Lattice Basis Reduction Part 1: Concepts

Similar documents
Lattice Basis Reduction Part II: Algorithms

Application of the LLL Algorithm in Sphere Decoding

A Lattice Basis Reduction Algorithm

Integer Least Squares: Sphere Decoding and the LLL Algorithm

Applications of Lattices in Telecommunications

A Hybrid Method for Lattice Basis Reduction and. Applications

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

The Diagonal Reduction Algorithm Using Fast Givens

A Digital Signature Scheme based on CVP

HKZ and Minkowski Reduction Algorithms for Lattice-Reduction-Aided MIMO Detection

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Post-Quantum Cryptography

1 Shortest Vector Problem

Lattice Basis Reduction and the LLL Algorithm

Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems

A Delayed Size-reduction Technique for Speeding Up the LLL Algorithm

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Background: Lattices and the Learning-with-Errors problem

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio

Math 240 Calculus III

The Shortest Vector Problem (Lattice Reduction Algorithms)

Solving All Lattice Problems in Deterministic Single Exponential Time

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Communication Over MIMO Broadcast Channels Using Lattice-Basis Reduction 1

New Cryptosystem Using The CRT And The Jordan Normal Form

Dimension-Preserving Reductions Between Lattice Problems

Lattice Reduction of Modular, Convolution, and NTRU Lattices

COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective

Diophantine equations via weighted LLL algorithm

An algebraic perspective on integer sparse recovery

Hermite normal form: Computation and applications

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Partial LLL Reduction

1: Introduction to Lattices

Chapter 2:Determinants. Section 2.1: Determinants by cofactor expansion

COS 598D - Lattices. scribe: Srdjan Krstic

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

and the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Augmented Lattice Reduction for MIMO decoding

An intro to lattices and learning with errors

A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors

Some Sieving Algorithms for Lattice Problems

satisfying ( i ; j ) = ij Here ij = if i = j and 0 otherwise The idea to use lattices is the following Suppose we are given a lattice L and a point ~x

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Optimal Factorization in Lattice-Reduction-Aided and Integer-Forcing Linear Equalization

CSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio

Analyzing Blockwise Lattice Algorithms using Dynamical Systems

Notes for Lecture 15

Reduction of Smith Normal Form Transformation Matrices

An Efficient Optimal Algorithm for Integer-Forcing Linear MIMO Receivers Design

Tensor-based Trapdoors for CVP and their Application to Public Key Cryptography

9 Knapsack Cryptography

A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming

Citation Journal of Geodesy (2012), 86(1): 3.

New Conjectures in the Geometry of Numbers

Weaknesses in Ring-LWE

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Closest Point Search in Lattices

ANALYTICAL MATHEMATICS FOR APPLICATIONS 2018 LECTURE NOTES 3

CSC 2414 Lattices in Computer Science September 27, Lecture 4. An Efficient Algorithm for Integer Programming in constant dimensions

Computers and Mathematics with Applications

from Lattice Reduction Problems MIT - Laboratory for Computer Science November 12, 1996 Abstract

Computational complexity of lattice problems and cyclic lattices

Gentry s SWHE Scheme

Lattices, Cryptography, and NTRU. An introduction to lattice theory and the NTRU cryptosystem. Ahsan Z. Zahid

ELE/MCE 503 Linear Algebra Facts Fall 2018

BOUNDS FOR SOLID ANGLES OF LATTICES OF RANK THREE

Matrix Operations: Determinant

Last Time. Social Network Graphs Betweenness. Graph Laplacian. Girvan-Newman Algorithm. Spectral Bisection

Linear Algebra Massoud Malek

Components and change of basis

Lattice Cryptography

Classical hardness of Learning with Errors

Lattice Reduction Aided- Zero Forcing MIMO Detection using two Stage QR-Decomposition

Worksheet for Lecture 25 Section 6.4 Gram-Schmidt Process

Improving BDD cryptosystems in general lattices

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

2 cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternativ

CP3 REVISION LECTURES VECTORS AND MATRICES Lecture 1. Prof. N. Harnew University of Oxford TT 2013

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

Lecture 4 Orthonormal vectors and QR factorization

Short Vectors of Planar Lattices via Continued Fractions. Friedrich Eisenbrand Max-Planck-Institut für Informatik

Inverses. Stephen Boyd. EE103 Stanford University. October 28, 2017

BKZ 2.0: Better Lattice Security Estimates

Math 407: Linear Optimization

Lattice Reduction for Modular Knapsack

Lattice reduction is a powerful concept for solving diverse problems

Hermite Normal Forms and its Cryptographic Applications

Locally Dense Codes. Daniele Micciancio. August 26, 2013

Cryptanalysis via Lattice Techniques

Since the determinant of a diagonal matrix is the product of its diagonal elements it is trivial to see that det(a) = α 2. = max. A 1 x.

Gentry s Fully Homomorphic Encryption Scheme

CHAPTER 6. Direct Methods for Solving Linear Systems

A new attack on RSA with a composed decryption exponent

An Algorithmist s Toolkit Lecture 18

Hard Instances of Lattice Problems

A Lattice-Based Public-Key Cryptosystem

Lecture 5: CVP and Babai s Algorithm

Transcription:

Lattice Basis Reduction Part 1: Concepts Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca www.cas.mcmaster.ca/ qiao October 25, 2011, revised February 2012 Joint work with W. Zhang and Y. Wei, Fudan University

Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

An optimization problem Integer least squares (ILS) problem A: real, full column rank b: real min x Z n Ax b 2 2

Example A = [ 1 4 2 3 ] [ 0.4, b = 4 ]

Example A = [ 1 4 2 3 ] [ 0.4, b = 4 ]

A naive approach Solve for the real solution, then round it to its nearest integer. [ ] [ ] A 1 3.44 3 b = 0.96 1

A naive approach Solve for the real solution, then round it to its nearest integer. [ ] [ ] A 1 3.44 3 b = 0.96 1

A naive approach Solve for the real solution, then round it to its nearest integer. [ ] [ ] A 1 3.44 3 b = 0.96 1 Is this the ILS solution?

Lattices and Bases A brute force approach:

Lattices and Bases A brute force approach: The set L = {Az z Z n } is call the lattice generated by A. Basis: Formed by the columns of A (generator matrix).

Lattices and bases For a given lattice, its basis is not unique. [ ] 1 2 B = 2 1

Lattices and bases Two bases are related by AZ = B: [ 1 4 2 3 ] [ 1 2 0 1 ] [ ] 1 2 = 2 1 Z : Unimodular matrix, a nonsingular integer matrix whose inverse is also integer. (An integer matrix whose determinant is ±1.)

Lattices and bases Two bases are related by AZ = B: [ 1 4 2 3 ] [ 1 2 0 1 ] [ ] 1 2 = 2 1 Z : Unimodular matrix, a nonsingular integer matrix whose inverse is also integer. (An integer matrix whose determinant is ±1.) For any two generator matrices A and B of the same lattice, det(a) = det(b), called the determinant (volume) of the lattice.

Naive approach revisited B 1 b = [ 1.52 0.96 ] [ 2 1 ]

Naive approach revisited B 1 b = [ 1.52 0.96 ] [ 2 1 ] A closer (closest) lattice point (1.077 vs 1.166).

Naive approach revisited B 1 b = [ 1.52 0.96 ] [ 2 1 ] A closer (closest) lattice point (1.077 vs 1.166). Finding a closest vector (CVP) is an NP problem.

Lattice basis reduction Lattice basis reduction problem: Given a basis for a lattice, find a basis consisting of short vectors. Lattice basis reduction algorithm: Given a basis matrix A, compute a unimodular matrix Z that transforms the basis into a new basis matrix B = AZ whose column vectors (basis vectors) are short.

Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

Wireless communication Source signal (code) s, integer vector. Communication channel is represented by H, real/complex matrix. Noise is represented by v, real vector. The received signal y = Hs + v Given H and y, find s (decoding) using the naive approach called zero forcing (fast).

Wireless communication Source signal (code) s, integer vector. Communication channel is represented by H, real/complex matrix. Noise is represented by v, real vector. The received signal y = Hs + v Given H and y, find s (decoding) using the naive approach called zero forcing (fast). When H is reduced, we have better chance of recovering s (lattice aided decoding).

Cryptography Lattice based cryptosystems: GGH (Goldreich, Goldwasser, Halevi) public-key cryptosystem. Private key: A reduced basis matrix, e.g., diagonal, A. Public key: An ill-conditioned basis matrix B = AZ.

Cryptography Lattice based cryptosystems: GGH (Goldreich, Goldwasser, Halevi) public-key cryptosystem. Private key: A reduced basis matrix, e.g., diagonal, A. Public key: An ill-conditioned basis matrix B = AZ. Encrypt: e = Bc + v, c clear text, v noise. Decrypt: A 1 e Zc. (B 1 e gives wrong result.)

Cryptography Lattice based cryptosystems: GGH (Goldreich, Goldwasser, Halevi) public-key cryptosystem. Private key: A reduced basis matrix, e.g., diagonal, A. Public key: An ill-conditioned basis matrix B = AZ. Encrypt: e = Bc + v, c clear text, v noise. Decrypt: A 1 e Zc. (B 1 e gives wrong result.) Lattice basis reduction is an NP problem.

Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

Matrix representation Given a generator matrix A, compute the QRZ decomposition A = QRZ 1 Q: orthonormal columns, preserving vector length R: upper triangular Z : unimodular

Matrix representation Given a generator matrix A, compute the QRZ decomposition A = QRZ 1 Q: orthonormal columns, preserving vector length R: upper triangular Z : unimodular Thus QR is the QR decomposition of AZ, reduced (the columns of R or AZ are short).

Hermite reduction Hermite-reduced, also called size-reduced. Hermite, 1850. Hermite-reduced A lattice basis {b 1, b 2,..., b n } is called size-reduced if its QR decomposition satisfies r i,i 2 r i,j, for all 1 i < j n,

Hermite reduction Hermite-reduced, also called size-reduced. Hermite, 1850. Hermite-reduced A lattice basis {b 1, b 2,..., b n } is called size-reduced if its QR decomposition satisfies r i,i 2 r i,j, for all 1 i < j n, The off-diagonal of R is small.

HKZ reduction HKZ-reduced, strengthened Hermite-reduced. Korkine and Zolotarev, 1873. HKZ-reduced A lattice basis {b 1, b 2,..., b n } is called HKZ-reduced if it is size-reduced and for each trailing (n i + 1) (n i + 1), 1 i < n, submatrix of R in the QR decomposition, its first column is a shortest nonzero vector in the lattice generated by the submatrix.

HKZ reduction HKZ-reduced r i,i r i,i+1 r i,n r i+1,i+1 r i+1,n.... r n,n

LLL reduction LLL-reduced Lenstra, Lenstra, and Lovász, 1982 LLL-reduced A lattice basis {b 1, b 2,..., b n } is called LLL-reduced if it is size-reduced and R in the QR decomposition satisfies r 2 i+1,i+1 + r 2 i,i+1 ω r 2 i,i

HKZ and LLL HKZ-reduced and LLL-reduced r i,i r i,i+1 r i,n r i+1,i+1 r i+1,n.... r n,n

HKZ and LLL HKZ-reduced and LLL-reduced r i,i r i,i+1 r i,n r i+1,i+1 r i+1,n.... r n,n LLL-reduced is weaker than HKZ-reduced, HKZ-reduced implies LLL-reduced for any ω: 0;.25 < ω < 1.0 Easier to compute (fast). Practically, it produces reasonably short bases.

Minkowski minima Minkowski, 1891 Short vectors Minkowski minima We say that λ k, 1 k n, is the k-th successive minimum wrt a lattice if λ k is the lower bound of the radius λ of the sphere Bz 2 λ that contains k linearly independent lattice points.

Minkowski minima Minkowski, 1891 Short vectors Minkowski minima We say that λ k, 1 k n, is the k-th successive minimum wrt a lattice if λ k is the lower bound of the radius λ of the sphere Bz 2 λ that contains k linearly independent lattice points. λ 1 : the length of a shortest nonzero lattice vector b 1

Minkowski minima Minkowski, 1891 Short vectors Minkowski minima We say that λ k, 1 k n, is the k-th successive minimum wrt a lattice if λ k is the lower bound of the radius λ of the sphere Bz 2 λ that contains k linearly independent lattice points. λ 1 : the length of a shortest nonzero lattice vector b 1 Is there always a basis {b 1, b 2,..., b n } so that b i = λ i simultaneously?

Minkowski minima No. Consider a lattice formed by columns of 2 0 0 0 1 0 2 0 0 1 0 0 2 0 1 0 0 0 2 1 0 0 0 0 1 Minkowski minima λ 1 =... = λ 5 = 2..

Minkowski minima No. Consider a lattice formed by columns of 2 0 0 0 1 0 2 0 0 1 0 0 2 0 1 0 0 0 2 1 0 0 0 0 1 Minkowski minima λ 1 =... = λ 5 = 2.. The columns of 2I 5 do not form a basis for the lattice (determinants do not equal).

Minkowski reduction Minkowski-reduced A lattice basis {b 1, b 2,..., b n } is called Minkowski-reduced if for each b k, k = 1,..., n, b k 2 is the lower bound of the radius ρ of the sphere Bz 2 ρ that contains k lattice vectors that can be extended to a basis for the lattice.

Minkowski reduction Minkowski-reduced A lattice basis {b 1, b 2,..., b n } is called Minkowski-reduced if for each b k, k = 1,..., n, b k 2 is the lower bound of the radius ρ of the sphere Bz 2 ρ that contains k lattice vectors that can be extended to a basis for the lattice. Properties b i is a shortest nonzero vector in the sublattice generated by {b i, b i+1,..., b n }; λ 1 = b 1 2 b 2 2 b n 2 ; b i 2 λ i for 1 i n.

Minkowski reduction Another (weaker or equivalent?) notion Minkowski-reduced A lattice basis {b 1, b 2,..., b n } is called Minkowski-reduced if for each b i, i = 1, 2,...,n, its length b i 2 = min( ˆb i 2, ˆb i+1 2,..., ˆb n 2 ) over all sets {ˆb i, ˆb i+1,..., ˆb n } of lattice points such that {b 1, b 2,..., b i 1, ˆb i, ˆb i+1,..., ˆb n } form a basis for the lattice.

Minkowski reduction Another (weaker or equivalent?) notion Minkowski-reduced A lattice basis {b 1, b 2,..., b n } is called Minkowski-reduced if for each b i, i = 1, 2,...,n, its length b i 2 = min( ˆb i 2, ˆb i+1 2,..., ˆb n 2 ) over all sets {ˆb i, ˆb i+1,..., ˆb n } of lattice points such that {b 1, b 2,..., b i 1, ˆb i, ˆb i+1,..., ˆb n } form a basis for the lattice. In words, each b i, for i = 1, 2,...,n 1, is a shortest nonzero lattice vector such that {b 1, b 2,...,b i } can be extended to a basis for the lattice.

Outline 1 Introduction 2 Applications 3 Notions of Reduced Bases 4 Examples

Examples 1 1 2 1 2 0 1 1 2 0 0 1 HKZ, thus LLL, reduced, but not Minkowski-reduced.

Examples 1 1 2 1 2 0 1 1 2 0 0 1 HKZ, thus LLL, reduced, but not Minkowski-reduced. B = 1 1 2 0 0 1 1 2 0 0 1 = 1 1 2 1 2 0 1 1 2 0 0 1 Minkowski-reduced, also HKZ-reduced. 1 0 1 0 1 1 0 0 1

Examples 2 0 0 0 1 0 2 0 0 1 0 0 2 0 1 0 0 0 2 1 0 0 0 0 1 Minkowski-reduced, but not LLL-reduced for ω > 0.5, thus not HKZ-reduced.

Next talk Preview Algorithms for computing reduced bases.

Thank you!

Thank you! Questions?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback