ as a set we refer to the numbers $\{(-N+1)/2, \ldots, (N-1)/2\}$, and $x \bmod N$ means the unique value $x' \in \mathbb{F}_N$ such that $x = x' + kN$ for an integer $k$.
We denote by $\Delta$ the statistical distance between distributions $(p, \Omega)$, $(q, \Omega)$, i.e. $\Delta(p, q) = \int_\Omega |p(x) - q(x)|\, dx$. Given a set $S$, $U(S)$ is the uniform distribution on $S$. For any $v \in \mathbb{R}^n$ define $\|v\|_\infty = \max_i |v_i|$. For a real number $s > 0$ and a vector $c \in \mathbb{R}^n$, $B_s(c)$ is the closed Euclidean ball of radius $s$ around $c$. For an integer $n$, $[n]$ stands for the index set $\{1, \ldots, n\}$. Given a set $S \subseteq \mathbb{R}^n$ and a vector $v \in \mathbb{R}^n$, we denote $\mathrm{dist}(v, S) := \min_{x \in S} \|v - x\|$. For a positive odd integer $M$, $[M]$ also denotes the $0$-centered interval of integers $\{-(M-1)/2, \ldots, (M-1)/2\}$. For functions $f, g$ we write $f(x) \propto g(x)$ if there exists a constant $c$ independent of $x$ such that $f(x) = c\, g(x)$.

2.2 Background on Lattices

We start by stating some standard facts about lattices.

Definition 2. Euclidean lattice. A Euclidean lattice $L \subseteq \mathbb{R}^n$ is the set of all integer linear combinations of a set of linearly independent vectors $b_1, \ldots, b_m \in \mathbb{R}^n$:
$$L = \Big\{ \sum_{i=1}^m z_i b_i : z_i \in \mathbb{Z} \Big\} \subseteq \mathbb{R}^n.$$
The set $\{b_i\}_{i=1}^m$ is called a basis of the lattice, and we write $L = L(B)$, where $B$ is the matrix whose columns are $b_1, \ldots, b_m$. In this paper we always assume that $L$ is full-dimensional, i.e. $m = n$. For a lattice $L = L(B)$, $\mathcal{P}(B)$ is the basic parallelotope of $L$ with respect to $B$:
$$\mathcal{P}(B) := \Big\{ v = \sum_{i \in [n]} x_i b_i : x_i \in [0, 1) \Big\}.$$
Sometimes it is more convenient to write $\mathcal{P}(L)$ when $B$ is clear from the context.

Definition 3. The dual lattice. The dual $L^*$ of a lattice $L = L(B)$ is the lattice generated by the columns of $B^{-T}$; equivalently, $L^* = \{ w \in \mathbb{R}^n : \langle w, x\rangle \in \mathbb{Z} \text{ for all } x \in L \}$.

Definition 4. Successive minima. Given a lattice $L$ of rank $n$, its successive minima $\lambda_i(L)$, $i \in [n]$, are defined by
$$\lambda_i(L) = \inf\{ r : \dim(\mathrm{span}(L \cap B_r(0))) \geq i \}.$$

Definition 5. Unimodular matrix. The group of unimodular matrices $GL_n(\mathbb{Z})$ is the set of $n \times n$ integer matrices with determinant $1$ or $-1$. Unimodular matrices preserve a lattice: $L(B) = L(B')$ if and only if $B' = BA$ for some unimodular matrix $A$.

Definition 6. The determinant of a lattice. For a lattice $L = L(B)$ we define $\det(L) = |\det(B)|$, and denote it by $N$.

The determinant of a lattice is well defined, since if $L(B') = L(B)$ then by the above $B' = BA$ for some unimodular $A$, in which case $|\det(B')| = |\det(B)| \cdot |\det(A)| = |\det(B)|$.

An integer lattice $L$ with $\det(L) = N$ is periodic modulo $N$: adding $N$ to any coordinate of a lattice point yields another lattice point (indeed $Ne_i = B \cdot (NB^{-1}e_i)$, and $NB^{-1} = \pm\mathrm{adj}(B)$ is an integer matrix). Thus a cube of side length $N$ contains a subset of the lattice that generates the whole lattice under translations by $N$ in any direction. We let $L_N$ denote the lattice restricted to a cube of side length $N$. In particular, if $L = L(B)$ is an integer lattice with $\det(L) = N$ for a prime $N$, then $L_N$ is a finite additive subgroup, or lattice, of $\mathbb{F}_N^n$:

Proposition 1. Let $\mathbb{F}_N^n$ denote the additive group of $n$-dimensional integer vectors with coordinate-wise addition modulo $N$. Then $L_N$ is an additive subgroup of $\mathbb{F}_N^n$ containing the point $0$. In particular $L_N$ is a lattice of $\mathbb{F}_N^n$, with $|L_N| = N^{n-1}$.
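Definitions 3 and 6 and Proposition 1 carried out with exact rational arithmetic. This is an added example, not the paper's code; it assumes a full-rank integer basis stored as the columns of a matrix given row by row (the SysNF basis (1) with $N = 7$, $b = (1, 2)$ is the constructed instance), and the helper names are invented.

```python
# Added worked example (not code from the paper): determinant, dual basis and the
# N-periodicity of an integer lattice (Definitions 3 and 6, Proposition 1), with exact arithmetic.
from fractions import Fraction


def inverse(M):
    """Exact inverse of a square matrix given as a list of rows, by Gauss-Jordan over Fractions."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            raise ValueError("matrix is singular: not a lattice basis")
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def determinant(M):
    """Exact determinant by Gaussian elimination over Fractions."""
    n = len(M)
    A = [[Fraction(x) for x in row] for row in M]
    det = Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            det = -det
        det *= A[col][col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return det


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def lattice_det(B):
    """det(L) = |det(B)| (Definition 6); B holds the basis vectors as its columns."""
    return abs(determinant(B))


def coordinates(B, t):
    """z with B z = t; t is a lattice point iff z is integral."""
    return matvec(inverse(B), t)


def in_lattice(B, t):
    return all(z.denominator == 1 for z in coordinates(B, t))


def dual_basis(B):
    """The columns of B^{-T} (Definition 3), i.e. the rows of B^{-1}, as a list of vectors."""
    return inverse(B)


def pairing_is_identity(B):
    """<b_i, b*_j> = delta_ij, hence <L, L*> is contained in Z."""
    n = len(B)
    cols = [[B[r][i] for r in range(n)] for i in range(n)]
    duals = dual_basis(B)
    return all(sum(x * y for x, y in zip(cols[i], duals[j])) == int(i == j)
               for i in range(n) for j in range(n))


def is_periodic_mod_det(B):
    """Proposition 1: for an integer basis, N e_i is a lattice point for every i, N = det(L);
    the reason is that N * B^{-1} = +-adj(B) is an integer matrix."""
    n = len(B)
    N = lattice_det(B)
    return all(in_lattice(B, [N if r == i else 0 for r in range(n)]) for i in range(n))


if __name__ == "__main__":
    # constructed example: the SysNF basis (1) with N = 7, b_2 = 1, b_3 = 2 (rows of the matrix)
    B = [[7, 1, 2],
         [0, 1, 0],
         [0, 0, 1]]
    print("det(L) =", lattice_det(B))
    print("dual basis vectors:", [[str(x) for x in d] for d in dual_basis(B)])
    print("N*e_i in L for all i:", is_periodic_mod_det(B),
          " (7,0,0) in L:", in_lattice(B, [7, 0, 0]), " (1,0,0) in L:", in_lattice(B, [1, 0, 0]))
```

For the SysNF instance the dual basis vectors are $(1/7, -1/7, -2/7)$, $(0, 1, 0)$, $(0, 0, 1)$, so $NL^*$ is generated by $N\mathbb{Z}^n$ together with $(1, -b_2, -b_3)$, and $7e_i \in L$ for every $i$, as Proposition 1 requires; $(1, 0, 0)$ is not a lattice point since its coordinate vector is $(1/7, 0, 0)$.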
A canonical representation of integer lattices is the Hermite normal form (HNF):

Definition 7 (Hermite Normal Form). An integer matrix $A \in \mathbb{Z}^{n \times n}$ is said to be in Hermite normal form (HNF) if $A$ is upper-triangular and $a_{i,i} > a_{i,j} \ge 0$ for all $j > i$ and all $i \in [n]$.

It is well known that every integer matrix can be efficiently transformed into HNF:

Fact 1 (Unique, efficiently computable Hermite normal form). For every full-rank integer matrix $A \in \mathbb{Z}^{n \times n}$ there exists a unique unimodular matrix $U \in GL_n(\mathbb{Z})$ such that $H = UA$ is in HNF. $U$ can be computed efficiently.

Definition 8 (Lattice covering radius). Let $L \subseteq \mathbb{R}^n$ be some lattice. The covering radius $\rho(L)$ of $L$ is the minimal number such that any $x \in \mathbb{R}^n$ is at distance at most $\rho(L)$ from $L$.

It is easy to check that the covering radius is controlled by the $n$-th minimum, up to polynomial factors:

Proposition 2. For any $L \subseteq \mathbb{R}^n$ we have $\rho(L) \le \lambda_n \sqrt{n}$.

The work of Banaszczyk [Ban93] established an important connection between the successive minima of a lattice and its dual:

Fact 2. For any lattice $L \subseteq \mathbb{R}^n$ we have, for all $i \in [n]$, $\lambda_i(L) \cdot \lambda_{n-i+1}(L^*) \le n$.

2.3 Lattice Problems

There are by now many different lattice problems that are not known to be equivalent. However, all of them can be stated as a variant of one of two major problems, namely the shortest-vector problem and the closest-vector problem:

Definition 9 (Closest-vector problem / Shortest-vector problem: CVP, SVP). The closest-vector problem is defined as follows: given a lattice $L = L(B)$ and a vector $v \in \mathbb{R}^n$, find a lattice vector $w$ for which $\|v - w\| = \mathrm{dist}(v, L)$. The shortest-vector problem is defined as follows: given $L = L(B)$, find a non-zero lattice vector of minimal length.

Since solving these problems exactly turned out to be NP-hard, it is natural to consider the approximate versions of these problems:

Definition 10 (Approximate shortest/closest-vector: CVP$_\gamma$, SVP$_\gamma$). The approximate closest-vector problem CVP$_\beta$ is the following problem: given a lattice $L$ and a vector $v \in \mathbb{R}^n$, return $w \in L$ such that $\mathrm{dist}(v, w) \le \beta \cdot \mathrm{dist}(v, L)$. Similarly, the approximate shortest-vector problem SVP$_\beta$ is the following problem: given a lattice $L$, find a vector $v \in L$, $v \ne 0$, such that $\|v\| \le \beta \lambda_1(L)$.

One can also think about decision versions of these problems, called gapCVP and gapSVP:

Definition 11 (Gapped approximate shortest/closest-vector: gapCVP$_{\beta,\gamma}$, gapSVP$_{\beta,\gamma}$). The gapped approximate closest-vector problem gapCVP$_{\beta,\gamma}$ is the following problem: given a lattice $L$ and a vector $v \in \mathbb{R}^n$, decide whether $\mathrm{dist}(v, L) \le \beta$ or $\mathrm{dist}(v, L) \ge \gamma\beta$. Similarly, the gapped approximate shortest-vector problem gapSVP$_{\beta,\gamma}$ is defined as follows: given a lattice $L$, decide whether $\lambda_1(L) \le \beta$ or $\lambda_1(L) \ge \gamma\beta$.

Often one would like to find a closest lattice vector to a point $v \in \mathbb{R}^n$, given that $v$ is close to $L$. This is called bounded-distance decoding, or BDD for short:

Definition 12 (Bounded-distance decoding: BDD$_\gamma$). Given a lattice $L \subseteq \mathbb{R}^n$ and $v \in \mathbb{R}^n$ such that $\mathrm{dist}(v, L) \le \lambda_1(L)/\gamma$, find a lattice vector closest to $v$.

In this paper we introduce a variant of a decision version of BDD, denoted gapBDD$_{\beta,\gamma}$, as defined above in Definition 1.
2.4 Fourier Transform and Lattices

Definition 13 (Fourier Transform / Inverse Fourier Transform). Let $L \subseteq \mathbb{R}^n$ be some lattice, and let $f$ be some function periodic in $P(L)$ of bounded $\ell_1$-norm. The Fourier transform on $L$ is defined as follows on each point of the dual lattice $L^*$:
$$\forall z \in L^*, \quad \mathcal{F}(z) = \frac{1}{\det(L)} \int_{P(L)} f(x)\, e^{-2\pi i \langle x, z \rangle}\, dx.$$
Likewise, we define the inverse Fourier transform as follows: let $f : L \to \mathbb{R}$ be some $\ell_1$-bounded function on $L$. Then
$$\forall x \in \mathbb{R}^n, \quad \mathcal{F}^{-1}(x) = \sum_{z \in L} f(z)\, e^{2\pi i \langle z, x \rangle}.$$
In particular, for any such function $f$ on $L$, its IFT $\mathcal{F}^{-1} f$ is periodic on $L^*$.

Definition 14 (Sinc-square transform pair). Let $\mathrm{sinc}_{1,a}(x)$ denote the function $\mathrm{sinc}_{1,a}(x) = \sin(x/a)/(x/a)$ for all $x \ne 0$, and $1$ otherwise. When defining sinc as a real function on $\mathbb{R}^n$ we refer to the product
$$\mathrm{sinc}_a(x) = \prod_{i=1}^n \mathrm{sinc}_{1,a}(x_i).$$
Similarly, let $\mathrm{sq}_{1,a}(x)$ denote the function which is $1$ whenever $|x| \le a$ and $0$ otherwise. We define
$$\mathrm{sq}_a(x) = \prod_{i=1}^n \mathrm{sq}_{1,a}(x_i).$$
We denote by $|\mathrm{sinc}_{L_N,s,0}\rangle$ the quantum state in which the amplitude of $x \in L_N$ is proportional to $\mathrm{sinc}_{s,0}(x)$. We denote by $|\mathrm{sq}_{L_N,s,0}\rangle$ the quantum state corresponding to the function $\mathrm{sq}_{s,0}$. The following fact is standard in the signal-processing literature:

Fact 3 (FT of sinc). The inverse Fourier transform of $\mathrm{sinc}_{1,s}$ is proportional to $\mathrm{sq}_{1,1/s}$, and hence the IFT of $\mathrm{sinc}_s$ is $\mathrm{sq}_{1/s}$.

2.5 Quantum Primitives

Definition 15 (Phase-shift, lattice-shift). Given a SysNF lattice $L$ and $v \in L_N$, define
Lattice-shift: $\forall x \in L_N$, $U_v |x\rangle = |(x + v) \bmod N\rangle$, and
Phase-shift: $\forall x \in L_N$, $W_v |x\rangle = e^{2\pi i \langle x, v \rangle / N} |x\rangle$.
It is easy to check that for every $v$ we have $U_v F_N^{\otimes n} = F_N^{\otimes n} W_v$.

Definition 16 (Discrete distributions on lattices). Let $f = f(s) : \mathbb{R}^n \to \mathbb{R}^+$ be some non-negative real-valued function on $\mathbb{R}^n$, parameterized by $s$. For a SysNF lattice $L$, $N = \det(L)$, the notation $f_{L,s,c}$ is the discrete distribution formed by sampling each $x \in L_N$ with probability proportional to a shifted version of $f(s)$:
$$\forall x \in L_N, \quad f_{L,s,c}(x) \propto f(s)(x - c).$$
Definition 17 (Quantum states on lattices). Let $f = f(s) : \mathbb{R}^n \to \mathbb{R}^+$ be some non-negative real-valued function on $\mathbb{R}^n$, parameterized by $s$. For a SysNF lattice $L$, $N = \det(L)$, the notation $|f_{L,s,c}\rangle$ denotes the quantum state
$$|f_{L,s,c}\rangle = \frac{1}{\sqrt{\|f_{L,s,c}\|^2(L)}} \sum_{x \in L_N} f(s)(x - c)\, |x\rangle, \qquad \text{where } \|f_{L,s,c}\|^2(L) = \sum_{x \in L_N} |f_{L,s,c}(x)|^2.$$

Definition 18 (The Quantum Fourier Transform). Let $N > 0$ be some integer. There exists an efficient quantum circuit that implements the following unitary map:
$$\forall x \in [N] : \quad |x\rangle \mapsto \frac{1}{\sqrt{N}} \sum_{z \in [N]} e^{2\pi i \langle x, z \rangle / N}\, |z\rangle.$$
One of the main pillars of quantum speed-up relies on an efficient quantum circuit implementation of the QFT, see e.g. [NC]:

Fact 4. One can efficiently compute, for any integer $N$, a description of a quantum circuit of size $\mathrm{poly}(n)$ that implements $F_N$.

Fact 5 (QFT of functions on $L$). Let $L = L(B)$ be a SysNF lattice, $N = \det(B)$. Let $f$ be some real-valued function supported on $\mathbb{F}_N^n$, and let $|f\rangle \propto \sum_{x \in L_N} f(x)\, |x\rangle$. Then
$$F_N^{\otimes n} |f\rangle \propto \sum_{z \in \mathbb{F}_N^n} (\mathcal{F}^{-1} f)(z/N)\, |z\rangle.$$

Proof. By definition of the $n$-fold tensor-product QFT, each $x \in L_N$ is mapped to a summation over all $z \in \mathbb{F}_N^n$ using the character of $x$: $e^{2\pi i \langle x, z \rangle / N}$. Hence by definition, for each $z \in \mathbb{F}_N^n$ the amplitude of $|z\rangle$ is proportional to
$$\sum_{x \in L_N} f(x)\, e^{2\pi i \langle x, z \rangle / N} = \sum_{x \in L_N} f(x)\, e^{2\pi i \langle x, z/N \rangle}.$$
By definition, the above is equal to $\mathcal{F}^{-1} f$ evaluated at the point $z/N$. $\square$

Definition 19 (The Hadamard Test). Let $U$ be some unitary map $U \in U(\mathcal{H})$, and let $|\psi\rangle \in \mathcal{H}$ be some quantum state. The Hadamard isometry $H_U$ w.r.t. $U$ is the following isometry $\mathcal{H} \to \mathcal{H}_{anc} \otimes \mathcal{H}$:
$$|\psi\rangle \mapsto \frac{1}{\sqrt{2}} \left( |0\rangle_{anc} |\psi\rangle + |1\rangle_{anc}\, U |\psi\rangle \right).$$
The Hadamard test on a state $|\psi\rangle$ is then defined as the application of $H_U$ to $|\psi\rangle$, followed by a measurement of $\mathcal{H}_{anc}$ in the Hadamard basis. The test succeeds if and only if the measured qubit is $|0\rangle$. The following fact is standard:

Proposition 3 (Success probability of the Hadamard test). Let $U$ be some unitary. Then the probability of measuring $|0\rangle$ in the ancilla system after applying $H_U$ to $|\psi\rangle$ is given by
$$P(\text{success}) = \frac{1}{2} \left( 1 + \mathrm{Re}\left( \langle \psi | U | \psi \rangle \right) \right).$$
3 The Systematic Normal Form (SysNF)

Definition 20 (Systematic Normal Form (SysNF)). A matrix $B$ is said to be in SysNF if $B_{i,i} = 1$ for all $i > 1$, $B_{1,1} = N$ where $N$ is a prime number, and in addition $B_{i,j} = 0$ for all $i > 1$ and all $j \ne i$. In addition,
$$1 + \sum_{i > 1} B_{1,i}^2 \ne 0 \pmod N.$$

This form is suggestively called systematic because for every $v \in L(B)$ the last $n-1$ coordinates are in fact the last $n-1$ coefficients of the vector under the basis $B$, which in error-correcting terminology can be considered as the message to be encoded by the matrix $B$. The following facts will be useful later on:

Proposition 4. If $B$ is in SysNF, then $N B^{-T}$, i.e. the matrix spanning the scaled dual of $L(B)$, assumes the following form:
$$N B^{-T} = \begin{pmatrix} 1 & & & & \\ -b_2 & N & & & \\ -b_3 & & N & & \\ \vdots & & & \ddots & \\ -b_n & & & & N \end{pmatrix}. \qquad (6)$$

Proposition 5. There are $N^{n-1}$ points of $L = L(B_{SysNF})$ in $\mathbb{F}_N^n$, and there are $N$ lattice points of $NL^*$ in that cube. Hence there are $N$ points of $\mathbb{F}_N^n$ inside $P(L)$, and $N^{n-1}$ points in $P(NL^*)$. Both $L$ and $NL^*$ are periodic in $N$, i.e. $N e_i \in L$ and $N e_i \in (NL^*)_N$ for every $i \in [n]$.

Claim 1 (Compute dual vector for any vector). There exists an efficiently computable bijection $\Phi_3 : \mathbb{F}_N^n / L_N \to (NL^*)_N$. In particular, for every $x \in \mathbb{F}_N^n$, $x + \Phi_3(x) \in L_N$.

Proof. Let $x \in \mathbb{F}_N^n$. We would like to find the unique $y = \Phi_3(x)$ for which $x + y \in L_N$. Each point $y \in (NL^*)_N$ is characterized uniquely by an element $a \in \mathbb{F}_N$ as follows:
$$y = (a,\ -b_2 a \bmod N,\ \dots,\ -b_n a \bmod N). \qquad (7)$$
Thus, to find $y$ we would like to solve the following vector equality over $a, z_2, \dots, z_n \in \mathbb{F}_N$:
$$(x_1, \dots, x_n)^T + (a,\ -b_2 a \bmod N,\ \dots,\ -b_n a \bmod N)^T = \left( \sum_{i=2}^n b_i z_i \bmod N,\ z_2, \dots, z_n \right)^T. \qquad (8)$$
Consider the first coordinate. We have
$$x_1 + a = \sum_{i=2}^n b_i z_i \pmod N. \qquad (9)$$
Substituting $z_i = x_i - a b_i \pmod N$ for all $i \ge 2$ into the above implies
$$x_1 - \sum_{i=2}^n x_i b_i = -a \left( \sum_{i=2}^n b_i^2 + 1 \right) \pmod N. \qquad (10)$$
Since $N$ is prime and the number $\sum_{i=2}^n b_i^2 + 1$ is not equal to $0 \pmod N$, it has an inverse modulo $N$.
Thus the parameter $a$ can be computed uniquely from the equation above, which implies that $y$ can be determined uniquely and efficiently. $\square$
3.1 Reduction to SysNF

In this section we provide an efficient reduction from an arbitrary lattice to a lattice in SysNF that preserves all important properties of the lattice. Specifically, it allows the reduction of any computational problem on an arbitrary lattice $L$ to another problem on a SysNF lattice $L_{SysNF}$, such that any solution to the reduced problem allows one to efficiently find a solution to the original problem on $L$.

Lemma 1 (Efficient reduction to SysNF). There exists an efficient algorithm that, for any $L = L(B)$ and numbers $a > 0$, $\varepsilon > 0$, computes a tuple $(B', \sigma, T)$, where $B'$ is in SysNF, $T = \mathrm{poly}(\det(B)/\varepsilon)$ is a positive integer, and $\sigma$ is a linear map $\sigma : L \to L(B')$ such that for any $v \in L$ we have $\|\sigma(v)/T - v\| \le \|v\| \varepsilon$.

The lemma above immediately implies that one can reduce standard lattice problems on an arbitrary lattice to the same problem on a lattice in SysNF, and then translate the output solution efficiently to a solution for the original lattice. For example:

Corollary 1 (Reducing lattice problems to SysNF). Let $L = L(B)$, and let $v$ be some vector. Let $(B', \sigma, T)$ denote the tuple returned by the SysNF reduction for parameter $\varepsilon$. Suppose that for some vector $v'$ and $\gamma$ we find $x' \in L'$ such that $\mathrm{dist}(v', x') \le \gamma \lambda_1(L')$. Then $x = \sigma^{-1}(x') \in L$, and in addition $\mathrm{dist}(x, v'/T) \le (\gamma + \varepsilon) \lambda_1(L)$.

3.2 Properties of the Systematic Normal Form

The next fact is central to the algorithm: it shows that if two lattice points are close, then their inner products with some vector $v$ are also very close, provided $v$ is close to the dual lattice:

Fact 6 (Smoothness of inner product). Let $L$ be some integer lattice, $N = \det(L)$, and let $x, y \in L_N$ be some lattice vectors and $v \in \mathbb{F}_N^n$, such that for some $c \le 1/2$ we have $\mathrm{dist}(v, NL^*) \cdot \|x - y\| \le Nc$. Then
$$\left| (\langle x, v \rangle - \langle y, v \rangle) \bmod N \right| \le Nc.$$

Proof. Write
$$(\langle x, v \rangle - \langle y, v \rangle) \bmod N = \langle x - y, v \rangle \bmod N, \qquad (11)$$
and $v = v' + \varepsilon$, where $v' \in (NL^*)_N$ and $\varepsilon$ is of minimal length. Then by assumption $\|x - y\| \cdot \|\varepsilon\| \le Nc$. Since $x, y \in L$ we have $x - y \in L$, hence $\langle x - y, v' \rangle = 0 \pmod N$.
Thus
$$\langle x - y, v \rangle \bmod N = \langle x - y, \varepsilon \rangle \bmod N, \qquad |\langle x - y, \varepsilon \rangle| \le \|x - y\| \cdot \|\varepsilon\|, \qquad (12)$$
where the inequality is by Cauchy-Schwarz. So by assumption
$$\left| (\langle x, v \rangle - \langle y, v \rangle) \bmod N \right| \le Nc. \qquad (13)$$
$\square$
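The following Python is an added worked example (not code from the paper): it builds a toy SysNF basis as in Definition 20, lists the points of the scaled dual $(NL^*)_N$ from Equation (7), implements the bijection $\Phi_3$ of Claim 1 by solving Equation (10) for $a$, and checks the two facts the proof of Fact 6 relies on, namely that $\langle x, y \rangle \equiv 0 \pmod N$ for $x \in L_N$, $y \in (NL^*)_N$, and the resulting Cauchy-Schwarz bound on the centered inner-product gap. The prime $N$, the entries $b_j$ and all function names are constructed for this illustration.

```python
"""Added worked example (not from the paper): a toy SysNF basis (Definition 20),
the points of the scaled dual N L^* (Proposition 4, Equation (7)), the bijection
Phi_3 of Claim 1 solved exactly as in Equation (10), and the two facts the
later analysis leans on: <x, y> = 0 (mod N) for x in L_N, y in (N L^*)_N (the
step used in the proof of Fact 6) and the resulting inner-product smoothness.
N and the entries b_j below are constructed toy values."""
from itertools import product
from math import sqrt
from typing import List

Vec = List[int]


def sysnf_basis(N: int, b: List[int]) -> List[Vec]:
    """Columns of a SysNF basis for n = len(b) + 1: b_1 = N e_1 and, for j >= 2,
    b_j = B[1][j] e_1 + e_j, so the only off-diagonal entries sit in row 1."""
    n = len(b) + 1
    cols = [[N] + [0] * (n - 1)]
    for j, bj in enumerate(b, start=1):
        col = [0] * n
        col[0], col[j] = bj % N, 1
        cols.append(col)
    return cols


def sysnf_ok(N: int, b: List[int]) -> bool:
    """Co-primality condition of Definition 20: 1 + sum_j b_j^2 != 0 (mod N)."""
    return (1 + sum(bj * bj for bj in b)) % N != 0


def in_lattice(x: Vec, N: int, b: List[int]) -> bool:
    """Membership in L_N: the last n-1 coordinates of a lattice point are its
    coefficients z_2..z_n ('the message'), so x is in L_N iff
    x_1 == sum_j b_j x_j (mod N); the coefficient z_1 is absorbed by N e_1."""
    return (x[0] - sum(bj * xj for bj, xj in zip(b, x[1:]))) % N == 0


def scaled_dual_point(a: int, N: int, b: List[int]) -> Vec:
    """Equation (7): the point of (N L^*)_N indexed by a in F_N."""
    return [a % N] + [(-bj * a) % N for bj in b]


def phi3(x: Vec, N: int, b: List[int]) -> Vec:
    """Claim 1: the unique y in (N L^*)_N with x + y in L_N.  Substituting
    z_i = x_i - a b_i into the first coordinate gives Equation (10):
        x_1 - sum_j b_j x_j == -a (1 + sum_j b_j^2)   (mod N)."""
    c = (1 + sum(bj * bj for bj in b)) % N
    if c == 0:
        raise ValueError("basis violates the SysNF condition of Definition 20")
    lhs = (x[0] - sum(bj * xj for bj, xj in zip(b, x[1:]))) % N
    a = (-lhs * pow(c, -1, N)) % N          # N is prime, so c is invertible
    return scaled_dual_point(a, N, b)


def check_claim1(N: int, b: List[int]) -> bool:
    """Exhaustive check for tiny parameters: x + phi3(x) lies in L_N for every
    x in F_N^n, phi3 reaches all N points of (N L^*)_N, and |L_N| = N^(n-1)
    (Proposition 5), i.e. phi3 is a bijection F_N^n / L_N -> (N L^*)_N."""
    n = len(b) + 1
    hit, lattice_size = set(), 0
    for x in product(range(N), repeat=n):
        lattice_size += in_lattice(list(x), N, b)
        y = phi3(list(x), N, b)
        if not in_lattice([(xi + yi) % N for xi, yi in zip(x, y)], N, b):
            return False
        hit.add(tuple(y))
    return len(hit) == N and lattice_size == N ** (n - 1)


def pairing_vanishes(N: int, b: List[int]) -> bool:
    """<x, y> == 0 (mod N) for every x in L_N and y in (N L^*)_N: this is why a
    lattice difference pairs trivially with a scaled-dual point in the proof
    of Fact 6."""
    n = len(b) + 1
    pts = [list(x) for x in product(range(N), repeat=n) if in_lattice(list(x), N, b)]
    duals = [scaled_dual_point(a, N, b) for a in range(N)]
    return all(sum(xi * yi for xi, yi in zip(x, y)) % N == 0
               for x in pts for y in duals)


def centered_mod(t: int, N: int) -> int:
    """Residue of t modulo N in the 0-centered interval [-(N-1)/2, (N-1)/2]."""
    r = t % N
    return r - N if r > (N - 1) // 2 else r


def fact6_gap(x1: Vec, x2: Vec, v: Vec, N: int) -> int:
    """(<x1, v> - <x2, v>) mod N, centered, as in Equation (11)."""
    return centered_mod(sum((p - q) * vi for p, q, vi in zip(x1, x2, v)), N)


def fact6_holds(x1: Vec, x2: Vec, y_dual: Vec, eps: Vec, N: int, b: List[int]) -> bool:
    """Fact 6 for v = y_dual + eps with y_dual in (N L^*)_N: the centered gap is
    bounded by ||x1 - x2|| * ||eps|| (Cauchy-Schwarz, Equation (12))."""
    assert in_lattice(x1, N, b) and in_lattice(x2, N, b)
    v = [yi + ei for yi, ei in zip(y_dual, eps)]
    bound = sqrt(sum((p - q) ** 2 for p, q in zip(x1, x2))) * sqrt(sum(e * e for e in eps))
    return abs(fact6_gap(x1, x2, v, N)) <= bound + 1e-9


if __name__ == "__main__":
    N, b = 7, [1, 2]                                  # constructed toy instance, n = 3
    print(sysnf_basis(N, b), phi3([3, 1, 0], N, b))   # phi3 -> [2, 5, 3]
    print(check_claim1(N, b), pairing_vanishes(N, b))
```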
4 An Efficient Quantum Algorithm for gapBDD$_{\gamma_1,\gamma_2}$

4.1 Algorithm for the dual SysNF lattice

In this section we show a quantum algorithm that, given a SysNF lattice $L$ and a vector $v$, can approximate the distance between $v$ and $NL^*$.

Algorithm 1.
Input $(B, u, s, \varepsilon)$: a SysNF basis $B$, $N = \det(B)$, a vector $u \in \mathbb{F}_N^n$, and a parameter $s = \mathrm{poly}(n)$.
Define the Hilbert space $\mathcal{H} = \mathcal{H}_a \otimes \mathcal{H}_b \otimes \mathcal{H}_c$, where each register has $\log(n)$ qubits. Define the interval $W_0 := [-\varepsilon, \varepsilon] \cdot N/(2\pi)$. Denote by $\{\Pi_v, I - \Pi_v\}$ the orthogonal projection onto the subspace of $\mathcal{H}_c$ where the value is in $W_0$, and its complement. Execute the following steps $N' = 40\pi\varepsilon^{-2}$ times, and accept if and only if the number of unsuccessful runs is at most $\log(n)$:

1. Sample $a \sim U[(NL^*)_N]$.
2. Generate an approximation of the quantum state $|\mathrm{sinc}_{\mathbb{F}_N^n,s,0}\rangle$ as $|\psi_0\rangle = |\phi_1\rangle \otimes \dots \otimes |\phi_n\rangle$, where each $|\phi_i\rangle$ is computed as $|\phi_i\rangle = F_N |N/s\rangle$, and $|N/s\rangle$ is the uniform superposition on the interval $[-N/(2s), N/(2s)] \subseteq \mathbb{F}_N$.
3. Apply the map $\Phi_3(x)$ unitarily: $|x\rangle_a |0\rangle_b \mapsto |x + \Phi_3(x)\rangle_a |\Phi_3(x)\rangle_b$; denote the result by $|\psi_1\rangle$.
4. For each $x$ on $\mathcal{H}_a$, write the inner product $\langle x, v + a \rangle$ to $\mathcal{H}_c$; denote the result by $|\psi_2\rangle$.
5. Measure $\mathcal{H}_b$ in the computational basis.
6. Measure $\mathcal{H}_c$ and post-select on the measurement collapsing to $\mathrm{im}(\Pi_v)$. Uncompute the register $\mathcal{H}_c$. Denote the state by $|\psi_3\rangle$.
7. Apply $F_N^{\otimes n}$ to $|\psi_3\rangle$; denote the result by $|\psi_4\rangle$.
8. Apply the Hadamard test $H_{U_{v+a}}$:
(a) Add an ancilla qubit in the initial state $|q_{anc}\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$.
(b) Apply a controlled version of $e^{-2\pi i \langle \Phi_3(x), v + a \rangle / N}\, U_{v+a}$ to $|\psi_4\rangle$, controlled by $q_{anc}$.
(c) Measure $q_{anc}$ in the Hadamard basis.
(d) Declare success if $q_{anc}$ is in state $|0\rangle$, and otherwise fail.

Lemma 2 (Algorithm 1 decides gapBDD$_{\gamma_1,\gamma_2}$ on the dual of a SysNF lattice). Fix a small constant $\alpha > 0$ as a parameter of the instance. Let $u$ be some vector in $\mathbb{F}_N^n$ and $B$ a SysNF matrix with $N = \det(B)$, $\lambda_1(L(B)) \ge n$. Fix the input parameters
$$a = \lambda_1(NL^*)/n^{3+2\alpha}, \qquad b = \lambda_1(NL^*)/n^{7+\alpha}, \qquad s = N\delta/(a\, n^{1+\alpha}), \qquad \varepsilon = n^{-1/2-\alpha}.$$
Upon input $(B, u, s, \varepsilon)$ the algorithm has the following behavior:
$$\text{YES}: \quad \mathrm{dist}(u, NL^*) \le b \ \implies\ P_{YES}(\text{accept}) \ge \tfrac{3}{8}\varepsilon^2, \quad \text{and}$$
$$\text{NO}: \quad \mathrm{dist}(u, NL^*) \in [a/2, a] \ \implies\ P_{NO}(\text{accept}) \le \delta \varepsilon^2 n^{-\alpha}/20.$$
4.2 Proof of Lemma 2

Parameters: define the following polynomials. Let $q_n = n$, $q_y = n^4 \varepsilon$, $p = n^{2+\alpha}$. Set $\delta = 1/(4\pi)$. Since $s = N\delta/(a\, n^{1+\alpha})$, we have $s = p\delta/\lambda_1$. Under the definition of the parameters above, we have:
$$\text{YES}: \quad \mathrm{dist}(u, NL^*) \le (N/s)\, \varepsilon\delta/q_y = b, \qquad (14)$$
$$\text{NO}: \quad \mathrm{dist}(u, NL^*) \in \left[ (N/s)\, \varepsilon\delta/(2q_n),\ (N/s)\, \varepsilon\delta/q_n \right] = [a/2, a]. \qquad (15)$$

Efficient Computation

Proposition 6. Algorithm 1 runs in polynomial time.

Proof. Consider the computational steps of the algorithm. Step 3: $\Phi_3$ is computed efficiently by Claim 1. Step 7 and Step 2: the $n$-fold tensor-product quantum Fourier transform $F_N^{\otimes n}$ is computed efficiently by taking $n$ copies of the one-dimensional QFT, each of which is efficiently computable by Fact 4. Next, it is sufficient to show that the algorithm post-selects w.h.p. in Step 6. Consider the initial quantum state, and let $\mathrm{sinc}^2(\mathbb{F}_N^n) = \sum_{x \in \mathbb{F}_N^n} \mathrm{sinc}_s^2(x)$. By construction, at Step 2 we can write it, up to exponentially small error, as
$$|\psi_0\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}}\, |\mathrm{sinc}_{\mathbb{F}_N^n,s,0}\rangle_a |0\rangle_b |0\rangle_c.$$
Then the state $|\psi_1\rangle$ is proportional to
$$|\psi_1\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}} \sum_{x \in \mathbb{F}_N^n} \mathrm{sinc}_{s,0}(x)\, |x + \Phi_3(x)\rangle_a |\Phi_3(x)\rangle_b |0\rangle_c.$$
Hence we can rewrite $|\psi_1\rangle$ as
$$|\psi_1\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}} \sum_{y \in (NL^*)_N,\ x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle_a |y\rangle_b |0\rangle_c,$$
and so
$$|\psi_2\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}} \sum_{y \in (NL^*)_N,\ x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle_a |y\rangle_b |\langle x, v + a \rangle\rangle_c. \qquad (16)$$
By Fact 10 the state $|\psi_2\rangle$ has projection at least $2\varepsilon - O(1/s)$ on lattice vectors $x$ for which $\langle x, v + a \rangle \in W_0$. Hence w.p. at least $1/(3\varepsilon)$ the orthogonal measurement $\{\Pi_v, I - \Pi_v\}$ collapses $|\psi_2\rangle$ onto $\mathrm{im}(\Pi_v)$. $\square$

Very Close Vectors Are Accepted

Proposition 7. Let $v$ be a vector, and suppose that $\mathrm{dist}(v, NL^*) \le (N/s)(\varepsilon\delta)/q_y$. Then w.p. at least $3\varepsilon^2/4$ the algorithm accepts.

Proof. Consider the state $|\psi_3\rangle$. By Equation (16) it is equal to
$$|\psi_3\rangle \propto \sum_{x \in L_N,\ \langle x, v \rangle \in W_0} \mathrm{sinc}_{s,y}(x)\, |x\rangle_a |y\rangle_b |0\rangle_c, \qquad y \in (NL^*)_N.$$
Since registers $b, c$ are constant from this point on, we will omit them from the representation. Consider the set of all lattice vectors $x \in L_N$ in tensor with a dual lattice point $y \in (NL^*)_N$ in the state $|\psi_3\rangle$ above. Let $t_1 = t_1(n) = n^2$ and $t_2 = t_2(n) = 3n^{-3}$ denote the multiplicative factors in Fact 7 such that the projection of $|\mathrm{sinc}_{\mathbb{F}_N^n,s,0}\rangle$ on $x \in \mathbb{F}_N^n$ with $\|x\| \le s\sqrt{n}$ is at least $1 - t_2$. For any $y \in (NL^*)_N$ and $x_1, x_2 \in B_{s t_1}(y) \cap L$ we have, by the assumption of the YES case,
$$\mathrm{dist}(v, NL^*) \cdot \|x_1 - x_2\| \le \frac{N\varepsilon\delta}{s\, q_y} \cdot 2 s t_1 = 2N(\varepsilon\delta) t_1 / q_y. \qquad (17)$$
This implies by Fact 6 that
$$\left| (\langle x_1, v \rangle - \langle x_2, v \rangle) \bmod N \right| \le 2N(\varepsilon\delta) t_1 / q_y. \qquad (18)$$
Since $q_y \ge 4\pi\delta t_1$, we can consider the following shrunk window: $W_1 := W_0 \cdot (1 - 4\pi\delta t_1/q_y)$. In addition, for any $y \in (NL^*)_N$ let $y_{cv} \in L_N$ denote a closest vector to $y$ in $L_N$: $y_{cv}(y) = \arg\min_{x \in L_N} \|y - x\|$. Suppose that $\langle y_{cv}, v \rangle \in W_1$. Then by Equation (18) and the triangle inequality,
$$\forall x \in B_{s t_1}(y) \cap L, \quad \langle x, v \rangle \in W_0. \qquad (19)$$
Let $D_2$ denote the classical probability distribution of measuring the registers of $|\psi_2\rangle$. By the concentration of measure of the $\mathrm{sinc}^2$ function in Fact 7 we have
$$P_{(x,y) \sim D_2}\left( x \in B_{s t_1}(y) \right) \ge 1 - t_2. \qquad (20)$$
Thus, together with Equation (19), and conditioned on $\langle y_{cv}, v \rangle \in W_1$, we can approximate the post-selected quantum state (on which we uncompute $\mathcal{H}_c$) by the sinc function centered at the dual-lattice point $y \in (NL^*)_N$:
$$|\psi_3\rangle \propto \sum_{x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle + E, \qquad \langle y_{cv}, v \rangle \in W_1, \quad \|E\|^2 \le t_2. \qquad (21)$$
We now upper bound the distance $\mathrm{dist}(y_{cv}, NL^*)$. We have $\|y - y_{cv}\| \le \rho(L) \le \lambda_n \sqrt{n} \le n\sqrt{n}\, \lambda_1 = s n^{1.5}/p$, where the first inequality is by definition, the second is by Proposition 2, and the third is by the transference Fact 2. Hence, by the triangle inequality, for any $x \in L_N$: $\|x - y_{cv}\| = \|x - y\| + O(s n^{1.5}/p)$. Hence, by Fact 8, $|\psi_3\rangle$ is at $\ell_2$-distance $O(t_2 + 8 n^{2.5} p^{-1/3} + \rho/s)$ from a state which is a sinc function centered at $y_{cv} \in L_N$:
$$|\psi_3\rangle \propto \sum_{x \in L_N} \mathrm{sinc}_{s,y_{cv}}(x)\, |x\rangle + E, \qquad \langle y_{cv}, v \rangle \in W_1, \quad \|E\|^2 = O(t_2 + 8 n^{2.5} p^{-1/3} + \rho/s). \qquad (22)$$
We shall disregard $E$ from now on to avoid clutter, and account for it at the end of the analysis.
Since $y_{cv} \in L_N$ we can express $|\psi_3\rangle$ as an approximately shifted origin-centered distribution on $L_N$ as follows:
$$|\psi_3\rangle = U_{y_{cv}} |\mathrm{sinc}_{L_N,s,0}\rangle, \qquad \langle y_{cv}, v \rangle \in W_1, \qquad (23)$$
and so
$$|\psi_4\rangle = F_N^{\otimes n} |\psi_3\rangle = F_N^{\otimes n} U_{y_{cv}} |\mathrm{sinc}_{L_N,s,0}\rangle. \qquad (24)$$
Hence, by the standard shift-phase DFT duality,
$$|\psi_4\rangle = F_N^{\otimes n} U_{y_{cv}} |\mathrm{sinc}_{L_N,s,0}\rangle = W_{y_{cv}} F_N^{\otimes n} |\mathrm{sinc}_{L_N,s,0}\rangle. \qquad (25)$$
Denote
$$F_N^{\otimes n} |\mathrm{sinc}_{L_N,s,0}\rangle = \sum_{x \in \mathbb{F}_N^n} g(x)\, |x\rangle. \qquad (26)$$
By Fact 5, $g$ is the $P(NL^*)$-periodic function
$$\forall x \in \mathbb{F}_N^n, \quad g(x) = \mathcal{F}^{-1}(\mathrm{sinc}_{L_N,s,0})(x/N), \qquad (27)$$
namely the IFT of $\mathrm{sinc}_{L_N,s,0}$ (the sinc function supported on $L_N$) evaluated at the point $x/N$. Since $s/N = 2^{-\Omega(n)}$, we have
$$g(x) = \mathcal{F}^{-1}(\mathrm{sinc}_{L,s,0} + E)(x/N), \qquad \sum_{x \in L} |E(x)|^2 = 2^{-\Omega(n)}. \qquad (28)$$
By Parseval's theorem then
$$g(x) = \mathcal{F}^{-1}(\mathrm{sinc}_{L,s,0})(x/N) + E'(x), \qquad (29)$$
where
$$\frac{1}{\det(P(NL^*))} \int_{P(NL^*)} |E'(x)|^2\, dx = 2^{-\Omega(n)}.$$
So by Fact 3,
$$\forall x \in P(NL^*), \quad g(x) = \mathrm{sq}_{1/s}(x/N) + E'(x) = \mathrm{sq}_{N/s}(x) + E'(x), \qquad (30)$$
which implies that, up to exponentially small error, we have
$$|\psi_4\rangle \propto W_{y_{cv}} \sum_{w \in NL^*} \sum_{x \in \mathbb{F}_N^n} \mathrm{sq}_{1/s,w}(x/N)\, |x\rangle \qquad (31)$$
$$= W_{y_{cv}} \sum_{w \in NL^*} \sum_{x \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w}(x)\, |x\rangle \qquad (32)$$
$$= \sum_{w \in NL^*} \sum_{x \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w}(x)\, e^{2\pi i \langle x, y_{cv} \rangle / N}\, |x\rangle. \qquad (33)$$
Consider the Hadamard test of Step 8 and the probability of sampling $0$ at the ancilla qubit. Since the value of the $\mathcal{H}_b$ register is $y$, the probability of acceptance is given by Proposition 3 in terms of
$$\mathrm{Re}\left( \langle \psi_4 |\, e^{-2\pi i \langle y, v + a \rangle / N}\, U_{v+a}\, | \psi_4 \rangle \right). \qquad (34)$$
We can write the argument of the real part $\mathrm{Re}(\cdot)$ as
$$e^{-2\pi i \langle y, v + a \rangle / N} \sum_{w_1, w_2 \in NL^*} \sum_{z \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w_1}(z)\, \mathrm{sq}_{N/s,w_2}(z + (v + a))\, e^{-2\pi i \langle z, y_{cv} \rangle / N}\, e^{2\pi i \langle z + (v + a), y_{cv} \rangle / N} \qquad (35)$$
$$= e^{2\pi i \langle v + a,\ y_{cv} - y \rangle / N} \sum_{w_1, w_2 \in NL^*} \sum_{z \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w_1}(z)\, \mathrm{sq}_{N/s,w_2}(z + (v + a)). \qquad (36)$$
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationFactoring integers with a quantum computer
Factoring integers with a quantum computer Andrew Childs Department of Combinatorics and Optimization and Institute for Quantum Computing University of Waterloo Eighth Canadian Summer School on Quantum
More informationLattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationQuantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem
Quantum Computing Lecture Notes, Extra Chapter Hidden Subgroup Problem Ronald de Wolf 1 Hidden Subgroup Problem 1.1 Group theory reminder A group G consists of a set of elements (which is usually denoted
More informationQUANTUM COMPUTATION AND LATTICE PROBLEMS
QUATUM COMPUTATIO AD LATTICE PROBLEMS ODED REGEV Abstract. We present the first explicit connection between quantum computation and lattice problems. amely, our main result is a solution to the Unique
More informationMath 121 Homework 5: Notes on Selected Problems
Math 121 Homework 5: Notes on Selected Problems 12.1.2. Let M be a module over the integral domain R. (a) Assume that M has rank n and that x 1,..., x n is any maximal set of linearly independent elements
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationarxiv: v1 [cs.ds] 2 Nov 2013
On the Lattice Isomorphism Problem Ishay Haviv Oded Regev arxiv:1311.0366v1 [cs.ds] 2 Nov 2013 Abstract We study the Lattice Isomorphism Problem (LIP), in which given two lattices L 1 and L 2 the goal
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.
More informationAn Introduction to Quantum Information and Applications
An Introduction to Quantum Information and Applications Iordanis Kerenidis CNRS LIAFA-Univ Paris-Diderot Quantum information and computation Quantum information and computation How is information encoded
More informationCourse 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra
Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra D. R. Wilkins Contents 3 Topics in Commutative Algebra 2 3.1 Rings and Fields......................... 2 3.2 Ideals...............................
More informationLimits on the Hardness of Lattice Problems in l p Norms
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 148 (2006) Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert 15 February, 2007 Abstract We show that several
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More information1 Fields and vector spaces
1 Fields and vector spaces In this section we revise some algebraic preliminaries and establish notation. 1.1 Division rings and fields A division ring, or skew field, is a structure F with two binary
More informationSpanning and Independence Properties of Finite Frames
Chapter 1 Spanning and Independence Properties of Finite Frames Peter G. Casazza and Darrin Speegle Abstract The fundamental notion of frame theory is redundancy. It is this property which makes frames
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationCommutative Banach algebras 79
8. Commutative Banach algebras In this chapter, we analyze commutative Banach algebras in greater detail. So we always assume that xy = yx for all x, y A here. Definition 8.1. Let A be a (commutative)
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationSPRING 2006 PRELIMINARY EXAMINATION SOLUTIONS
SPRING 006 PRELIMINARY EXAMINATION SOLUTIONS 1A. Let G be the subgroup of the free abelian group Z 4 consisting of all integer vectors (x, y, z, w) such that x + 3y + 5z + 7w = 0. (a) Determine a linearly
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationChapter 1. Preliminaries. The purpose of this chapter is to provide some basic background information. Linear Space. Hilbert Space.
Chapter 1 Preliminaries The purpose of this chapter is to provide some basic background information. Linear Space Hilbert Space Basic Principles 1 2 Preliminaries Linear Space The notion of linear space
More informationQuantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP
Quantum algorithms (CO 78, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP So far, we have considered the hidden subgroup problem in abelian groups.
More information1, for s = σ + it where σ, t R and σ > 1
DIRICHLET L-FUNCTIONS AND DEDEKIND ζ-functions FRIMPONG A. BAIDOO Abstract. We begin by introducing Dirichlet L-functions which we use to prove Dirichlet s theorem on arithmetic progressions. From there,
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationFundamental Domains, Lattice Density, and Minkowski Theorems
New York University, Fall 2013 Lattices, Convexity & Algorithms Lecture 3 Fundamental Domains, Lattice Density, and Minkowski Theorems Lecturers: D. Dadush, O. Regev Scribe: D. Dadush 1 Fundamental Parallelepiped
More informationLinear Algebra. Min Yan
Linear Algebra Min Yan January 2, 2018 2 Contents 1 Vector Space 7 1.1 Definition................................. 7 1.1.1 Axioms of Vector Space..................... 7 1.1.2 Consequence of Axiom......................
More informationFactoring on a Quantum Computer
Factoring on a Quantum Computer The Essence Shor s Algorithm Wolfgang Polak wp@pocs.com Thanks to: Eleanor Rieffel Fuji Xerox Palo Alto Laboratory Wolfgang Polak San Jose State University, 4-14-010 - p.
More informationQuantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity
Quantum Computing 1. Quantum States and Quantum Gates 2. Multiple Qubits and Entangled States 3. Quantum Gate Arrays 4. Quantum Parallelism 5. Examples of Quantum Algorithms 1. Grover s Unstructured Search
More informationExercises on chapter 1
Exercises on chapter 1 1. Let G be a group and H and K be subgroups. Let HK = {hk h H, k K}. (i) Prove that HK is a subgroup of G if and only if HK = KH. (ii) If either H or K is a normal subgroup of G
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More information0.2 Vector spaces. J.A.Beachy 1
J.A.Beachy 1 0.2 Vector spaces I m going to begin this section at a rather basic level, giving the definitions of a field and of a vector space in much that same detail as you would have met them in a
More informationDavid Hilbert was old and partly deaf in the nineteen thirties. Yet being a diligent
Chapter 5 ddddd dddddd dddddddd ddddddd dddddddd ddddddd Hilbert Space The Euclidean norm is special among all norms defined in R n for being induced by the Euclidean inner product (the dot product). A
More informationPh.D. Qualifying Exam: Algebra I
Ph.D. Qualifying Exam: Algebra I 1. Let F q be the finite field of order q. Let G = GL n (F q ), which is the group of n n invertible matrices with the entries in F q. Compute the order of the group G
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationLinear Cyclic Codes. Polynomial Word 1 + x + x x 4 + x 5 + x x + x
Coding Theory Massoud Malek Linear Cyclic Codes Polynomial and Words A polynomial of degree n over IK is a polynomial p(x) = a 0 + a 1 x + + a n 1 x n 1 + a n x n, where the coefficients a 0, a 1, a 2,,
More information