Algorithms for the Densest Sublattice Problem Daniele Micciancio - - PowerPoint PPT Presentation

Algorithms for the Densest Sublattice Problem

Daniele Micciancio (UCSD) (Joint work with D. Dadush – SODA 2013) January 2013

Daniele Micciancio Algorithms for the Densest Sublattice Problem

(Point) Lattices

Traditional area of mathematics

• ◦ ◦

Lagrange Gauss Minkowski

Daniele Micciancio Algorithms for the Densest Sublattice Problem

(Point) Lattices

Traditional area of mathematics

• ◦ ◦

Lagrange Gauss Minkowski Key to many algorithmic applications

Cryptanalysis (e.g., breaking low-exponent RSA) Coding Theory (e.g., wireless communications) Optimization (e.g., Integer Programming with fixed number of variables) Cryptography (e.g., Cryptographic functions from worst-case complexity assumptions, Fully Homomorphic Encryption)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Outline

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattices: Definition

e1 e2 The simplest lattice in n-dimensional space is the integer lattice Λ = Zn

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattices: Definition

e1 e2 The simplest lattice in n-dimensional space is the integer lattice Λ = Zn b1 b2 Other lattices are obtained by applying a linear transformation Λ = BZn (B ∈ Rd×n)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice Determinant / Density

e1 e2 b1 b2

Definition (Determinant)

The determinant of a lattice is the volume of a fundamental region det(BZn) = voln (B[0, 1)n) = 1 density(Λ)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

The Densest Sublattice Problem (DSP)

Definition (Densest Sublattice Problem (k-DSP))

Given a lattice Λ, find a k-dimensional sublattice Λ′ ⊆ Λ that minimizes det(Λ′).

Daniele Micciancio Algorithms for the Densest Sublattice Problem

The Densest Sublattice Problem (DSP)

Definition (Densest Sublattice Problem (k-DSP))

Given a lattice Λ, find a k-dimensional sublattice Λ′ ⊆ Λ that minimizes det(Λ′). Λ′ = Λ ∩ S, dim(S) = k Λ′ = bZ and det(Λ′) = b

Daniele Micciancio Algorithms for the Densest Sublattice Problem

The Densest Sublattice Problem (DSP)

Definition (Densest Sublattice Problem (k-DSP))

Given a lattice Λ, find a k-dimensional sublattice Λ′ ⊆ Λ that minimizes det(Λ′). Λ′ = Λ ∩ S, dim(S) = k Λ′ = bZ and det(Λ′) = b Small det ⇔ High density

Daniele Micciancio Algorithms for the Densest Sublattice Problem

The Densest Sublattice Problem (DSP)

Definition (Densest Sublattice Problem (k-DSP))

Given a lattice Λ, find a k-dimensional sublattice Λ′ ⊆ Λ that minimizes det(Λ′). Λ′ = Λ ∩ S, dim(S) = k Λ′ = bZ and det(Λ′) = b Small det ⇔ High density 1-DSP = SVP (Shortest Vector Problem)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice rounding

Gram-Schmidt

• rthogonalization B∗[0, 1]n

b∗

1 = b1

b2 b∗

2

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice rounding

Gram-Schmidt

• rthogonalization B∗[0, 1]n

is also a fundamental region for Λ b∗

1 = b1

b2 b∗

2

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice rounding

Gram-Schmidt

• rthogonalization B∗[0, 1]n

is also a fundamental region for Λ

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice rounding

Gram-Schmidt

• rthogonalization B∗[0, 1]n

is also a fundamental region for Λ Any t can be efficiently rounded to v ∈ Λ

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice rounding

Gram-Schmidt

• rthogonalization B∗[0, 1]n

is also a fundamental region for Λ Any t can be efficiently rounded to v ∈ Λ t − v ≤ 1

2

• i b∗

i 2

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice rounding

Gram-Schmidt

• rthogonalization B∗[0, 1]n

is also a fundamental region for Λ Any t can be efficiently rounded to v ∈ Λ t − v ≤ 1

2

• i b∗

i 2

v solves CVP when t − v ≤ min b∗

i /2

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Lattice rounding

Gram-Schmidt

• rthogonalization B∗[0, 1]n

is also a fundamental region for Λ Any t can be efficiently rounded to v ∈ Λ t − v ≤ 1

2

• i b∗

i 2

v solves CVP when t − v ≤ min b∗

i /2

Lemma (Nearest Plane Algorithm [Babai 1986])

Rounding w.r.t B∗ approximates CVP within √n · maxi b∗

i

mini b∗

i Daniele Micciancio Algorithms for the Densest Sublattice Problem

Basis reduction

Definition (Basis reduction problem)

Given a lattice, find a basis such that b∗

i ≈ det(Λ)1/n, or, more

generally, the b∗

i do not decrease too quickly.

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Basis reduction

Definition (Basis reduction problem)

Given a lattice, find a basis such that b∗

i ≈ det(Λ)1/n, or, more

generally, the b∗

i do not decrease too quickly.

Sort b1 ≤ b2 ≤ . . . ≤ bn

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Basis reduction

Definition (Basis reduction problem)

Given a lattice, find a basis such that b∗

i ≈ det(Λ)1/n, or, more

generally, the b∗

i do not decrease too quickly.

Sort b1 ≤ b2 ≤ . . . ≤ bn Still, typically b∗

1 > b∗ 2 > . . . > b∗ n

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Basis reduction

Definition (Basis reduction problem)

Given a lattice, find a basis such that b∗

i ≈ det(Λ)1/n, or, more

generally, the b∗

i do not decrease too quickly.

Sort b1 ≤ b2 ≤ . . . ≤ bn Still, typically b∗

1 > b∗ 2 > . . . > b∗ n

This is unavoidable, even for k = 2, e.g., for “exagonal” lattice b1 b∗

2 = b1 · b1

b1 · b∗

2 = b12

det(Λ) ≤ γ2 = 2 √ 3 ≈ 1.1547

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Basis reduction

Definition (Basis reduction problem)

Given a lattice, find a basis such that b∗

i ≈ det(Λ)1/n, or, more

generally, the b∗

i do not decrease too quickly.

Sort b1 ≤ b2 ≤ . . . ≤ bn Still, typically b∗

1 > b∗ 2 > . . . > b∗ n

This is unavoidable, even for k = 2, e.g., for “exagonal” lattice b1 b∗

2 = b1 · b1

b1 · b∗

2 = b12

det(Λ) ≤ γ2 = 2 √ 3 ≈ 1.1547 Minimizing b1/b∗

2 is equivalent to SVP

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Basis reduction

Definition (Basis reduction problem)

Given a lattice, find a basis such that b∗

i ≈ det(Λ)1/n, or, more

generally, the b∗

i do not decrease too quickly.

Sort b1 ≤ b2 ≤ . . . ≤ bn Still, typically b∗

1 > b∗ 2 > . . . > b∗ n

This is unavoidable, even for k = 2, e.g., for “exagonal” lattice b1 b∗

2 = b1 · b1

b1 · b∗

2 = b12

det(Λ) ≤ γ2 = 2 √ 3 ≈ 1.1547 Minimizing b1/b∗

2 is equivalent to SVP

Hemite constant: γn = sup

Λ

inf

B

• b1

det(Λ)1/n 2 = Θ(n)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

LLL basis reduction algorithm

Theorem (Lenstra, Lenstra, Lovasz (LLL) 1982)

Every lattice has an efficiently computable basis such that b∗

i+1 ≥ ˜

γ2 · b∗

i for all i, and maxi b∗

i

mini b∗

i = 2O(n) Daniele Micciancio Algorithms for the Densest Sublattice Problem

LLL basis reduction algorithm

Theorem (Lenstra, Lenstra, Lovasz (LLL) 1982)

Every lattice has an efficiently computable basis such that b∗

i+1 ≥ ˜

γ2 · b∗

i for all i, and maxi b∗

i

mini b∗

i = 2O(n)

B = [b1, . . . , bn]

Daniele Micciancio Algorithms for the Densest Sublattice Problem

LLL basis reduction algorithm

Theorem (Lenstra, Lenstra, Lovasz (LLL) 1982)

Every lattice has an efficiently computable basis such that b∗

i+1 ≥ ˜

γ2 · b∗

i for all i, and maxi b∗

i

mini b∗

i = 2O(n)

B = [b1, . . . , bn] Locally modify each 2-dim sublattice [bi, bi+1] so b∗

i is

(almost) minimal

Daniele Micciancio Algorithms for the Densest Sublattice Problem

LLL basis reduction algorithm

Theorem (Lenstra, Lenstra, Lovasz (LLL) 1982)

Every lattice has an efficiently computable basis such that b∗

i+1 ≥ ˜

γ2 · b∗

i for all i, and maxi b∗

i

mini b∗

i = 2O(n)

B = [b1, . . . , bn] Locally modify each 2-dim sublattice [bi, bi+1] so b∗

i is

(almost) minimal LLL terminates because each local modification makes “progress” towards reducing the basis

Daniele Micciancio Algorithms for the Densest Sublattice Problem

LLL basis reduction algorithm

Theorem (Lenstra, Lenstra, Lovasz (LLL) 1982)

Every lattice has an efficiently computable basis such that b∗

i+1 ≥ ˜

γ2 · b∗

i for all i, and maxi b∗

i

mini b∗

i = 2O(n)

B = [b1, . . . , bn] Locally modify each 2-dim sublattice [bi, bi+1] so b∗

i is

(almost) minimal LLL terminates because each local modification makes “progress” towards reducing the basis Polynomial time termination for any ˜ γ2 > γ2

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Generalized basis reduction algorithm

Partition basis vectors into blocks B = [B1, . . . , Bm]

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Generalized basis reduction algorithm

Partition basis vectors into blocks B = [B1, . . . , Bm]

Block Basis Reduction Algorithm

Locally modify each pair of blocks [Bi, Bi+1] so to minimize the product b∗

j · · · b∗ k corresponding to Bi = [bj, . . . , bk]

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Generalized basis reduction algorithm

Partition basis vectors into blocks B = [B1, . . . , Bm]

Block Basis Reduction Algorithm

Locally modify each pair of blocks [Bi, Bi+1] so to minimize the product b∗

j · · · b∗ k corresponding to Bi = [bj, . . . , bk]

Local modification is a dim(Bi)-DSP instance in dimension dim(Bi) + dim(Bi+1)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Generalized basis reduction algorithm

Partition basis vectors into blocks B = [B1, . . . , Bm]

Block Basis Reduction Algorithm

Locally modify each pair of blocks [Bi, Bi+1] so to minimize the product b∗

j · · · b∗ k corresponding to Bi = [bj, . . . , bk]

Local modification is a dim(Bi)-DSP instance in dimension dim(Bi) + dim(Bi+1) LLL is a special case where dim(Bi) = 1, and 1-DSP = SVP

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Generalized basis reduction algorithm

Partition basis vectors into blocks B = [B1, . . . , Bm]

Block Basis Reduction Algorithm

Locally modify each pair of blocks [Bi, Bi+1] so to minimize the product b∗

j · · · b∗ k corresponding to Bi = [bj, . . . , bk]

Local modification is a dim(Bi)-DSP instance in dimension dim(Bi) + dim(Bi+1) LLL is a special case where dim(Bi) = 1, and 1-DSP = SVP Sliding Reduction [Gama, Nguyen 2008] corresponds to dim(B2i) = 1 and dim(B2i+1) = k. Still, 1-DSP=SVP

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Generalized basis reduction algorithm

Partition basis vectors into blocks B = [B1, . . . , Bm]

Block Basis Reduction Algorithm

Locally modify each pair of blocks [Bi, Bi+1] so to minimize the product b∗

j · · · b∗ k corresponding to Bi = [bj, . . . , bk]

Local modification is a dim(Bi)-DSP instance in dimension dim(Bi) + dim(Bi+1) LLL is a special case where dim(Bi) = 1, and 1-DSP = SVP Sliding Reduction [Gama, Nguyen 2008] corresponds to dim(B2i) = 1 and dim(B2i+1) = k. Still, 1-DSP=SVP [Gama,Howgrave-Graham,Koy,Nguyen 2006]: dim(Bi) = k

Daniele Micciancio Algorithms for the Densest Sublattice Problem

DSP and LLL [GHKN’06]

Assume [b1, . . . , bk] generate the densest k-dimensional sublattice of B = [b1, . . . , bk, bk+1, . . . , bn]

Daniele Micciancio Algorithms for the Densest Sublattice Problem

DSP and LLL [GHKN’06]

Assume [b1, . . . , bk] generate the densest k-dimensional sublattice of B = [b1, . . . , bk, bk+1, . . . , bn] Applying LLL to B does not modify Λ′ = [b1, . . . , bk]Zk

Daniele Micciancio Algorithms for the Densest Sublattice Problem

DSP and LLL [GHKN’06]

Assume [b1, . . . , bk] generate the densest k-dimensional sublattice of B = [b1, . . . , bk, bk+1, . . . , bn] Applying LLL to B does not modify Λ′ = [b1, . . . , bk]Zk Algorithm for k-DSP: enumerate all LLL reduced bases for the input lattice, and select the smallest det([b1, . . . , bk])

Daniele Micciancio Algorithms for the Densest Sublattice Problem

DSP and LLL [GHKN’06]

Assume [b1, . . . , bk] generate the densest k-dimensional sublattice of B = [b1, . . . , bk, bk+1, . . . , bn] Applying LLL to B does not modify Λ′ = [b1, . . . , bk]Zk Algorithm for k-DSP: enumerate all LLL reduced bases for the input lattice, and select the smallest det([b1, . . . , bk]) A lattice can have as many as 2O(n3) reduced bases!

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Better solutions for DSP?

Recursive approach to find solution M to k-DSP

Minimize det(M) = b∗

1 · · · b∗ k where M = [b1, . . . , bk]

First find some b1 ∈ M, somehow. Then minimize b∗

2 · · · b∗ k, i.e. solve (k − 1)-DSP in

projection of Λ orthogonal to b1.

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Better solutions for DSP?

Recursive approach to find solution M to k-DSP

Minimize det(M) = b∗

1 · · · b∗ k where M = [b1, . . . , bk]

First find some b1 ∈ M, somehow. Then minimize b∗

2 · · · b∗ k, i.e. solve (k − 1)-DSP in

projection of Λ orthogonal to b1.

How can we find b1 ∈ M?

Greedily set b1 to shortest lattice vector

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Better solutions for DSP?

Recursive approach to find solution M to k-DSP

Minimize det(M) = b∗

1 · · · b∗ k where M = [b1, . . . , bk]

First find some b1 ∈ M, somehow. Then minimize b∗

2 · · · b∗ k, i.e. solve (k − 1)-DSP in

projection of Λ orthogonal to b1.

How can we find b1 ∈ M?

Greedily set b1 to shortest lattice vector Does not work! E.g., k-DSP for k = 2, n = 3:

SVP b1 = (a, a, a)

• 1/2 < a <
• 2/3

2-DSP b2 = (1, −1, 0) b3 = (0, −1, 1)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Main Lemma and Algorithm

Lemma

For any k-DSP solution M ⊂ Λ, either M contains (every) shortest lattice vector v ∈ Λ, or M contains k linearly independent vectors

• f length ≤ kv

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Main Lemma and Algorithm

Lemma

For any k-DSP solution M ⊂ Λ, either M contains (every) shortest lattice vector v ∈ Λ, or M contains k linearly independent vectors

• f length ≤ kv

Algorithm (by cases): Find shortest lattice vector v, and recurtively solve (k − 1)-DSP in Λ⊥v

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Main Lemma and Algorithm

Lemma

For any k-DSP solution M ⊂ Λ, either M contains (every) shortest lattice vector v ∈ Λ, or M contains k linearly independent vectors

• f length ≤ kv

Algorithm (by cases): Find shortest lattice vector v, and recurtively solve (k − 1)-DSP in Λ⊥v List all (L) vectors of length ≤ kv, and consider all subsets

• f L of size k

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Main Lemma and Algorithm

Lemma

For any k-DSP solution M ⊂ Λ, either M contains (every) shortest lattice vector v ∈ Λ, or M contains k linearly independent vectors

• f length ≤ kv

Algorithm (by cases): Find shortest lattice vector v, and recurtively solve (k − 1)-DSP in Λ⊥v List all (L) vectors of length ≤ kv, and consider all subsets

• f L of size k

Select the best solution found

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Main Lemma and Algorithm

Lemma

For any k-DSP solution M ⊂ Λ, either M contains (every) shortest lattice vector v ∈ Λ, or M contains k linearly independent vectors

• f length ≤ kv

Algorithm (by cases): Find shortest lattice vector v, and recurtively solve (k − 1)-DSP in Λ⊥v List all (L) vectors of length ≤ kv, and consider all subsets

• f L of size k

Select the best solution found Running time is T ≈ 2O(n) + L

k

• Daniele Micciancio

Algorithms for the Densest Sublattice Problem

Bounding the list size

Put a sphere of radius λ/2 around every point in L Spheres are disjoint All spheres belong to larger sphere of radius (k + 1

2)λ

Volume bound: |L| · 1 2 n ≤

• k + 1

2 n kλ

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Bounding the list size

Put a sphere of radius λ/2 around every point in L Spheres are disjoint All spheres belong to larger sphere of radius (k + 1

2)λ

Volume bound: |L| · 1 2 n ≤

• k + 1

2 n kλ

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Bounding the list size

Put a sphere of radius λ/2 around every point in L Spheres are disjoint All spheres belong to larger sphere of radius (k + 1

2)λ

Volume bound: |L| · 1 2 n ≤

• k + 1

2 n kλ

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Bounding the list size

Put a sphere of radius λ/2 around every point in L Spheres are disjoint All spheres belong to larger sphere of radius (k + 1

2)λ

Volume bound: |L| · 1 2 n ≤

• k + 1

2 n kλ

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Bounding the list size

Put a sphere of radius λ/2 around every point in L Spheres are disjoint All spheres belong to larger sphere of radius (k + 1

2)λ

Volume bound: |L| · 1 2 n ≤

• k + 1

2 n kλ

Theorem (Main)

k-DSP can be solved in time T ≈ |L|k = (2k + 1)kn = kO(kn)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Conclusion

First shot at algorithmic solution of Densest Sublattice Problem Problem/Solution extends to arbitrary norms, achieving similar asymptotic running times

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Conclusion

First shot at algorithmic solution of Densest Sublattice Problem Problem/Solution extends to arbitrary norms, achieving similar asymptotic running times Potential applications to lattice basis reduction

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Conclusion

First shot at algorithmic solution of Densest Sublattice Problem Problem/Solution extends to arbitrary norms, achieving similar asymptotic running times Potential applications to lattice basis reduction Plenty of open problems!

Basic algorithm is far from practical. Develop fast heuristic implementations Evaluate performance in practice when run on random lattices within block basis reduction Reduce time dependency on k (currently kO(k·n): can k-DSP be solved in time 2O(n) Explore applications

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Conclusion

First shot at algorithmic solution of Densest Sublattice Problem Problem/Solution extends to arbitrary norms, achieving similar asymptotic running times Potential applications to lattice basis reduction Plenty of open problems!

Basic algorithm is far from practical. Develop fast heuristic implementations Evaluate performance in practice when run on random lattices within block basis reduction Reduce time dependency on k (currently kO(k·n): can k-DSP be solved in time 2O(n) Explore applications

Thanks! Questions?

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Optimizations

k-DSP solution M satisfies other useful properties

Lemma

Any k-DSP solution M always contains a vector of length ≤ γkλ

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Optimizations

k-DSP solution M satisfies other useful properties

Lemma

Any k-DSP solution M always contains a vector of length ≤ γkλ γk = Θ(n), but γk < < k (e.g., γk ≤ 2 for all k = 1, . . . , 8)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Optimizations

k-DSP solution M satisfies other useful properties

Lemma

Any k-DSP solution M always contains a vector of length ≤ γkλ γk = Θ(n), but γk < < k (e.g., γk ≤ 2 for all k = 1, . . . , 8) Notice: M may not contain k linearly independent vectors of length ≤ γkv

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Optimizations

k-DSP solution M satisfies other useful properties

Lemma

Any k-DSP solution M always contains a vector of length ≤ γkλ γk = Θ(n), but γk < < k (e.g., γk ≤ 2 for all k = 1, . . . , 8) Notice: M may not contain k linearly independent vectors of length ≤ γkv Still, lemma is useful to restrict search for b1 to subset of L

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Optimizations

k-DSP solution M satisfies other useful properties

Lemma

Any k-DSP solution M always contains a vector of length ≤ γkλ γk = Θ(n), but γk < < k (e.g., γk ≤ 2 for all k = 1, . . . , 8) Notice: M may not contain k linearly independent vectors of length ≤ γkv Still, lemma is useful to restrict search for b1 to subset of L One can project and recurse for b2, . . . , bk

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Optimizations

k-DSP solution M satisfies other useful properties

Lemma

Any k-DSP solution M always contains a vector of length ≤ γkλ γk = Θ(n), but γk < < k (e.g., γk ≤ 2 for all k = 1, . . . , 8) Notice: M may not contain k linearly independent vectors of length ≤ γkv Still, lemma is useful to restrict search for b1 to subset of L One can project and recurse for b2, . . . , bk Asymptotic running time is still kO(kn)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Noneuclidean norms

ℓ1 and ℓ∞ norms naturally arise in many combinatorial applications, e.g., integer programming

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Noneuclidean norms

ℓ1 and ℓ∞ norms naturally arise in many combinatorial applications, e.g., integer programming Non ℓp norm naturally arise when “projecting” ℓ1 or ℓ∞ norms to lower dimensional subspaces

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Noneuclidean norms

ℓ1 and ℓ∞ norms naturally arise in many combinatorial applications, e.g., integer programming Non ℓp norm naturally arise when “projecting” ℓ1 or ℓ∞ norms to lower dimensional subspaces Our algorithm can be adapted to arbitrary norms, achieving similar running time

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Noneuclidean norms

ℓ1 and ℓ∞ norms naturally arise in many combinatorial applications, e.g., integer programming Non ℓp norm naturally arise when “projecting” ℓ1 or ℓ∞ norms to lower dimensional subspaces Our algorithm can be adapted to arbitrary norms, achieving similar running time Generalization is conceptually simple, but technically involved, using methods from high dimensional convex geometry

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Noneuclidean norms

ℓ1 and ℓ∞ norms naturally arise in many combinatorial applications, e.g., integer programming Non ℓp norm naturally arise when “projecting” ℓ1 or ℓ∞ norms to lower dimensional subspaces Our algorithm can be adapted to arbitrary norms, achieving similar running time Generalization is conceptually simple, but technically involved, using methods from high dimensional convex geometry Even the definition of DSP is not completely obvious

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance in practice

Strightforward implementation of DSP algorithm unlikely to be practical Work in progress: implementation of optimized versions of algorithm for small values of k

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance in practice

Strightforward implementation of DSP algorithm unlikely to be practical Work in progress: implementation of optimized versions of algorithm for small values of k [Schnorr,Euchner 1996] . . . [Gama, Nguyen, Regev 2010]: heuristic pruning methods for SVP/CVP (n ≈ 100) [Nguyen,Stehle 2006] . . . [Chen,Nguyen 2012] LLL-like algoriths much better in practice than γn

2 worst-case bound

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance in practice

Strightforward implementation of DSP algorithm unlikely to be practical Work in progress: implementation of optimized versions of algorithm for small values of k [Schnorr,Euchner 1996] . . . [Gama, Nguyen, Regev 2010]: heuristic pruning methods for SVP/CVP (n ≈ 100) [Nguyen,Stehle 2006] . . . [Chen,Nguyen 2012] LLL-like algoriths much better in practice than γn

2 worst-case bound

Open Problem

Develop effective pruning strategies/heuristics to speed up DSP computation, and evaluate performance in practice on random lattices.

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Single exponential time?

Our algorithm solves k-DSP in TIME(2O(n)) when k = O(1)

Open Problem

Can DSP be solved in time 2O(n) for arbitrary k?

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Single exponential time?

Our algorithm solves k-DSP in TIME(2O(n)) when k = O(1)

Open Problem

Can DSP be solved in time 2O(n) for arbitrary k? It may be tempting to assume that k-DSP must be exponential in k because solution consists of k vectors

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Single exponential time?

Our algorithm solves k-DSP in TIME(2O(n)) when k = O(1)

Open Problem

Can DSP be solved in time 2O(n) for arbitrary k? It may be tempting to assume that k-DSP must be exponential in k because solution consists of k vectors But there is not reason for this to be so:

Shortest Independent Vectors Problem (k-SIVP): Find k linearly independent vectors such that max{v1, . . . , vk} k-DSP similar to k-SIVP, with “det” instead of “max”

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Single exponential time?

Our algorithm solves k-DSP in TIME(2O(n)) when k = O(1)

Open Problem

Can DSP be solved in time 2O(n) for arbitrary k? It may be tempting to assume that k-DSP must be exponential in k because solution consists of k vectors But there is not reason for this to be so:

Shortest Independent Vectors Problem (k-SIVP): Find k linearly independent vectors such that max{v1, . . . , vk} k-DSP similar to k-SIVP, with “det” instead of “max” SIVP reduces to CVP [Micciancio 2008], and therefore it can be solved in time 2O(n) [Micciancio, Voulgaris 2010].

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Single exponential time?

Our algorithm solves k-DSP in TIME(2O(n)) when k = O(1)

Open Problem

Can DSP be solved in time 2O(n) for arbitrary k? It may be tempting to assume that k-DSP must be exponential in k because solution consists of k vectors But there is not reason for this to be so:

Shortest Independent Vectors Problem (k-SIVP): Find k linearly independent vectors such that max{v1, . . . , vk} k-DSP similar to k-SIVP, with “det” instead of “max” SIVP reduces to CVP [Micciancio 2008], and therefore it can be solved in time 2O(n) [Micciancio, Voulgaris 2010].

Alternatively, offer evidence that k-DSP cannot be solved in 2O(n), e.g., reduce higher dimensional CVP problem to DSP

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Rankin constant (Generalizing Hermite γn = γn,1)

γn,k = sup

Λ

inf

B

• det(b1, . . . , bk)1/k

det(Λ)1/n 2k (Rankin 1955)

1 1 2

2 √ 3

1 3

3

√ 2

3

√ 2 1 4 √ 2 3/2 √ 2 1 5 23/5 23/5 1 6

6

• 64/3

32/3 32/3

6

• 64/3

1 7 26/7 26/7 1 8 2 3 4 4 4 3 2 1 24 4 4 1 n/k 1 2 3 4 5 6 7 23 24

DSP algorithm can be used to obtain lower bounds on γn,k

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Rankin constant (Generalizing Hermite γn = γn,1)

γn,k = sup

Λ

inf

B

• det(b1, . . . , bk)1/k

det(Λ)1/n 2k (Rankin 1955)

1 1 2

2 √ 3

1 3

3

√ 2

3

√ 2 1 4 √ 2 3/2 √ 2 1 5 23/5 23/5 1 6

6

• 64/3

32/3 32/3

6

• 64/3

1 7 26/7 26/7 1 8 2 3 4 4 4 3 2 1 24 4 4 1 n/k 1 2 3 4 5 6 7 23 24

DSP algorithm can be used to obtain lower bounds on γn,k

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh)

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

For h = 2, k = 1, we get LLL factor γn

2

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

For h = 2, k = 1, we get LLL factor γn

2

Tradeoff between quality and running time

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

For h = 2, k = 1, we get LLL factor γn

2

Tradeoff between quality and running time Open Problem: Determine optimal values of k, h in theory and/or practice

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

For h = 2, k = 1, we get LLL factor γn

2

Tradeoff between quality and running time Open Problem: Determine optimal values of k, h in theory and/or practice [Gama,Nguyen 2008] suggests that k = 1 offers better tradeoff than k = h/2

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

For h = 2, k = 1, we get LLL factor γn

2

Tradeoff between quality and running time Open Problem: Determine optimal values of k, h in theory and/or practice [Gama,Nguyen 2008] suggests that k = 1 offers better tradeoff than k = h/2 But k = 2 produces better bases than k = 1!

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

For h = 2, k = 1, we get LLL factor γn

2

Tradeoff between quality and running time Open Problem: Determine optimal values of k, h in theory and/or practice [Gama,Nguyen 2008] suggests that k = 1 offers better tradeoff than k = h/2 But k = 2 produces better bases than k = 1! CVP with preprocessing: once a reduced basis is found, it can be used multiple times with different targets

Daniele Micciancio Algorithms for the Densest Sublattice Problem

Performance of DSP Basis Reduction

Using k-DSP algorithm on h-dimensional blocks

Running time kO(kh) SVP approximation factor ≈ γn/k(h−k)

h,k

For h = 2, k = 1, we get LLL factor γn

2

Tradeoff between quality and running time Open Problem: Determine optimal values of k, h in theory and/or practice [Gama,Nguyen 2008] suggests that k = 1 offers better tradeoff than k = h/2 But k = 2 produces better bases than k = 1! CVP with preprocessing: once a reduced basis is found, it can be used multiple times with different targets Using “dynamic” h, k may produce even better bases

Daniele Micciancio Algorithms for the Densest Sublattice Problem