Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Similar documents
COS 598D - Lattices. scribe: Srdjan Krstic

1 Shortest Vector Problem

Background: Lattices and the Learning-with-Errors problem

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Dimension-Preserving Reductions Between Lattice Problems

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Minkowski s theorem. Instructor: Daniele Micciancio

Lecture 5: CVP and Babai s Algorithm

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

Solving Hard Lattice Problems and the Security of Lattice-Based Cryptosystems

An intro to lattices and learning with errors

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Practical Analysis of Key Recovery Attack against Search-LWE Problem

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

1: Introduction to Lattices

Solving All Lattice Problems in Deterministic Single Exponential Time

Solving Closest Vector Instances Using an Approximate Shortest Independent Vectors Oracle

Hard Instances of Lattice Problems

Some Sieving Algorithms for Lattice Problems

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

An Algorithmist s Toolkit Lecture 18

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Notes for Lecture 15

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Classical hardness of the Learning with Errors problem

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio

Dwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP

CSE 206A: Lattice Algorithms and Applications Winter The dual lattice. Instructor: Daniele Micciancio

Classical hardness of Learning with Errors

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattice Cryptography

The Shortest Vector Problem (Lattice Reduction Algorithms)

Fundamental Domains, Lattice Density, and Minkowski Theorems

Weaknesses in Ring-LWE

Classical hardness of Learning with Errors

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Limits on the Hardness of Lattice Problems in l p Norms

Proving Hardness of LWE

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

Lattice Basis Reduction Part 1: Concepts

CSC 2414 Lattices in Computer Science September 27, Lecture 4. An Efficient Algorithm for Integer Programming in constant dimensions

Lattice-Based Cryptography

and the polynomial-time Turing p reduction from approximate CVP to SVP given in [10], the present authors obtained a n=2-approximation algorithm that

Hardness of the Covering Radius Problem on Lattices

Lecture 7 Limits on inapproximability

Lecture 2: Lattices and Bases

Limits on the Hardness of Lattice Problems in l p Norms

UNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.

Oded Regev Courant Institute, NYU

Cyclotomic Polynomials in Ring-LWE Homomorphic Encryption Schemes

Solving the Shortest Lattice Vector Problem in Time n

arxiv: v1 [cs.ds] 2 Nov 2013

Cryptanalysis via Lattice Techniques

Lattices, Cryptography, and NTRU. An introduction to lattice theory and the NTRU cryptosystem. Ahsan Z. Zahid

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

CSC 2414 Lattices in Computer Science October 11, Lecture 5

How to Factor N 1 and N 2 When p 1 = p 2 mod 2 t

A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors

Limits on the Hardness of Lattice Problems in l p Norms

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

Hardness and advantages of Module-SIS and Module-LWE

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Post-quantum key exchange for the Internet based on lattices

From the shortest vector problem to the dihedral hidden subgroup problem

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Faster Fully Homomorphic Encryption

Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

Lattice Basis Reduction and the LLL Algorithm

Solving the Closest Vector Problem in 2 n Time The Discrete Gaussian Strikes Again!

Sub-Linear Root Detection for Sparse Polynomials Over Finite Fields

New Conjectures in the Geometry of Numbers

Computational complexity of lattice problems and cyclic lattices

M4. Lecture 3. THE LLL ALGORITHM AND COPPERSMITH S METHOD

A Decade of Lattice Cryptography

Notes for Lecture 16

Application of the LLL Algorithm in Sphere Decoding

arxiv: v1 [quant-ph] 21 Nov 2016

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

New Lattice Based Cryptographic Constructions

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Tuple Lattice Sieving

9 Knapsack Cryptography

COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective

Computational and Statistical Learning Theory

Lattices Part II Dual Lattices, Fourier Transform, Smoothing Parameter, Public Key Encryption

Density of Ideal Lattices

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

Recovering Short Generators of Principal Ideals: Extensions and Open Problems

Additive Combinatorics Lecture 12

Structural Lattice Reduction: Generalized Worst-Case to Average-Case Reductions and Homomorphic Cryptosystems

A Digital Signature Scheme based on CVP

Worst case complexity of the optimal LLL algorithm

Estimation of the Hardness of the Learning with Errors Problem with a Given Number of Samples

Diophantine equations via weighted LLL algorithm

On the Asymptotic Complexity of Solving LWE

Solving BDD by Enumeration: An Update

Worksheet for Lecture 25 Section 6.4 Gram-Schmidt Process

Transcription:

Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18

Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b ) N = p q = 2 / 18

Lattice-Based Cryptography = 2 / 18

Lattice-Based Cryptography = Why? Simple description and implementation (Images courtesy xkcd.org) 2 / 18

Lattice-Based Cryptography = Why? Simple description and implementation Efficient: linear, highly parallel operations (Images courtesy xkcd.org) 2 / 18

Lattice-Based Cryptography = Why? Simple description and implementation Efficient: linear, highly parallel operations Resists quantum attacks (so far) (Images courtesy xkcd.org) 2 / 18

Lattice-Based Cryptography = Why? Simple description and implementation Efficient: linear, highly parallel operations Resists quantum attacks (so far) Security from worst-case assumptions [Ajtai96,... ] (Images courtesy xkcd.org) 2 / 18

Lattice-Based Cryptography = Why? Simple description and implementation Efficient: linear, highly parallel operations Resists quantum attacks (so far) Security from worst-case assumptions [Ajtai96,... ] Solutions to holy grail crypto problems [Gentry09,... ] (Images courtesy xkcd.org) 2 / 18

Part 1: Mathematical Background Coming up: 1 Definitions: lattice, basis, determinant, cosets, successive minima,... 2 Two simple bounds on the minimum distance. 3 / 18

Lattices Lattice L of dimension n: a discrete additive subgroup of R n. 4 / 18

Lattices Lattice L of dimension n: a discrete additive subgroup of R n. Additive subgroup: 0 L, and x, y L = x, x + y L. 4 / 18

Lattices Lattice L of dimension n: a discrete additive subgroup of R n. Additive subgroup: 0 L, and x, y L = x, x + y L. Discrete: for all x L, exists ε > 0 s.t. L Ball(x, ε) = {x}. 4 / 18

Lattices Lattice L of dimension n: a discrete additive subgroup of R n. Additive subgroup: 0 L, and x, y L = x, x + y L. Discrete: for all x L, exists ε > 0 s.t. L Ball(x, ε) = {x}. Lattices Not lattices {0}, Z R Q R 2Z, cz for any c R 2Z + 1 = {odd x Z} Z n R n Z + 2Z 3 2 1 0 1 2 3 4 / 18

Lattices Lattice L of dimension n: a discrete additive subgroup of R n. Additive subgroup: 0 L, and x, y L = x, x + y L. Discrete: for all x L, exists ε > 0 s.t. L Ball(x, ε) = {x}. Lattices Not lattices {0}, Z R Q R 2Z, cz for any c R 2Z + 1 = {odd x Z} Z n R n Z + 2Z 3 2 1 0 1 2 3 4 / 18

Lattices Lattice L of dimension n: a discrete additive subgroup of R n. Additive subgroup: 0 L, and x, y L = x, x + y L. Discrete: for all x L, exists ε > 0 s.t. L Ball(x, ε) = {x}. Lattices Not lattices {0}, Z R Q R 2Z, cz for any c R 2Z + 1 = {odd x Z} Z n R n Z + 2Z O 4 / 18

Lattices Lattice L of dimension n: a discrete additive subgroup of R n. Additive subgroup: 0 L, and x, y L = x, x + y L. Discrete: for all x L, exists ε > 0 s.t. L Ball(x, ε) = {x}. Lattices Not lattices {0}, Z R Q R 2Z, cz for any c R 2Z + 1 = {odd x Z} Z n R n Z + 2Z O 4 / 18

This Week: Only Full-Rank Integer Lattices Integer lattice: L Z n. (Essentially equivalent to rational lattice, by scaling.) 5 / 18

This Week: Only Full-Rank Integer Lattices Integer lattice: L Z n. (Essentially equivalent to rational lattice, by scaling.) Full-rank lattice: span(l) = R n. Equivalently, L has a set of n linearly independent vectors. 5 / 18

This Week: Only Full-Rank Integer Lattices Integer lattice: L Z n. (Essentially equivalent to rational lattice, by scaling.) Full-rank lattice: span(l) = R n. Equivalently, L has a set of n linearly independent vectors. Full rank Not full rank cz n, c 0 {0} (1, 1) Z + ( 1, 1) Z (1, 1) Z 5 / 18

This Week: Only Full-Rank Integer Lattices Integer lattice: L Z n. (Essentially equivalent to rational lattice, by scaling.) Full-rank lattice: span(l) = R n. Equivalently, L has a set of n linearly independent vectors. Full rank Not full rank cz n, c 0 {0} (1, 1) Z + ( 1, 1) Z (1, 1) Z 5 / 18

This Week: Only Full-Rank Integer Lattices Integer lattice: L Z n. (Essentially equivalent to rational lattice, by scaling.) Full-rank lattice: span(l) = R n. Equivalently, L has a set of n linearly independent vectors. Full rank Not full rank cz n, c 0 {0} (1, 1) Z + ( 1, 1) Z (1, 1) Z 5 / 18

Representing Lattices: Bases Basis of L: ordered set (i.e., matrix) B = (b 1, b 2,..., b n ) s.t. { n } L = L(B) = B Z n = c i b i : c i Z. The b i must be linearly ind., because span(l) = span(b) = R n. i=1 b 2 b 1 O 6 / 18

Representing Lattices: Bases Basis of L: ordered set (i.e., matrix) B = (b 1, b 2,..., b n ) s.t. { n } L = L(B) = B Z n = c i b i : c i Z. The b i must be linearly ind., because span(l) = span(b) = R n. The fundamental parallelepiped of basis B is P(B) = B [ 1 2, 1 2) n. i=1 b 2 b 1 O 6 / 18

Representing Lattices: Bases Basis of L: ordered set (i.e., matrix) B = (b 1, b 2,..., b n ) s.t. { n } L = L(B) = B Z n = c i b i : c i Z. The b i must be linearly ind., because span(l) = span(b) = R n. The fundamental parallelepiped of basis B is P(B) = B [ 1 2, 1 2) n. It tiles space: R n = v L(v + P(B)). i=1 b 2 b 1 O 6 / 18

Representing Lattices: Bases Basis of L: ordered set (i.e., matrix) B = (b 1, b 2,..., b n ) s.t. { n } L = L(B) = B Z n = c i b i : c i Z. The b i must be linearly ind., because span(l) = span(b) = R n. The fundamental parallelepiped of basis B is P(B) = B [ 1 2, 1 2) n. It tiles space: R n = v L(v + P(B)). A basis is not unique: BU is also a basis iff U Z n n, det(u) = ±1. i=1 b 1 O b 2 6 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. Determinant det(l) = Z n /L = det(b) = vol(p(b)), any basis B. 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. Determinant det(l) = Z n /L = det(b) = vol(p(b)), any basis B. For any basis B and v R n, (v + L) P(B) = { v}. Write v = v mod B, the distinguished representative of v + L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. Determinant det(l) = Z n /L = det(b) = vol(p(b)), any basis B. For any basis B and v R n, (v + L) P(B) = { v}. Write v = v mod B, the distinguished representative of v + L. v 7 / 18

Cosets and Determinant Quotient group Z n /L consists of cosets v + L: shifts of the lattice. Recall: v 1 + L = v 2 + L iff v 1 v 2 L. Determinant det(l) = Z n /L = det(b) = vol(p(b)), any basis B. For any basis B and v R n, (v + L) P(B) = { v}. Write v = v mod B, the distinguished representative of v + L. v 7 / 18

Successive Minima The minimum distance of L is λ 1 (L) = min v = min x y. 0 v L distinct x,y L b 1 b 2 λ 1 8 / 18

Successive Minima The minimum distance of L is λ 1 (L) = min v = min x y. 0 v L distinct x,y L More generally, the ith successive minimum (i = 1,..., n) is λ i (L) = min{r : L contains i linearly ind. vectors of length r} = min{r : dim(span(l B(r))) i}. b 1 λ 2 b 2 λ 1 8 / 18

Gram-Schmidt Orthogonalization and Lower Bounding λ 1 The GSO (or QR decomposition) of basis B is: b 1 B = QR = Q b 2...., Q orthonormal bn b 2 b 2 b 1 = b 1 9 / 18

Gram-Schmidt Orthogonalization and Lower Bounding λ 1 The GSO (or QR decomposition) of basis B is: b 1 B = QR = Q b 2...., Q orthonormal bn Facts: P( B) = B [ 1 2, 1 2 )n is a fund. region; det(l) = n i=1 b i. b 2 b 2 b 1 = b 1 9 / 18

Gram-Schmidt Orthogonalization and Lower Bounding λ 1 The GSO (or QR decomposition) of basis B is: b 1 B = QR = Q b 2...., Q orthonormal bn Facts: P( B) = B [ 1 2, 1 2 )n is a fund. region; det(l) = n i=1 b i. Fact: λ 1 (L) min b i. i b 2 b 2 b 1 = b 1 9 / 18

Gram-Schmidt Orthogonalization and Lower Bounding λ 1 The GSO (or QR decomposition) of basis B is: b 1 B = QR = Q b 2...., Q orthonormal bn Facts: P( B) = B [ 1 2, 1 2 )n is a fund. region; det(l) = n i=1 b i. Fact: λ 1 (L) min b i. Proof: consider Bc = Q(Rc) for c Z n. i b 2 b 2 b 1 = b 1 9 / 18

Upper Bounding λ 1 : Minkowski s Theorem Theorem Any convex, centrally symmetric body S of volume > 2 n det(l) contains a nonzero lattice point. Corollary: λ 1 (L) n det(l) 1/n. 10 / 18

Upper Bounding λ 1 : Minkowski s Theorem Theorem Any convex, centrally symmetric body S of volume > 2 n det(l) contains a nonzero lattice point. Corollary: λ 1 (L) n det(l) 1/n. Proof of Theorem 1 Let S = S/2, so vol(s ) > det(l). 10 / 18

Upper Bounding λ 1 : Minkowski s Theorem Theorem Any convex, centrally symmetric body S of volume > 2 n det(l) contains a nonzero lattice point. Corollary: λ 1 (L) n det(l) 1/n. Proof of Theorem 1 Let S = S/2, so vol(s ) > det(l). 2 By pigeonhole argument, distinct x, y S s.t. x y L. 10 / 18

Upper Bounding λ 1 : Minkowski s Theorem Theorem Any convex, centrally symmetric body S of volume > 2 n det(l) contains a nonzero lattice point. Corollary: λ 1 (L) n det(l) 1/n. Proof of Theorem 1 Let S = S/2, so vol(s ) > det(l). 2 By pigeonhole argument, distinct x, y S s.t. x y L. 3 Now 2x, 2y S by central symmetry, so x y S by convexity. 10 / 18

Upper Bounding λ 1 : Minkowski s Theorem Theorem Any convex, centrally symmetric body S of volume > 2 n det(l) contains a nonzero lattice point. Corollary: λ 1 (L) n det(l) 1/n. Proof of Theorem 1 Let S = S/2, so vol(s ) > det(l). 2 By pigeonhole argument, distinct x, y S s.t. x y L. 3 Now 2x, 2y S by central symmetry, so x y S by convexity. Proof of Corollary 1 Ball of radius > n det(l) 1/n is convex and centrally symmetric. 10 / 18

Upper Bounding λ 1 : Minkowski s Theorem Theorem Any convex, centrally symmetric body S of volume > 2 n det(l) contains a nonzero lattice point. Corollary: λ 1 (L) n det(l) 1/n. Proof of Theorem 1 Let S = S/2, so vol(s ) > det(l). 2 By pigeonhole argument, distinct x, y S s.t. x y L. 3 Now 2x, 2y S by central symmetry, so x y S by convexity. Proof of Corollary 1 Ball of radius > n det(l) 1/n is convex and centrally symmetric. 2 It contains a cube of side length > 2 det(l) 1/n, which has volume > 2 n det(l). 10 / 18

Part 2: Computational Background Lattices are a source of many seemingly hard problems: SVP, CVP, usvp, SIVP, BDD, CRP, DGS,... & decision variants. 11 / 18

Part 2: Computational Background Lattices are a source of many seemingly hard problems: SVP, CVP, usvp, SIVP, BDD, CRP, DGS,... & decision variants. We ll focus on the two most relevant to cryptography: the (approximate) Shortest Vector Problem (SVP γ and GapSVP γ ) and Bounded-Distance Decoding (BDD) problem. 11 / 18

Part 2: Computational Background Lattices are a source of many seemingly hard problems: SVP, CVP, usvp, SIVP, BDD, CRP, DGS,... & decision variants. We ll focus on the two most relevant to cryptography: the (approximate) Shortest Vector Problem (SVP γ and GapSVP γ ) and Bounded-Distance Decoding (BDD) problem. 1 They admit worst-case/average-case reductions (to SIS and LWE). 11 / 18

Part 2: Computational Background Lattices are a source of many seemingly hard problems: SVP, CVP, usvp, SIVP, BDD, CRP, DGS,... & decision variants. We ll focus on the two most relevant to cryptography: the (approximate) Shortest Vector Problem (SVP γ and GapSVP γ ) and Bounded-Distance Decoding (BDD) problem. 1 They admit worst-case/average-case reductions (to SIS and LWE). 2 Essentially all crypto schemes are based on versions of these problems. 11 / 18

Shortest Vector Problem: SVP γ and GapSVP γ Approximation problems with factor γ = γ(n): Search: given basis B, find nonzero v L s.t. v γ λ 1 (L). b 1 γ λ 1 b 2 λ 1 12 / 18

Shortest Vector Problem: SVP γ and GapSVP γ Approximation problems with factor γ = γ(n): Search: given basis B, find nonzero v L s.t. v γ λ 1 (L). Decision: given basis B and real d, decide between λ 1 (L) d versus λ 1 (L) > γ d. b 2 b 1 d γd 12 / 18

Shortest Vector Problem: SVP γ and GapSVP γ Approximation problems with factor γ = γ(n): Search: given basis B, find nonzero v L s.t. v γ λ 1 (L). Decision: given basis B and real d, decide between λ 1 (L) d versus λ 1 (L) > γ d. Clearly GapSVP γ SVP γ, but the reverse direction is open! b 2 b 1 d γd 12 / 18

Shortest Vector Problem: SVP γ and GapSVP γ Approximation problems with factor γ = γ(n): Search: given basis B, find nonzero v L s.t. v γ λ 1 (L). Decision: given basis B and real d, decide between λ 1 (L) d versus λ 1 (L) > γ d. Clearly GapSVP γ SVP γ, but the reverse direction is open! Recall: min b i λ 1 n det(l) 1/n, but these are often very loose. i b 2 b 1 d γd 12 / 18

Complexity of GapSVP Clearly, (Gap)SVP γ can only get easier as γ increases. 13 / 18

Complexity of GapSVP Clearly, (Gap)SVP γ can only get easier as γ increases. γ = 2 (log n)1 ɛ n n 2 n NP-hard [Ajtai 98,... ] NP conp [GG 98,AR 05] crypto [Ajtai 96,... ] SVP P [LLL 82,Schnorr 87] 13 / 18

Complexity of GapSVP Clearly, (Gap)SVP γ can only get easier as γ increases. γ = 2 (log n)1 ɛ n n 2 n NP-hard [Ajtai 98,... ] NP conp [GG 98,AR 05] crypto [Ajtai 96,... ] SVP P [LLL 82,Schnorr 87] For γ = poly(n), best algorithm is 2 n time & space [AKS 01,MV 10,... ] 13 / 18

Complexity of GapSVP Clearly, (Gap)SVP γ can only get easier as γ increases. γ = 2 (log n)1 ɛ n n 2 n NP-hard [Ajtai 98,... ] NP conp [GG 98,AR 05] crypto [Ajtai 96,... ] SVP P [LLL 82,Schnorr 87] For γ = poly(n), best algorithm is 2 n time & space [AKS 01,MV 10,... ] For γ = 2 k, best algorithm takes 2 n/k time [Schnorr 87,... ] E.g., γ = 2 n appears to be 2 n -hard. 13 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i In two dimensions: given basis B = (b 1, b 2 ), 1 Let b 2 b 2 c b 1 for the c Z s.t. b 2 b 2 + [ 1 2, 1 2 ) b 1. 2 If b 2 2 < 3 4 b 1 2, swap b 1 b 2 and loop. Else end. b 2 b 2 b 1 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i In two dimensions: given basis B = (b 1, b 2 ), 1 Let b 2 b 2 c b 1 for the c Z s.t. b 2 b 2 + [ 1 2, 1 2 ) b 1. 2 If b 2 2 < 3 4 b 1 2, swap b 1 b 2 and loop. Else end. b 2 b2 b 1 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i In two dimensions: given basis B = (b 1, b 2 ), 1 Let b 2 b 2 c b 1 for the c Z s.t. b 2 b 2 + [ 1 2, 1 2 ) b 1. 2 If b 2 2 < 3 4 b 1 2, swap b 1 b 2 and loop. Else end. b 2 b 1 b 2 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i In two dimensions: given basis B = (b 1, b 2 ), 1 Let b 2 b 2 c b 1 for the c Z s.t. b 2 b 2 + [ 1 2, 1 2 ) b 1. 2 If b 2 2 < 3 4 b 1 2, swap b 1 b 2 and loop. Else end. b2 b 2 b 1 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i In two dimensions: given basis B = (b 1, b 2 ), 1 Let b 2 b 2 c b 1 for the c Z s.t. b 2 b 2 + [ 1 2, 1 2 ) b 1. 2 If b 2 2 < 3 4 b 1 2, swap b 1 b 2 and loop. Else end. Claim 1: At end, b 2 2 1 2 b 1 2 (as desired). Proof: At end, 3 4 b 1 2 b 2 2 b 2 2 + 1 4 b 1 2. 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i In two dimensions: given basis B = (b 1, b 2 ), 1 Let b 2 b 2 c b 1 for the c Z s.t. b 2 b 2 + [ 1 2, 1 2 ) b 1. 2 If b 2 2 < 3 4 b 1 2, swap b 1 b 2 and loop. Else end. Claim 1: At end, b 2 2 1 2 b 1 2 (as desired). Proof: At end, 3 4 b 1 2 b 2 2 b 2 2 + 1 4 b 1 2. Claim 2: Algorithm terminates after poly( B ) many iterations. Proof: Define Φ(B) = b 1 2 b 2 = b 1 det(l). When we swap, Φ decreases by > 3 2 factor. It starts as 2 poly( B ) and cannot go below 1. 14 / 18

An Algorithm for SVP 2 (n 1)/2 [LLL 82] Key idea: manipulate basis to ensure b i+1 2 1 2 b i 2, for all i. This implies b 1 2 (n 1)/2 min b i 2 (n 1)/2 λ 1 (L). i In two dimensions: given basis B = (b 1, b 2 ), 1 Let b 2 b 2 c b 1 for the c Z s.t. b 2 b 2 + [ 1 2, 1 2 ) b 1. 2 If b 2 2 < 3 4 b 1 2, swap b 1 b 2 and loop. Else end. Claim 1: At end, b 2 2 1 2 b 1 2 (as desired). Proof: At end, 3 4 b 1 2 b 2 2 b 2 2 + 1 4 b 1 2. Claim 2: Algorithm terminates after poly( B ) many iterations. Proof: Define Φ(B) = b 1 2 b 2 = b 1 det(l). When we swap, Φ decreases by > 3 2 factor. It starts as 2 poly( B ) and cannot go below 1. LLL in n dimensions: do similar loop on all adjacent pairs b i, b i+1. 14 / 18

Related: Shortest Independent Vectors Problem (SIVP γ ) Given basis B, find lin. ind. v 1,..., v n L s.t. v i γ λ n (L). b 1 λ 2 γ λ 2 λ 1 b 2 15 / 18

Related: Shortest Independent Vectors Problem (SIVP γ ) Given basis B, find lin. ind. v 1,..., v n L s.t. v i γ λ n (L). LLL algorithm also solves SIVP 2 (n 1)/2. b 1 λ 2 γ λ 2 λ 1 b 2 15 / 18

Related: Shortest Independent Vectors Problem (SIVP γ ) Given basis B, find lin. ind. v 1,..., v n L s.t. v i γ λ n (L). LLL algorithm also solves SIVP 2 (n 1)/2. We know GapSVP γ SIVP γ, but the reverse direction is open! b 1 λ 2 γ λ 2 λ 1 b 2 15 / 18

Bounded-Distance Decoding (BDD) Search: given basis B, point t, and real d < λ 1 /2 s.t. dist(t, L) d, find the (unique) v L closest to t. t b 1 b 2 16 / 18

Bounded-Distance Decoding (BDD) Search: given basis B, point t, and real d < λ 1 /2 s.t. dist(t, L) d, find the (unique) v L closest to t. Equivalently, given coset t + L e s.t. e d, find e. b 1 t + L e b 2 16 / 18

Bounded-Distance Decoding (BDD) Search: given basis B, point t, and real d < λ 1 /2 s.t. dist(t, L) d, find the (unique) v L closest to t. Equivalently, given coset t + L e s.t. e d, find e. Decision: given basis B, coset t + L, and real d, decide between dist(0, t + L) d versus > γ d. b 1 t + L b 2 16 / 18

Bounded-Distance Decoding (BDD) Search: given basis B, point t, and real d < λ 1 /2 s.t. dist(t, L) d, find the (unique) v L closest to t. Equivalently, given coset t + L e s.t. e d, find e. Decision: given basis B, coset t + L, and real d, decide between dist(0, t + L) d versus > γ d. b 1 t + L b 2 16 / 18

Algorithms for BDD [Babai 86] Round off: Using a good basis B, output e = t mod B. Works if Ball(d) P(B): radius d = min b i /2. i b 1 b 1 b 2 b 2 17 / 18

Algorithms for BDD [Babai 86] Round off: Using a good basis B, output e = t mod B. Works if Ball(d) P(B): radius d = min b i /2. i Nearest plane: Output e = t mod B. Proceeds iteratively. Works if Ball(d) P( B): radius d = min b i /2. i b 1 b 2 b 2 17 / 18

Wrapping Up Now you know (almost) everything you need to know about lattices (to do cryptography, at least). We ve covered a lot: do the exercises to reinforce your understanding! Tomorrow: the cryptographic problems SIS and LWE (as SVP and BDD variants), and some basic applications. 18 / 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback