On the Quantitative Hardness of CVP. Huck Bennett, Alexander Golovnev, Noah Stephens-Davidowitz. NYCAC 2017
Outline ■ Closest Vector Problem ■ Applications ■ Hardness ■ Isolating Parallelepipeds
The Closest Vector Problem
Lattice ■ A lattice $L$ is the set of all integer combinations of linearly independent basis vectors $\vec b_1, \dots, \vec b_n \in \mathbb{R}^d$: $L = L(\vec b_1, \dots, \vec b_n) := \{ \sum_{i=1}^{n} z_i \vec b_i : z_i \in \mathbb{Z} \}$ ■ $n$ is the rank of $L$, $d$ is the (ambient) dimension
Lattice. Example (figure: basis vectors $\vec b_1$, $\vec b_2$; lattice points $\vec b_1 + \vec b_2$ and $2\vec b_1 + \vec b_2$; a target point $\vec t$ lying off the lattice)
Closest Vector Problem ■ Given a basis for a lattice $L \subset \mathbb{R}^d$ and a target $\vec t \in \mathbb{R}^d$, compute the distance from $\vec t$ to $L$ ■ Distance is defined in terms of the $\ell_p$ norm; for $1 \le p < \infty$: $\|\vec x\|_p := (|x_1|^p + |x_2|^p + \cdots + |x_d|^p)^{1/p}$; for $p = \infty$: $\|\vec x\|_\infty := \max_{1 \le i \le d} |x_i|$ ■ $\mathrm{CVP}_p$: Closest Vector Problem in the $\ell_p$ norm
Applications
Applications ■ Factoring polynomials over the rationals [LLL'82] ■ Integer Programming [Len83,Kan87,DPV11] ■ Cryptanalysis [Odl90,JS98,NS01]
Lattice-Based Cryptography ■ Conjectured Quantum Security ■ Efficiency, Parallelism, Simplicity ■ Worst-Case Hardness Proofs ■ Powerful Cryptography: FHE, ABE ■ About to be Deployed
Real Life Cryptography
Hardness
Hardness of CVP ■ $\mathrm{CVP}_p$ is NP-hard for every $1 \le p \le \infty$ [vEB81] ■ $\mathrm{CVP}_2$ can be solved in $2^{n + o(n)}$ time [ADS15] ■ Cryptographic applications require quantitative hardness of CVP [ADPS16,BCD+16,NIS16]: a $2^{n/20}$-time algorithm would break these schemes in practice
$k$-SAT ■ $(x_1 \vee \neg x_2 \vee \dots \vee x_k) \wedge \dots \wedge (x_7 \vee \neg x_4 \vee \dots \vee x_3)$ ■ $n$ Boolean vars, $m$ clauses, clause length $\le k$ ■ SETH [IP99]. There exists a constant $k$: no algorithm solves $k$-SAT in $2^{0.99 n}$ time ■ Goal: Reduce $k$-SAT on $n$ vars to CVP on a rank-$n$ lattice
A Very Special Case: 2-SAT. The columns labelled $x_1, \dots, x_n$ are the basis vectors of the lattice; the last column is the target $\vec t$. Each of the first $n$ rows belongs to a variable, each of the last $m$ rows to a clause.

                          x_1   x_2   ...   x_{n-1}  x_n  |  t
  x_1                     2α    0     ...   0        0    |  α
  x_2                     0     2α    ...   0        0    |  α
  ...                                 ...                 |  ...
  x_n                     0     0     ...   0        2α   |  α
  C_1 = (x_1 ∨ x_2)       2     2     ...   0        0    |  3
  C_2 = (x_1 ∨ x_n)       2     0     ...   0        2    |  3
  ...                                 ...                 |  ...
  C_m = (x_{n-1} ∨ x_n)   0     0     ...   2        2    |  3

A Very Special Case: 2-SAT. Proof ■ $\alpha$ is very large ■ If $\vec x \in \{0,1\}^n$, the first $n$ coordinates contribute $n\alpha^p$ to the distance (measured as $\|\cdot\|_p^p$) ■ If $\vec x \notin \{0,1\}^n$, the distance is $\ge (n+1)\alpha^p$ ■ For $\vec x \in \{0,1\}^n$: a satisfied clause contributes 1 to the distance, an unsatisfied clause contributes $3^p > 1$
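The lattice and $\mathrm{CVP}_p$ definitions from the earlier slides and the 2-SAT gadget above, as an added worked example (this is not code from the slides or from the authors' paper). It builds the basis and target exactly as in the matrix, solves CVP by brute-force enumeration of small coefficient vectors (fine for tiny instances, exponential in general), and checks the claimed threshold: the formula is satisfiable iff the minimal $\|B\vec x - \vec t\|_p^p$ equals $n\alpha^p + m$. Two things are my own assumptions and go beyond the slide: clauses are given as DIMACS-style signed integers, and a negated literal is encoded by a $-2$ entry with the clause's target shifted by $-2$, so a clause row still evaluates to $2 \cdot (\text{number of true literals}) - 3$ at a 0/1 assignment.

```python
# Added example (not from the slides): the 2-SAT -> CVP_p gadget checked by brute
# force on tiny instances. Clauses use DIMACS-style literals: +i means x_i,
# -i means (not x_i), i = 1..n. Negative literals are an extension of the slide's
# matrix (a -2 entry and a shifted target); the slide itself shows only positive ones.
from itertools import product


def lp_dist_p(u, v, p):
    """Return ||u - v||_p^p for an integer p >= 1 (exact integer arithmetic),
    or max_i |u_i - v_i| when p == "inf"."""
    diffs = [abs(a - b) for a, b in zip(u, v)]
    if p == "inf":
        return max(diffs)
    return sum(d ** p for d in diffs)


def lattice_point(basis, z):
    """The lattice vector sum_i z_i * b_i; basis is a list of n vectors in Z^d."""
    d = len(basis[0])
    return tuple(sum(z[i] * basis[i][j] for i in range(len(basis))) for j in range(d))


def cvp_bruteforce(basis, target, p, bound):
    """Exact CVP_p by enumerating every coefficient vector z in [-bound, bound]^n.
    Exponential in n, so for demonstration only. Returns (distance^p, z)."""
    best = None
    for z in product(range(-bound, bound + 1), repeat=len(basis)):
        dp = lp_dist_p(lattice_point(basis, z), target, p)
        if best is None or dp < best[0]:
            best = (dp, z)
    return best


def reduce_2sat_to_cvp(n, clauses, alpha):
    """Build (basis, target) following the slide's matrix. Basis vector i is the
    column labelled x_i: 2*alpha in row i, then +2 (or -2 for a negated literal,
    my extension) in the row of each clause mentioning x_i. Target: alpha in the
    n variable rows and 3 - 2*(number of negative literals) in each clause row."""
    m = len(clauses)
    basis = []
    for i in range(1, n + 1):
        col = [0] * (n + m)
        col[i - 1] = 2 * alpha
        for j, clause in enumerate(clauses):
            for lit in clause:
                if abs(lit) == i:
                    col[n + j] += 2 if lit > 0 else -2
        basis.append(tuple(col))
    target = [alpha] * n + [3 - 2 * sum(1 for lit in c if lit < 0) for c in clauses]
    return basis, tuple(target)


def assignment_satisfies(x, clauses):
    """x is a 0/1 tuple indexed by variable (x[i-1] is the value of x_i)."""
    return all(any((x[abs(lit) - 1] == 1) == (lit > 0) for lit in c) for c in clauses)


def sat_bruteforce(n, clauses):
    """Plain truth-table check, used only to cross-validate the reduction."""
    return any(assignment_satisfies(x, clauses) for x in product((0, 1), repeat=n))


def sat_via_cvp(n, clauses, alpha=100, p=2, bound=2):
    """Decide 2-SAT through CVP_p (integer p only). A 0/1 assignment costs exactly
    alpha^p per variable row, 1 per satisfied clause and 3^p > 1 per unsatisfied
    clause; any non-0/1 coefficient vector costs at least (n+1)*alpha^p, which
    exceeds n*alpha^p + m whenever alpha^p > m. So the formula is satisfiable
    iff the minimal distance^p equals n*alpha^p + m. Returns (sat, dist^p, z)."""
    basis, target = reduce_2sat_to_cvp(n, clauses, alpha)
    dp, z = cvp_bruteforce(basis, target, p, bound)
    return dp == n * alpha ** p + len(clauses), dp, z


if __name__ == "__main__":
    # Constructed sample instances (not from the slides).
    satisfiable = [[1, 2], [-1, 3], [-2, -3]]
    unsatisfiable = [[1, 2], [-1, 2], [1, -2], [-1, -2]]
    print(sat_via_cvp(3, satisfiable))      # (True, 30003, <a satisfying 0/1 vector>)
    print(sat_via_cvp(2, unsatisfiable))    # (False, 20012, ...)
```

The threshold argument relies on $p$-th powers, so `sat_via_cvp` takes an integer $p$; `lp_dist_p` and `cvp_bruteforce` also accept `"inf"` to illustrate the $\ell_\infty$ definition, but the gadget's counting of satisfied clauses does not carry over to that norm. The `bound` parameter only needs to be $\ge 1$ here, since coefficients outside $\{0,1\}$ are already penalised by the $2\alpha$ diagonal.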