Solving All Lattice Problems in Deterministic Single Exponential Time
Daniele Micciancio (joint work with P. Voulgaris, STOC 2010)
UCSD, March 22, 2011
CVP in deterministic 2^{O(n)} time, Daniele Micciancio
Lattices
Traditional area of mathematics: a bridge between number theory and geometry, studied by Lagrange, Gauss, ..., Minkowski, ...
Key to many algorithmic applications: cryptanalysis, coding theory, integer programming
Foundation of lattice based cryptography:
 - exponentially hard to break, even by quantum adversaries
 - asymptotically fast and easily parallelizable cryptographic functions
 - secure based on the conjectured hardness of worst-case problems
 - extremely versatile: CPA/CCA encryption, digital signatures, ..., group and ring signatures, threshold cryptography, IBE, ..., HIBE, ..., FHE, ...
Outline
1. Introduction: Lattices; Lattice Problems; Algorithmic Techniques
2. New Algorithm: Overview; Voronoi Cell; CVPP Algorithm
3. Final Remarks and Open Problems
Point Lattices
A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b_1, ..., b_n} ⊂ R^n:
  Λ = Σ_{i=1}^{n} b_i · Z = { B x : x ∈ Z^n }
The same lattice has many bases: Λ = Σ_{i=1}^{n} c_i · Z
Definition (Lattice): a discrete additive subgroup of R^n
[Figure: the same lattice generated by the bases {b_1, b_2} and {c_1, c_2}]
Shortest Vector Problem (SVP)
Definition (SVP): Given a lattice L(B), find a (nonzero) lattice vector B x (with x ∈ Z^k) of minimal length ||B x||
Input: a lattice basis B
Output: a shortest nonzero vector s ∈ Λ
The problem is hard when the dimension n is high and the basis is skewed: the shortest vector can be much shorter than the basis vectors
[Figure: a 2-dimensional lattice with basis b_1, b_2 and its shortest vector s]
Shortest Independent Vectors Problem (SIVP)
Definition (SIVP): Given a lattice L(B), find n linearly independent lattice vectors s_1, ..., s_n of minimal length max_i ||s_i||
Input: a lattice basis B
Output: n shortest linearly independent lattice vectors s_1, ..., s_n ∈ Λ
The problem is hard when the dimension n is high and the basis is skewed
[Figure: a 2-dimensional lattice with basis b_1, b_2 and its shortest independent vectors s_1, s_2]
Closest Vector Problem (CVP)
Inhomogeneous version of SVP
Definition (CVP): Given a lattice L(B) and a target point t, find a lattice vector B x which minimizes the distance ||B x − t||
Input: a lattice Λ(B) and a target vector t
Output: a closest lattice point c ∈ Λ
NP-hard [vEB'81], even for a fixed lattice [M'01]
[Figure: a 2-dimensional lattice, a target t and its closest lattice point c]
Lattice problems, Cryptography, Algorithms
Approximating SVP, SIVP, CVP:
 - the best known polynomial time algorithms only find poor (2^{ω(n / log n)}) approximations
 - lattice based cryptography is based on the conjectured hardness of finding good (n^{O(1)}) approximate solutions
Solving SVP, SIVP, CVP exactly:
 - NP-hard: no subexponential time solution is expected
 - the best known exact algorithms run in exponential time 2^{Ω(n)}
Applications of exact SVP, SIVP, CVP:
 - some applications involve low dimensional lattices
 - efficient approximation algorithms are based on the exact solution of small dimensional subproblems
How fast can we solve SVP, SIVP, CVP? (E.g., 2^{n/2} < 2^{100·n} < n^n)
Complexity of SVP, SIVP, CVP
Efficient (dimension preserving) reductions: SVP, SIVP ≤ CVP [GMSS'99, M'08]
Fastest previous algorithms:
 - SVP, SIVP, CVP, IP: [Kannan'87] runs in n^{O(n)} time
 - SVP: [AKS'01] runs in randomized 2^{O(n)} time and space
 - the algorithms work in any ℓ_p norm [BN'07]
Questions:
 - Can CVP, SIVP also be solved in 2^{c·n} time? Yes! (for ℓ_2)
 - What is the smallest constant c? [NV'09, MP'10, PS'10]: c < 2.5 for SVP in ℓ_2. c ≤ 2 for SVP, SIVP, CVP!
 - Are randomization and exponential space useful/necessary? Randomization is not!
 - What about other norms and Integer Programming (IP)?
Size Reduction
b: a (short) lattice vector; c: an arbitrary point
Can make c shorter by subtracting b from it; repeat until c is closer to 0 than to b or −b
Remarks:
 - c − c' ∈ Λ
 - key step in the [LLL'82] basis reduction algorithm
 - the technique is used in most other lattice algorithms
[Figure: the point c and its size-reduced image c' relative to the lattice vector b]
Rank reduction: CVP(Λ_n) ≤ 2^n · CVP(Λ_{n−1})
Goal: solve CVP(Λ_n, t)
Partition Λ_n into layers of the form Λ_{n−1} + c · b_n, c = 2, 1, 3, 0, ...
Find the lattice point v_i in each layer closest to (the projection of) t
Only need to consider nearby layers: dual LLL: 2^n layers; dual SVP: n layers
Select the best solution v_1
Notice: all layers contain the same lattice Λ_{n−1}
[Figure: layers Λ_1 + c · b_2 with the target t, its projections t_1, ..., t_4 and the candidates v_1, ..., v_4]
Solving CVP by rank reduction
Rank reduction: CVP(Λ_n) ≤ k · CVP(Λ_{n−1})
 - LLL: k = 2^n, T = 2^{n^2}
 - SVP: k = n, T = n^n
Iterate: CVP(Λ_n) ≤ k · CVP(Λ_{n−1}) ≤ ··· ≤ k^n · CVP(Λ_1) = k^n
Our approach:
 - exploit the fact that the recursive calls use the same lower dimensional sublattices
 - preprocess the lattice to speed up the solution of many CVP instances
CVP with Preprocessing (CVPP)
Problem (CVPP): Find a function π and an efficient algorithm CVPP such that CVPP(π(Λ), t) = CVP(Λ, t). Only the running time of CVPP counts; the function π is arbitrary.
Complexity:
 - still NP-hard [M'01]!
 - [LLS'93, AR'04] approximates within n^{O(1)} in polynomial time
 - polynomial time solutions require |π(Λ)| ≤ n^{O(1)}
Our work:
 - CVPP(π(Λ), t) runs in 2^{O(n)} time
 - π(Λ) has size 2^{O(n)}
 - π(Λ) can also be computed in time 2^{O(n)}
Overview of CVP algorithm
Building blocks: π(Λ) = V(Λ), the Voronoi cell of the lattice
 - CVPP(V(Λ_n)) algorithm with running time 2^{O(n)}
 - Voronoi cell computation: V(Λ_n) ≤ 2^{O(n)} · CVP(Λ_n)
 - dimension reduction: CVP(Λ_n) ≤ 2^{O(n)} · CVP(Λ_{n−1})
Our approach: CVP(Λ_n) ≤ CVPP(V(Λ_n)) + V(Λ_n)
Computing the Voronoi cell of a lattice:
  V(Λ_n) ≤ 2^{O(n)} · CVP(Λ_n)
         ≤ 2^{O(n)} · 2^{O(n)} · CVP(Λ_{n−1})
         ≤ 2^{O(n)} · 2^{O(n)} · (CVPP(V(Λ_{n−1})) + V(Λ_{n−1}))
         ≤ 2^{O(n)} · 2^{O(n)} · 2^{O(n)} + V(Λ_{n−1})
         ≤ 2^{O(n)} + V(Λ_{n−1})
         = 2^{O(n)} + 2^{O(n)} + V(Λ_{n−2})
         ≤ ... ≤ 2^{O(n)}
Voronoi Cell
Definition (Voronoi Cell): the set of points in R^n closer to 0 than to any other lattice point:
  V(Λ) = { x : ∀ v ∈ Λ, ||x|| ≤ ||x − v|| }
[Figure: the Voronoi cell of a 2-dimensional lattice around 0]
Representing the Voronoi cell
Each v ∈ Λ defines the half-space H_v = { x : ||x|| ≤ ||x − v|| }
V is the intersection V = ∩_{v ∈ Λ} H_v
Not all v ∈ Λ are needed: V = ∩_{v ∈ R} H_v for a set R ⊂ Λ of relevant vectors
Theorem (Voronoi): the number of relevant points is at most |R| ≤ 2 · (2^n − 1)
[Figure: hexagonal Voronoi cell of a 2-dimensional lattice, determined by the relevant vectors v_1, ..., v_6]
Computing V(Λ_n) ≤ 2^n · CVP(Λ_n)
Why is |R| ≤ 2 · (2^n − 1)?
 - partition Λ into cosets modulo 2Λ; there are 2^n − 1 nonzero cosets
 - from each coset, select the pair v, −v closest to 0
 - R is the set of all such pairs
 - each pair is found by a CVP computation in the lattice 2Λ
 - CVP(2Λ) is equivalent to CVP(Λ)
[Figure: the three pairs ±v_1, ±v_2, ±v_3 of relevant vectors of a 2-dimensional lattice]
CVP and Voronoi cell
Definition (CVP): Given Λ and t, find v ∈ Λ such that t ∈ v + V
  t ∈ v + V  ≡  t − v ∈ V
CVP goal: bring t inside V by shifting it by v ∈ Λ
Algorithm [SFS'09]: while t ∉ V: select v ∈ R with t ∉ H_v; size reduce t using v
[SFS'09] only proves termination
Question: What is a good selection strategy for v ∈ R?
[Figure: the target t moved to t' inside the Voronoi cell around 0]
Our selection strategy
Assume t ∈ 2V. Goal: find t' ∈ (t − Λ) ∩ V
Strategy: compute the smallest k ∈ R such that t ∈ kV; subtract the relevant vector u_1 associated to the corresponding facet
Why does it work? The new vector t' is shorter than t, and still t' ∈ 2V; |(t − Λ) ∩ 2V| ≤ 2^n
[Figure: t on the boundary of kV, the facet's relevant vector u_1, and t' = t − u_1 inside 2V]
Doubling the Voronoi Cell
Solve CVP for any t:
 - find k ∈ Z such that t ∈ 2^k V
 - use CVP_{2V} to go from t ∈ 2^k V to t ∈ 2^{k−1} V
[Figure: t_1, t_2, t_3 moving through successively smaller scaled cells 2^k V]
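The three pieces of the Voronoi-cell CVP algorithm on the last slides (relevant vectors from the cosets of 2Λ, the facet selection strategy for t ∈ 2V, and the doubling step) carried through on a small lattice, as an added example that is not code from the talk or the paper. The 2-dimensional basis B is a constructed example, and the relevant vectors are found by bounded enumeration of each coset, a toy stand-in for the CVP(2Λ) calls on the slides; the half-space test t ∈ kV ⇔ ⟨t, v⟩ ≤ k⟨v, v⟩/2 for all v ∈ R follows from the definition of H_v.

```python
from fractions import Fraction
from itertools import product

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))
def sub(a, b):
    return [x - y for x, y in zip(a, b)]
def lat_vec(B, x):  # B*x, where the rows of B are the basis vectors
    return [sum(xi * bi[j] for xi, bi in zip(x, B)) for j in range(len(B[0]))]

def relevant_vectors(B, bound=3):
    """R: for each nonzero coset of 2L(B) the pair +/-v closest to 0, kept when it is the
    unique shortest pair (Voronoi). Toy: each coset is enumerated with |coeffs| <= bound
    instead of calling CVP on 2L(B), so this only suits small, reduced bases."""
    n, R = len(B), []
    for c in product(range(2), repeat=n):
        if not any(c):
            continue
        coset = [lat_vec(B, [ci + 2 * xi for ci, xi in zip(c, x)])
                 for x in product(range(-bound, bound + 1), repeat=n)]
        m = min(dot(w, w) for w in coset)
        shortest = [w for w in coset if dot(w, w) == m]
        if len(shortest) == 2:
            R.extend(shortest)
    return R

def facet(t, R):
    """Smallest k with t in kV (t in kV <=> <t,v> <= k<v,v>/2 for all v in R), returned
    together with the relevant vector v of the facet attaining it."""
    return max((Fraction(2 * dot(t, v), dot(v, v)), v) for v in R)

def cvp_2v(t, R):
    # selection strategy for t in 2V: subtract the relevant vector of the tightest facet
    while (kv := facet(t, R))[0] > 1:
        t = sub(t, kv[1])  # t gets shorter and stays in 2V; at most 2^n steps
    return t

def cvp(t, R):
    """Doubling: find j with t in 2^j V, then move t from 2^(i+1) V into 2^i V for
    i = j-1, ..., 0 by running cvp_2v in the lattice 2^i L (relevant vectors 2^i R)."""
    t = [Fraction(x) for x in t]
    j = 0
    while facet(t, R)[0] > 2 ** j:
        j += 1
    residual = t
    for i in reversed(range(j)):
        residual = cvp_2v(residual, [[2 ** i * x for x in v] for v in R])
    return sub(t, residual)  # in L: only lattice vectors were subtracted from t

B = [[2, 0], [1, 2]]     # constructed 2-dimensional example basis
R = relevant_vectors(B)  # hexagon: +/-(2,0), +/-(1,2), +/-(-1,2)
```

With this basis R has 6 = 2·(2^2 − 1) vectors, and cvp(t, R) returns the lattice point closest to t for any rational t given as ints or strings such as "13/5".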