Hard Instances of Lattice Problems

Similar documents
and the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

COS 598D - Lattices. scribe: Srdjan Krstic

Dimension-Preserving Reductions Between Lattice Problems

Some Sieving Algorithms for Lattice Problems

Solving All Lattice Problems in Deterministic Single Exponential Time

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

Background: Lattices and the Learning-with-Errors problem

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Lattice-based Cryptography

1 Shortest Vector Problem

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Simultaneous Diophantine Approximation with Excluded Primes. László Babai Daniel Štefankovič

CSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio

1: Introduction to Lattices

An intro to lattices and learning with errors

Reduction of Smith Normal Form Transformation Matrices

Dwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

Sub-Linear Root Detection for Sparse Polynomials Over Finite Fields

satisfying ( i ; j ) = ij Here ij = if i = j and 0 otherwise The idea to use lattices is the following Suppose we are given a lattice L and a point ~x

Solving Closest Vector Instances Using an Approximate Shortest Independent Vectors Oracle

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

On Approximating the Covering Radius and Finding Dense Lattice Subspaces

New Conjectures in the Geometry of Numbers

On Nearly Orthogonal Lattice Bases

Lecture 7 Limits on inapproximability

Hardness of the Covering Radius Problem on Lattices

Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices

The Shortest Vector Problem (Lattice Reduction Algorithms)

Locally Dense Codes. Daniele Micciancio. August 26, 2013

COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Lecture 5: CVP and Babai s Algorithm

Tensor-based Hardness of the Shortest Vector Problem to within Almost Polynomial Factors

From the shortest vector problem to the dihedral hidden subgroup problem

CSC 2414 Lattices in Computer Science September 27, Lecture 4. An Efficient Algorithm for Integer Programming in constant dimensions

A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio

Looking back at lattice-based cryptanalysis

Lattice-Based Cryptography

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Limits on the Hardness of Lattice Problems in l p Norms

Inapproximability Results for the Closest Vector Problem with Preprocessing over l Norm

Note on shortest and nearest lattice vectors

A Disaggregation Approach for Solving Linear Diophantine Equations 1

Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices

CSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio

Application of the LLL Algorithm in Sphere Decoding

CSC 2414 Lattices in Computer Science October 11, Lecture 5

A Digital Signature Scheme based on CVP

Diophantine equations via weighted LLL algorithm

9 Knapsack Cryptography

A Lattice-Based Public-Key Cryptosystem

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Lattice Reduction Algorithms: Theory and Practice

Cryptanalysis of the Quadratic Generator

Lattice Reduction for Modular Knapsack

Worst case complexity of the optimal LLL algorithm

New Lattice Based Cryptographic Constructions

Algorithms for ray class groups and Hilbert class fields

Solving the Shortest Lattice Vector Problem in Time n

Post-Quantum Cryptography

Improved Analysis of Kannan s Shortest Lattice Vector Algorithm

Isodual Reduction of Lattices

On Nearly Orthogonal Lattice Bases and Random Lattices

Lattice reduction for modular knapsack

Proving Hardness of LWE

Density of Ideal Lattices

Limits on the Hardness of Lattice Problems in l p Norms

Oded Regev Courant Institute, NYU

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

Noninteractive Statistical Zero-Knowledge Proofs for Lattice Problems

Implicit factorization of unbalanced RSA moduli

An Algorithmist s Toolkit Lecture 18

Short solutions for a linear Diophantine equation

Lattice Cryptography

Limits on the Hardness of Lattice Problems in l p Norms

Approximating-CVP to within Almost-Polynomial Factors is NP-Hard

Enumeration. Phong Nguyễn

The Euclidean Distortion of Flat Tori

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio

An Efficient and Parallel Gaussian Sampler for Lattices

Notes for Lecture 16

A new attack on RSA with a composed decryption exponent

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

arxiv: v1 [cs.ds] 2 Nov 2013

Lecture 2: Lattices and Bases

Classical hardness of the Learning with Errors problem

Lattice Basis Reduction Part 1: Concepts

Lattice Basis Reduction and the LLL Algorithm

On estimating the lattice security of NTRU

CS Topics in Cryptography January 28, Lecture 5

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Transcription:

Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012

Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection

Abstract Christos Litsas (NTUA) Average Case - Worst Case Connections 3/31

Hard Problems Already Exist All Time Classic Hard Problems NP-Complete problems Factorization Discrete Logarithm reduces to average case: log g2 t = (log g1 g 2 )(log g1 t) 1 Christos Litsas (NTUA) Average Case - Worst Case Connections 4/31

Hard Problems Already Exist All Time Classic Hard Problems NP-Complete problems Factorization Discrete Logarithm reduces to average case: log g2 t = (log g1 g 2 )(log g1 t) 1 Worst-Case Hardness Those problems are hard only under certain distributions. Often it is not clear how to find such a distribution. Christos Litsas (NTUA) Average Case - Worst Case Connections 4/31

One Step Further Worst-Case Vs. Average-Case Hardness A random class of lattices so that if the SVP is easy to solve then the above problems are easy in every lattice. Christos Litsas (NTUA) Average Case - Worst Case Connections 5/31

Lattices Christos Litsas (NTUA) Average Case - Worst Case Connections 6/31

Lattice Definition Definition Let B R m n, we consider the set L = {y : y = B x x Z 1 n }, that is the set of all integer linear combinations of B. We call every L with the above properties a lattice. Christos Litsas (NTUA) Average Case - Worst Case Connections 7/31

Lattices Figure: An example of a lattice and its basis. Christos Litsas (NTUA) Average Case - Worst Case Connections 8/31

Lattices Figure: A lattice has more than one bases. Christos Litsas (NTUA) Average Case - Worst Case Connections 9/31

Properties Multiplication by a unimodular matrix produces a new basis. Christos Litsas (NTUA) Average Case - Worst Case Connections 10/31

Properties Multiplication by a unimodular matrix produces a new basis. Infinite (countable) different bases. Christos Litsas (NTUA) Average Case - Worst Case Connections 10/31

Properties Multiplication by a unimodular matrix produces a new basis. Infinite (countable) different bases. The only part of a lattice that is known is the place where the basis vectors lie. Christos Litsas (NTUA) Average Case - Worst Case Connections 10/31

Fundamental Parallelepiped Definition Let L be a lattice, and let a basis for L is B = [b 1,..., b n ], b i are the column vectors of B, then we define the set n P(B) = {y : y = x i b i, x i [ 1 2, 1 )}. We call P(B) the 2 i=0 fundamental parallelepiped of L with respect to the basis B. Christos Litsas (NTUA) Average Case - Worst Case Connections 11/31

Mathematical Tools Equivalence relation, mod B. Christos Litsas (NTUA) Average Case - Worst Case Connections 12/31

Mathematical Tools Equivalence relation, mod B. Efficiently computable distinguished representatives as t B B 1 t. Christos Litsas (NTUA) Average Case - Worst Case Connections 12/31

Mathematical Tools Equivalence relation, mod B. Efficiently computable distinguished representatives as t B B 1 t. Partition of the space R n by multiplies of fundamental parallelepiped. Christos Litsas (NTUA) Average Case - Worst Case Connections 12/31

Lattice Problems & Solutions Classic Hard Problems P1 approximate SVP P2 approximate unique SVP P3 approximate SIVP (find a basis) Christos Litsas (NTUA) Average Case - Worst Case Connections 13/31

Lattice Problems & Solutions Classic Hard Problems P1 approximate SVP P2 approximate unique SVP P3 approximate SIVP (find a basis) Classic Algorithms and Bounds LLL Reduction Algorithm (2 n 1 2 sh(l) approximation). Babai s Nearest Plane Algorithm. Christos Litsas (NTUA) Average Case - Worst Case Connections 13/31

Lattice Problems & Solutions Classic Hard Problems P1 approximate SVP P2 approximate unique SVP P3 approximate SIVP (find a basis) Classic Algorithms and Bounds LLL Reduction Algorithm (2 n 1 2 sh(l) approximation). Babai s Nearest Plane Algorithm. Bounds Shor proved that in LLL the approximation factor can be replaced by (1 + ɛ) n. Minkowski (Convex Body Theorems) sh(l) c n det(l) 1 n Christos Litsas (NTUA) Average Case - Worst Case Connections 13/31

More on Lattices... Definition (Dual Lattice) Let L be a lattice, we define the dual lattice to be the set L = {y : x L x, y Z}. Christos Litsas (NTUA) Average Case - Worst Case Connections 14/31

More on Lattices... Definition (Dual Lattice) Let L be a lattice, we define the dual lattice to be the set L = {y : x L x, y Z}. Definition (Smoothing Parameter) For any n-dimensional lattice L and ɛ R +, we define its smoothing parameter η ɛ (L) to be the smallest s such that ρ 1/s (L \ {0}) ɛ. Christos Litsas (NTUA) Average Case - Worst Case Connections 14/31

Sampling Lemma For any s > 0, c R n and lattice L(B), the statistical distance between D s,c mod P(B) and the uniform distribution over P(B) is at most 1 2 ρ 1/s(L(B) \ {0}). In particular, for any ɛ > 0 and any s η ɛ (B), holds that (D s,c mod P(B), U(P(B))) ɛ/2 Christos Litsas (NTUA) Average Case - Worst Case Connections 15/31

The Random Class Christos Litsas (NTUA) Average Case - Worst Case Connections 16/31

Definition of L and Λ 1. L: q-ary lattice. 2. Λ: the perpendicular lattice of L. Christos Litsas (NTUA) Average Case - Worst Case Connections 17/31

Definition of L and Λ Symbols B = (u 1 : u 2 :... : u m ), u i Z n. Lattice: L(B, q) = {y : y = B x mod q, x Z 1 m } (L(B, q) Z n ). Perpendicular Lattice: Λ(B, q) = {y : y B 0 mod q} (Λ(B, q) Z n ). Parameters m = [c 1 n log n] q = [n c 2] Christos Litsas (NTUA) Average Case - Worst Case Connections 18/31

Our Goal Our Goal 1. Redefine the basis B so that if there is a PT algorithm that finds a shortest vector in Λ then it breaks P1, P2, P3 in any lattice. Christos Litsas (NTUA) Average Case - Worst Case Connections 19/31

First Step Substitute B by λ Define λ = (v 1,..., v m ), v i Z n q. Every v i is chosen independently and with uniform distribution from the set of all vectors in Z n q. Christos Litsas (NTUA) Average Case - Worst Case Connections 20/31

First Step Substitute B by λ Define λ = (v 1,..., v m ), v i Z n q. Every v i is chosen independently and with uniform distribution from the set of all vectors in Z n q. Simultaneous Diophantine Equations The problem of finding a SV in Λ(λ, q) is equivalent to solve a linear simultaneous Diophantine equation. Christos Litsas (NTUA) Average Case - Worst Case Connections 20/31

First Step Substitute B by λ Define λ = (v 1,..., v m ), v i Z n q. Every v i is chosen independently and with uniform distribution from the set of all vectors in Z n q. Simultaneous Diophantine Equations The problem of finding a SV in Λ(λ, q) is equivalent to solve a linear simultaneous Diophantine equation. Theorem (Dirichlet) If c 1 is sufficiently large with respect to c 2 then there is always a SV in Λ(λ, q) which is sorter than n. Christos Litsas (NTUA) Average Case - Worst Case Connections 20/31

Problem :-( Λ(λ, q) is Unknown to Everybody (Crypto Only) It seems that there is no way of constructing a shortest vector in Λ(λ, q). So we don t have a trapdoor! Christos Litsas (NTUA) Average Case - Worst Case Connections 21/31

Second Step Substitute λ by λ Define λ = (v 1,..., v m ), i {1,..., m 1}v i Z n q also v i is chosen independently and with uniform distribution from the set m 1 of all vectors in Z n q. We also define v m = δ i v i. Where δ i is i=1 a, randomly generated, sequence of 0 and 1 s. Christos Litsas (NTUA) Average Case - Worst Case Connections 22/31

Second Step Substitute λ by λ Define λ = (v 1,..., v m ), i {1,..., m 1}v i Z n q also v i is chosen independently and with uniform distribution from the set m 1 of all vectors in Z n q. We also define v m = δ i v i. Where δ i is i=1 a, randomly generated, sequence of 0 and 1 s. No Loss of Generality The distribution of λ is exponentially close to the uniform distribution. P(λ = x) 1 A 1, where A is the set of all 2cn x A possible values of λ. Christos Litsas (NTUA) Average Case - Worst Case Connections 22/31

Worst-Case - Average-Case Connection Christos Litsas (NTUA) Average Case - Worst Case Connections 23/31

Main Theorem Theorem There are absolute constants c 1, c 2, c 3 so that the following holds: Suppose that there is a PPT algorithm A which given a value of the random variable λ n,c1,c 2 as an input, with a probability of at least 1 2 outputs a nonzero vector of Λ(λ n,c 1,c 2, [n c 1]) of length at most n. Then, there is a PPT algorithm B with the following properties: If the linearly independent vectors a 1,..., a n Z n are given as an input then in polynomial time in size(a i ) gives the output 1 (d 1,..., d n ) so that with probability of greater than 1 2 size(a i ) (d 1,..., d n ) is a basis with max d i n c 3bl(L) Christos Litsas (NTUA) Average Case - Worst Case Connections 24/31

Main Tool for the Proof Easy Construction of a Basis There is a polynomial time algorithm that from a set of n linearly independent vectors r 1,..., r n L can construct a basis s 1,..., s n of L so that max s i n max r i Christos Litsas (NTUA) Average Case - Worst Case Connections 25/31

Main Tool for the Proof Easy Construction of a Basis There is a polynomial time algorithm that from a set of n linearly independent vectors r 1,..., r n L can construct a basis s 1,..., s n of L so that max s i n max r i Defining a new Goal Construct a set of n linearly independent vectors of L so that each of them is shorter than n c 3 1 bl(l). Christos Litsas (NTUA) Average Case - Worst Case Connections 25/31

Proof of Main Theorem Assume that we have the set of linearly independent vectors a 1,..., a n L. Let M = max a i Christos Litsas (NTUA) Average Case - Worst Case Connections 26/31

Proof of Main Theorem Assume that we have the set of linearly independent vectors a 1,..., a n L. Let M = max a i First Case (Trivial) If M n c 3 1 bl(l) we are done. Christos Litsas (NTUA) Average Case - Worst Case Connections 26/31

Proof of Main Theorem Assume that we have the set of linearly independent vectors a 1,..., a n L. Let M = max a i First Case (Trivial) If M n c 3 1 bl(l) we are done. Second Case (Hmmm...) If M > n c3 1 bl(l) we construct (?) a set of linearly independent vectors of b 1,..., b n L so that max b i M 2. Then we repeat the algorithm with input the set b 1,..., b n. After log 2 M 2 size(a i ) steps we get a set of linearly independent vectors where each of them is shorter than n c3 1 bl(l). Christos Litsas (NTUA) Average Case - Worst Case Connections 26/31

max b i M 2 1. Starting from the set a 1,..., a n L we construct a set of linearly independent vectors f 1,..., f n L so that max f i n 3 M and also the parallelepiped W = P(f 1,..., f n ) is very close to a cube. 2. We cut W into q n parallelepipeds each of the form ti q f i + 1 q W, where 0 t i < q is a sequence of integers. 3. We take a random sequence of lattice points ξ 1,..., ξ m, m = c 1 n log n from W. Let ξ j t (j) i q f i + 1 q W then we define v j = (t (j) 1,..., t(j) n ). 4. Apply A to the input λ = (v 1,..., v m ) and get a vector (h 1,..., h m ) Z n. 5. Then the vector h j (ξ j η j ) L and its length is at most M 2, where η j = t (j) i q f i. Christos Litsas (NTUA) Average Case - Worst Case Connections 27/31

References Christos Litsas (NTUA) Average Case - Worst Case Connections 28/31

References Miklos Ajtai (1996). Generating Hard Instances of Lattice Problems (Extended Abstract). STOC 96, pp. 99 108. Daniele Micciancio, Oded Regev (2005). Worst-case to Average-case Reductions based on Gaussian Measures. FOCS 04. Christos Litsas (NTUA) Average Case - Worst Case Connections 29/31

References Ravindran Kannan (1987). Algorithmic Geometry of Numbers. Annual Review of Comp. Sci, pp. 231 267 L. Babai (1986). On Lovasz lattice reduction and the nearest lattice point problem Proc. STACS 85, pp. 13 20. H.W. Lenstra, A.K. Lenstra, L. Lovasz (1982). Factoring polynomials with rational coefficients. Mathematische Annalen, pp. 515 534. Christos Litsas (NTUA) Average Case - Worst Case Connections 30/31

Thank you!!! Christos Litsas (NTUA) Average Case - Worst Case Connections 31/31

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback