Seminar of Lattice Analysis 01
Slide Reduction Revisited
Wenling Liu, Shanghai Jiao Tong University.
Wenling Liu @ SJTU
Table of Contents
Lattice Backgrounds
Lenstra–Lenstra–Lovász Reduction
Hermite SVP Reduction and DBKZ Algorithm
Slide Reduction
Last Update: August 4, 2020
Section 1 Lattice Backgrounds
Lattice
Definition (Lattice). An $n$-dimensional lattice $L$ in $\mathbb{R}^m$ is the set of integer combinations
$L := \{ z_1 b_1 + \cdots + z_n b_n : z_i \in \mathbb{Z} \}$
of linearly independent basis vectors $B = [b_1, \cdots, b_n] \in \mathbb{Z}^{m \times n}$.
Remark.
• We call $n$ the rank of $L$.
• We say $L$ is full-rank if $n = m$.
• $B$ is called a basis of $L$.
• For simplicity, we mainly concern ourselves with integer lattices; these lattices are subgroups of $\mathbb{Z}^m$.
Figure: A Lattice in $\mathbb{R}^2$
Basis of Lattice
A lattice can have different bases:
Figure: Different Bases of the same Lattice
Fact. A lattice has infinitely many bases.
Fact. Integer lattices only have bases with integer entries.
A lattice is the set of integer combinations of any of its bases. A lattice with basis $B$ is denoted by $L(B)$ (denoted by $\Lambda(B)$ in some literature). The notation is abused for non-basis $B$ in some literature.
Fundamental Parallelepiped
Define the fundamental parallelepiped of a basis $B$ as
$\mathcal{P}(B) = \{ y \in \mathbb{R}^n \mid y = Bx \text{ for some } x \in [0, 1)^n \}$
Figure: Fundamental Parallelepiped of different Bases
Fact. The fundamental parallelepiped contains no lattice points except $0$.
Volume
Definition. Let $B$ be any basis of lattice $L$; define the volume of $L$:
$\mathrm{vol}(L) = \sqrt{\det(B^T B)}$
Remark.
• For any $L(B_1) = L(B_2)$, it holds that $\det(B_1^T B_1) = \det(B_2^T B_2)$.
• For $n = m$ (i.e., $B \in \mathbb{R}^{m \times m}$), $\mathrm{vol}(L(B)) = |\det B|$.
• We often abuse the notation and denote $\sqrt{\det(B^T B)}$ by $\mathrm{vol}(B)$.
• Some literature writes $\mathrm{vol}$ instead of $\det$.
Geometrical view. The volume of a lattice is the volume of its fundamental parallelepiped.
Refer to UCSD CSE 206A Lec 1 by Daniele Micciancio for more detail.
Gram-Schmidt Orthogonalization
For a lattice basis $B = [b_1, \cdots, b_n] \in \mathbb{R}^{m \times n}$, the Gram-Schmidt orthogonal basis of $B$ can be computed by
$b_1^* = b_1$
$b_2^* = b_2 - \mu_{2,1} b_1^*$
$\vdots$
$b_n^* = b_n - \sum_{j=1}^{n-1} \mu_{n,j} b_j^*$
where $\mu_{i,j} = \dfrac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle}$.
We call $B^* = [b_1^*, \cdots, b_n^*]$ the Gram-Schmidt Orthogonal Form of $B$.
Fact. Gram-Schmidt Orthogonalization never lengthens vectors: $\|b_i^*\| \le \|b_i\|$.
Gram-Schmidt Orthogonalization
Fact.
• $\det B = \det B^*$.
• $\mathrm{vol}(L(B)) = \det B^* = \prod_{j=1}^{n} \|b_j^*\|$.
• For a basis $B$ of $L$, $\lambda_1(L) \ge \|B^*\| := \min_j \|b_j^*\|$.
Remark. Usually, $B^*$ is not a basis of $L(B)$.
Dual Lattice
Definition (Dual Lattice). For any lattice $L \subseteq \mathbb{R}^m$, define its dual lattice
$L^\times = \{ w \in \mathrm{span}(L) : \langle w, y \rangle \in \mathbb{Z} \text{ for all } y \in L \}$
The dual lattice of $L(B)$ is the intersection of $n$ sets of equidistant parallel $(n-1)$-dimensional hyperplanes, the $i$-th set being perpendicular to $b_i$.
Dual Basis
For a lattice $L$, we call $L$ the primal lattice and $L^\times$ the dual lattice. Like its primal lattice, a dual lattice has infinitely many bases.
Fact. For a lattice $L = L(B)$, there exists a unique $D$ s.t. $B^T D = D^T B = I$, and $D$ is a basis of $L^\times$.
The proof can be done by checking the definition. $D$ is called the dual basis of $B$. The explicit construction of $D$ is
$D := B (B^T B)^{-1}$
We denote the reverse order of $D$ by $B^{-s}$, and call it the reversed dual basis of $B$.
Fact.
• $\det D = 1 / (\det B)$.
• $\|b_n^*\| = 1 / \|d_n\|$.
• $\mathrm{vol}(L^\times) = 1 / \mathrm{vol}(L)$.
Hermite’s Constant
Successive Minimum. For any lattice $L$, define $\lambda_1(L)$ to be the length of a shortest non-zero vector of $L$. The notation can be abused for bases.
Define Hermite’s constant
$\gamma_n := \sup \dfrac{\lambda_1(L)^2}{\mathrm{vol}(L)^{2/n}}$
where the supremum is over lattices $L \subseteq \mathbb{R}^n$ with full rank $n$.
Remark. For any $n$-dimensional lattice $L$, it holds that $\lambda_1(L) \le \sqrt{\gamma_n} \, \mathrm{vol}(L)^{1/n}$.
$\gamma_n$ is known for $n \le 8$ and $n = 24$, and it is known that $\gamma_n = \Theta(n)$.
Shortest Vector Problem
Definition. Shortest Vector Problem (SVP): Given a lattice basis $B$ of $L$, find a shortest nonzero vector of $L$.
SVP is NP-hard.
Definition. $\gamma$-Approximate Shortest Vector Problem ($\mathrm{SVP}_\gamma$): Given a lattice basis $B$ of $L$, find a non-zero vector $z$ of the lattice $L$ s.t. $\|z\| \le \gamma \cdot \lambda_1(L)$.
Remark. $\mathrm{SVP}_\gamma$ is written $\gamma$-SVP in some literature. $\mathrm{SVP}_\gamma$ is extremely hard for some $\gamma$, but gets easier when $\gamma$ grows very large.
Status of SVP (for beginners)
Hardness:
• NP-complete for not very small $\gamma$
• The hardest among lattice problems
• No known quantum acceleration
• No known subexponential algorithm for $\gamma \le \sqrt{n}$
Cryptographic Importance:
• $\gamma = n^c$: the hardness basis of average-case problems (e.g., LWE)
Section 2 Lenstra–Lenstra–Lovász Reduction
Lattice Basis Reduction
Good bases are helpful when solving problems on lattices. E.g., given an orthogonal basis of a lattice, one can immediately compute the shortest vector.
Lattice Basis Reduction is a category of methods for finding a “good” basis of a lattice given by a “bad” basis.
Famous basis reduction algorithms:
• LLL Reduction
• BKZ Reduction
• DBKZ Reduction
• HKZ Reduction
• Slide Reduction
LLL Reduction
Definition (LLL-reduced Basis). Let $B \in \mathbb{R}^{m \times n}$. We say $B$ is $\epsilon$-LLL-reduced if it satisfies the following:
• Size Reduced: for all $j < i$, $|\mu_{i,j}| < \frac{1}{2}$.
• Lovász’s condition: for all $1 \le i < n$, $\|b_i^*\|^2 \le (1 + \epsilon) \|\mu_{i+1,i} b_i^* + b_{i+1}^*\|^2$.
We often set $\epsilon = \frac{1}{3}$.
Remark. We say $B$ is an $\epsilon$-LLL basis if it is $\epsilon$-LLL-reduced.
We now introduce the LLL algorithm, which turns any lattice basis into an $\epsilon$-LLL-reduced basis.
LLL Algorithm
Input: Lattice basis $B \in \mathbb{R}^{m \times n}$, real $\epsilon > 0$
Output: An $\epsilon$-LLL basis of $L(B)$
1 Compute $b_1^*, \cdots, b_n^*$
2 for $i = 2$ to $n$ do
3   for $j = i-1$ down to $1$ do
      $b_i \leftarrow b_i - c_{i,j} b_j$ where $c_{i,j} = \lceil \langle b_i, b_j^* \rangle / \langle b_j^*, b_j^* \rangle \rfloor$
4   end
5 end
6 if $\exists\, i$ s.t. $\|b_i^*\|^2 > (1 + \epsilon) \|\mu_{i+1,i} b_i^* + b_{i+1}^*\|^2$ then
7   $b_i \leftrightarrow b_{i+1}$
8   go to 1
9 end
10 return $b_1, \cdots, b_n$
Algorithm 1: LLL Algorithm
Fact.
• For $\epsilon > 1 / \mathrm{poly}(n)$, the algorithm terminates in polynomial time.
• $\|b_n^*\|$ never decreases during the execution.
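The Gram-Schmidt orthogonalization of Section 1 and Algorithm 1 above, as an added example (not code from the slides): exact rational arithmetic, bases passed as a list of vectors, the Lovász test in the $(1+\epsilon)$ form used here, and a checker for the $\epsilon$-LLL conditions; the sample bases in the test are constructed for illustration.

```python
from fractions import Fraction
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(basis):
    """Return (B*, mu) with b*_i = b_i - sum_{j<i} mu_{i,j} b*_j, slide notation, exact arithmetic."""
    bstar, mu = [], [[Fraction(0)] * len(basis) for _ in basis]
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, bstar[j]) / dot(bstar[j], bstar[j])
            v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def volume_squared(basis):
    """vol(L(B))^2 = prod_j ||b*_j||^2, the Gram-Schmidt fact from the slides."""
    bstar, _ = gram_schmidt(basis)
    return math.prod(dot(v, v) for v in bstar)

def is_lll_reduced(basis, eps=Fraction(1, 3)):
    """Size reduction (|mu_{i,j}| <= 1/2, ties allowed) plus Lovasz's condition as on the slides."""
    bstar, mu = gram_schmidt(basis)
    if any(abs(mu[i][j]) > Fraction(1, 2) for i in range(len(basis)) for j in range(i)):
        return False
    for i in range(len(basis) - 1):
        w = [mu[i + 1][i] * x + y for x, y in zip(bstar[i], bstar[i + 1])]
        if dot(bstar[i], bstar[i]) > (1 + eps) * dot(w, w):
            return False
    return True

def lll(basis, eps=Fraction(1, 3)):
    """Algorithm 1: size-reduce, swap the first pair violating Lovasz's condition, repeat."""
    b = [[Fraction(x) for x in v] for v in basis]
    while True:
        bstar, _ = gram_schmidt(b)          # step 1; B* is invariant under size reduction
        for i in range(1, len(b)):
            for j in range(i - 1, -1, -1):  # steps 2-5: b_i <- b_i - c_{i,j} b_j, c = nearest integer
                c = (dot(b[i], bstar[j]) / dot(bstar[j], bstar[j]) + Fraction(1, 2)) // 1
                b[i] = [x - c * y for x, y in zip(b[i], b[j])]
        bstar, mu = gram_schmidt(b)         # refresh mu for the Lovasz test
        for i in range(len(b) - 1):         # steps 6-8: swap on violation, then go to 1
            w = [mu[i + 1][i] * x + y for x, y in zip(bstar[i], bstar[i + 1])]
            if dot(bstar[i], bstar[i]) > (1 + eps) * dot(w, w):
                b[i], b[i + 1] = b[i + 1], b[i]
                break
        else:
            return b                        # step 10
```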
(D)SVP Reduction
Define the following reduced bases.
• $\delta$-SVP-reduced: A basis $B$ is $\delta$-SVP-reduced if $\|b_1\| \le \delta \cdot \lambda_1(B)$.
• $\delta$-DSVP-reduced: A basis $B$ is $\delta$-DSVP-reduced if $B^{-s}$ is $\delta$-SVP-reduced and $B$ is $\frac{1}{3}$-LLL-reduced.
Given access to a $\delta$-SVP oracle, $\delta$-(D)SVP reduction can be done efficiently:
• $\delta$-SVP-reduce $B$: Call the $\delta$-SVP oracle to get $z \in L(B)$ (s.t. $\|z\| \le \delta \cdot \lambda_1(B)$) and “substitute” the first vector of $B$ with $z$.
• $\delta$-DSVP-reduce $B$: Work out $B^{-s}$, and $\delta$-SVP-reduce $B^{-s}$. Then work out the new $B$ from the reduced $B^{-s}$ and $\frac{1}{3}$-LLL-reduce the new $B$. This procedure works since $\|b_n^*\|$ never decreases during LLL reduction.
Remark. $B$ being $\frac{1}{3}$-LLL-reduced implies $\|b_i\| \le 4 \|b_{i+1}\|$.
Section 3 Hermite SVP Reduction and DBKZ Algorithm
More Notions
Fix some lattice basis $B \in \mathbb{R}^{m \times n}$, and define $\pi_i : \mathbb{R}^m \to \mathbb{R}^m$ as the projection orthogonal to $\mathrm{span}(b_1, \cdots, b_{i-1})$, i.e.
$\pi_i(b) = b - \sum_{j < i} \dfrac{\langle b, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle} b_j^*$,
so in particular $\pi_i(b_i) = b_i - \sum_{j < i} \mu_{i,j} b_j^* = b_i^*$.
$B_{[i,j]}$ denotes $(\pi_i(b_i), \pi_i(b_{i+1}), \cdots, \pi_i(b_j))$. We denote $[b_i, b_{i+1}, \cdots, b_j]$ by $B_{(i,j)}$.
(D)HSVP Reduction
Define the following reduced bases.
• $\delta$-HSVP-reduced: A basis $B$ is $\delta$-HSVP-reduced if $\|b_1\| \le \delta \cdot \mathrm{vol}(B)^{1/n}$.
• $\delta$-DHSVP-reduced: A basis $B$ is $\delta$-DHSVP-reduced if $B^{-s}$ is $\delta$-HSVP-reduced.
Similar to (D)SVP reduction, given an efficient $\delta$-HSVP reduction algorithm, one can do $\delta$-DHSVP reduction efficiently.
$\delta$-twin-reduced: For a basis $B = [b_1, \cdots, b_{d+1}]$, we say $B$ is $\delta$-twin-reduced if $B_{[1,d]}$ is $\delta$-HSVP-reduced and $B_{[2,d+1]}$ is $\delta$-DHSVP-reduced.
Twin Reduction Lemma
Lemma. Let $B = [b_1, \cdots, b_{d+1}]$ be $\delta$-twin-reduced. Then
• $\|b_1\| \le \delta^{2d/(d-1)} \|b_{d+1}^*\|$
• $\delta^{-d/(d-1)} \|b_1\| \le \mathrm{vol}(B)^{1/(d+1)} \le \delta^{d/(d-1)} \|b_{d+1}^*\|$
Proof. By the definition of HSVP-reduced, $\|b_1\|^d \le \delta^d \mathrm{vol}(B_{[1,d]})$; since $\mathrm{vol}(B_{[1,d]}) = \|b_1\| \cdot \mathrm{vol}(B_{[2,d]})$, this gives $\|b_1\|^{d-1} \le \delta^d \mathrm{vol}(B_{[2,d]})$.
By the definition of DHSVP-reduced, $\mathrm{vol}(B_{[2,d]}) \le \delta^d \|b_{d+1}^*\|^{d-1}$ (recall that $\mathrm{vol}(L) = 1 / \mathrm{vol}(L^\times)$).
Gluing these two inequalities together, we get the 1st item.
Notice that $\|b_1\|^d \|b_{d+1}^*\| \le \delta^d \mathrm{vol}(B_{[1,d]}) \cdot \|b_{d+1}^*\| = \delta^d \mathrm{vol}(B)$. Applying the 1st item to this, we get the 2nd item.
Fact.
• $B$ is $\delta$-SVP-reduced $\Rightarrow$ $B$ is $\delta\sqrt{\gamma_n}$-HSVP-reduced.
• $B$ is $\delta$-DSVP-reduced $\Rightarrow$ $B$ is $\delta\sqrt{\gamma_n}$-DHSVP-reduced.