Lattices that Admit Logarithmic Worst-Case to Average-Case - - PowerPoint PPT Presentation

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Chris Peikert1 Alon Rosen2

1SRI International 2Harvard SEAS → IDC Herzliya

STOC 2007

1 / 15

Worst-case versus average-case complexity Lattices are an intriguing case study: ◮ Believed hard in the worst case ◮ Worst-case / average-case reductions

2 / 15

Worst-case versus average-case complexity Lattices are an intriguing case study: ◮ Believed hard in the worst case ◮ Worst-case / average-case reductions This Talk. . . ◮ Not (exactly) about crypto ◮ Special, natural class of algebraic lattices ◮ Very tight worst-case/average-case reductions

• Much tighter than known for general lattices

◮ Distinctions between decision and search ◮ Many open problems

2 / 15

Lattices

Let B = {b1, . . . , bn} ⊂ Rn be linearly independent. The n-dim lattice L having basis B is: L =

n

• i=1

(Z · bi)

b1 b2 3 / 15

Lattices

Let B = {b1, . . . , bn} ⊂ Rn be linearly independent. The n-dim lattice L having basis B is: L =

n

• i=1

(Z · bi)

b1 b2 P

Fundamental region: Parallelepiped P spanned by bis.

3 / 15

Lattices

Let B = {b1, . . . , bn} ⊂ Rn be linearly independent. The n-dim lattice L having basis B is: L =

n

• i=1

(Z · bi)

b1 b2 P λ1

Fundamental region: Parallelepiped P spanned by bis. Minimum distance: λ1 = length of shortest nonzero v ∈ L.

3 / 15

Lattices

Let B = {b1, . . . , bn} ⊂ Rn be linearly independent. The n-dim lattice L having basis B is: L =

n

• i=1

(Z · bi)

b1 b2 P λ1

Fundamental region: Parallelepiped P spanned by bis. Minimum distance: λ1 = length of shortest nonzero v ∈ L. Minkowski’s Theorem λ1 ≤ √n · vol(P)1/n

(Non-constructive, non-algorithmic proof. . . )

3 / 15

Shortest Vector Problem (SVP)

Approximation factor γ = γ(n). Decision: Given basis, distinguish λ1 ≤ 1 from λ1 > γ.

4 / 15

Shortest Vector Problem (SVP)

Approximation factor γ = γ(n). Decision: Given basis, distinguish λ1 ≤ 1 from λ1 > γ. Search: Given basis, find nonzero v ∈ L such that v ≤ γ · λ1.

4 / 15

Shortest Vector Problem (SVP)

Approximation factor γ = γ(n). Decision: Given basis, distinguish λ1 ≤ 1 from λ1 > γ. Search: Given basis, find nonzero v ∈ L such that v ≤ γ · λ1. Hardness ◮ Almost-polynomial factors γ(n) [Ajt,Mic,Kho,HaRe]

4 / 15

Shortest Vector Problem (SVP)

Approximation factor γ = γ(n). Decision: Given basis, distinguish λ1 ≤ 1 from λ1 > γ. Search: Given basis, find nonzero v ∈ L such that v ≤ γ · λ1. Hardness ◮ Almost-polynomial factors γ(n) [Ajt,Mic,Kho,HaRe] Algorithms for SVPγ ◮ γ(n) ∼ 2n approximation in poly-time [LLL] ◮ Can trade-off running time/approximation [Sch,AKS]

4 / 15

Worst-Case/Average-Case Connections [Ajtai,. . . ]

For some γ(n) = poly(n) (“connection factor”): SVPγ hard in the worst case ⇓ problems hard on the average

5 / 15

Worst-Case/Average-Case Connections [Ajtai,. . . ]

For some γ(n) = poly(n) (“connection factor”): SVPγ hard in the worst case ⇓ problems hard on the average Cryptographic Applications ◮ One-way & collision-resistant functions [Ajtai,GGH,. . . ] ◮ Public-key encryption [AjtaiDwork,Regev]

5 / 15

Worst-Case/Average-Case Connections [Ajtai,. . . ]

For some γ(n) = poly(n) (“connection factor”): SVPγ hard in the worst case ⇓ problems hard on the average Cryptographic Applications ◮ One-way & collision-resistant functions [Ajtai,GGH,. . . ] ◮ Public-key encryption [AjtaiDwork,Regev] Optimizing the Connection Factor γ ◮ Interesting to characterize complexity ◮ Important for crypto due to time/accuracy tradeoff ◮ Current best γ(n) ∼ n [MicciancioRegev]

5 / 15

This Work: Ideal Lattices

◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field.

6 / 15

This Work: Ideal Lattices

◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant.

6 / 15

This Work: Ideal Lattices

◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant. SVP on Ideal Lattices ◮ Well-known bottleneck in number theory algorithms: Ideal reduction, unit & class group computation, . . .

6 / 15

This Work: Ideal Lattices

◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant. SVP on Ideal Lattices ◮ Well-known bottleneck in number theory algorithms: Ideal reduction, unit & class group computation, . . . ◮ Decision-SVP is easy to approximate: λ1 ≈ Minkowski bound. Not NP-hard!

6 / 15

This Work: Ideal Lattices

◮ Ideal lattices: special class from algebraic number theory. Ideals in the ring of integers of a number field. ◮ Our interest: number fields with small root discriminant. SVP on Ideal Lattices ◮ Well-known bottleneck in number theory algorithms: Ideal reduction, unit & class group computation, . . . ◮ Decision-SVP is easy to approximate: λ1 ≈ Minkowski bound. Not NP-hard! ◮ Search-SVP appears hard, despite structure. Best known algorithms [LLL,Sch,AKS].

6 / 15

Our Results

Complexity of Ideal Lattices

1 Connection factors as low as γ = √log n.

• Based on search-SVP

.

(Decision is easy.)

• For SVP in any ℓp norm.

(Stay for CCC.)

Classic win-win situation.

2 Relations among problems on ideal lattices (SVP

, CVP).

7 / 15

Our Results

Complexity of Ideal Lattices

1 Connection factors as low as γ = √log n.

• Based on search-SVP

.

(Decision is easy.)

• For SVP in any ℓp norm.

(Stay for CCC.)

Classic win-win situation.

2 Relations among problems on ideal lattices (SVP

, CVP). Subtleties No efficient constructions of best number fields (yet). ⇒ Non-uniformity (preprocessing) in reductions. ⇒ Crypto is tricky. ⇒ Many interesting open problems!

7 / 15

Other Special Classes of Lattices

1 “Unique” shortest vector:

• One-way/CR functions [Ajtai,GGH]
• Public-key encryption [AjtaiDwork,Regev]

8 / 15

Other Special Classes of Lattices

1 “Unique” shortest vector:

• One-way/CR functions [Ajtai,GGH]
• Public-key encryption [AjtaiDwork,Regev]

2 Cyclic lattices:

• Efficient & compact OWFs [Micciancio]
• Collision-resistant hashing [PeikertRosen,LyubashevskyMicciancio]

8 / 15

Other Special Classes of Lattices

1 “Unique” shortest vector:

• One-way/CR functions [Ajtai,GGH]
• Public-key encryption [AjtaiDwork,Regev]

2 Cyclic lattices:

• Efficient & compact OWFs [Micciancio]
• Collision-resistant hashing [PeikertRosen,LyubashevskyMicciancio]

Structure used for functionality & efficiency. Connection factors γ ∼ n or more.

8 / 15

Worst-to-Average Reduction [Ajtai,. . . ]

Average-Case Problem For uniform a1, . . . , am ← Zn mod q, find short nonzero z ∈ Zm:

• ziai = 0 mod q.

9 / 15

Worst-to-Average Reduction [Ajtai,. . . ]

Average-Case Problem For uniform a1, . . . , am ← Zn mod q, find short nonzero z ∈ Zm:

• ziai = 0 mod q.

Reduction

1 Sample offset vectors i ∈ Rn, derive uniform ai’s 2 Get short solution z ∈ Zm 3 Output ( zi · i) ∈ L

9 / 15

Worst-to-Average Reduction [Ajtai,. . . ]

Average-Case Problem For uniform a1, . . . , am ← Zn mod q, find short nonzero z ∈ Zm:

• ziai = 0 mod q.

Reduction

1 Sample offset vectors i ∈ Rn, derive uniform ai’s 2 Get short solution z ∈ Zm 3 Output ( zi · i) ∈ L

9 / 15

Worst-to-Average Reduction [Ajtai,. . . ]

Average-Case Problem For uniform a1, . . . , am ← Zn mod q, find short nonzero z ∈ Zm:

• ziai = 0 mod q.

Reduction

1 Sample offset vectors i ∈ Rn, derive uniform ai’s 2 Get short solution z ∈ Zm 3 Output ( zi · i) ∈ L

9 / 15

Worst-to-Average Reduction [Ajtai,. . . ]

Average-Case Problem For uniform a1, . . . , am ← Zn mod q, find short nonzero z ∈ Zm:

• ziai = 0 mod q.

Reduction

1 Sample offset vectors i ∈ Rn, derive uniform ai’s 2 Get short solution z ∈ Zm 3 Output ( zi · i) ∈ L

9 / 15

Worst-to-Average Reduction [Ajtai,. . . ]

Average-Case Problem For uniform a1, . . . , am ← Zn mod q, find short nonzero z ∈ Zm:

• ziai = 0 mod q.

Reduction

1 Sample offset vectors i ∈ Rn, derive uniform ai’s 2 Get short solution z ∈ Zm 3 Output ( zi · i) ∈ L

Connection Factor ◮ Size of solution z ∈ Zm ◮ Lengths of offset vectors

i

9 / 15

Our Approach

◮ Replace “1-dim” integers Z with “n-dim integers” OK. OK = ring of algebraic integers in number field K of degree n.

10 / 15

Our Approach

◮ Replace “1-dim” integers Z with “n-dim integers” OK. OK = ring of algebraic integers in number field K of degree n.

• Has + and ×, “absolute value” |·|, . . .

10 / 15

Our Approach

◮ Replace “1-dim” integers Z with “n-dim integers” OK. OK = ring of algebraic integers in number field K of degree n.

• Has + and ×, “absolute value” |·|, . . .
• Is an n-dim lattice under K’s canonical embedding.

Z OK

10 / 15

Our Approach

◮ Replace “1-dim” integers Z with “n-dim integers” OK. OK = ring of algebraic integers in number field K of degree n.

• Has + and ×, “absolute value” |·|, . . .
• Is an n-dim lattice under K’s canonical embedding.

Before After Worst-case object lattice in Rn: ideal in OK: (Z · bi) for bi ∈ Rn (OK · bi) for bi ∈ OK

10 / 15

Our Approach

◮ Replace “1-dim” integers Z with “n-dim integers” OK. OK = ring of algebraic integers in number field K of degree n.

• Has + and ×, “absolute value” |·|, . . .
• Is an n-dim lattice under K’s canonical embedding.

Before After Worst-case object lattice in Rn: ideal in OK: (Z · bi) for bi ∈ Rn (OK · bi) for bi ∈ OK Avg-case problem for ai ← Zn mod q for ai ← OK mod q find small zi ∈ Z: find “small” zi ∈ OK: ziai = 0 mod q ziai = 0 mod q

10 / 15

Improving the Reduction

◮ Replace Z with OK. ◮ Use K having constant root discriminant (as function of dim n).

11 / 15

Improving the Reduction

◮ Replace Z with OK. ◮ Use K having constant root discriminant (as function of dim n). Before After

• 1. Size of solution z

√n log n √log n

• 2. Length of offsets

≥ √n · λ1 λ1

11 / 15

Improving the Reduction

◮ Replace Z with OK. ◮ Use K having constant root discriminant (as function of dim n). Before After

• 1. Size of solution z

√n log n √log n

• 2. Length of offsets

≥ √n · λ1 λ1

1 Why shorter solutions?

• OK is much “denser” than Z.

11 / 15

Improving the Reduction

◮ Replace Z with OK. ◮ Use K having constant root discriminant (as function of dim n). Before After

• 1. Size of solution z

√n log n √log n

• 2. Length of offsets

≥ √n · λ1 λ1

1 Why shorter solutions?

• OK is much “denser” than Z.

2 Why shorter offsets?

• Ideal lattice primal & dual have (optimally) large λ1.

11 / 15

Crash Course in Algebraic Number Theory

12 / 15

Crash Course in Algebraic Number Theory

12 / 15

Pretty Pictures: Ideal Lattices

13 / 15

Pretty Pictures: Ideal Lattices

13 / 15

Pretty Pictures: Ideal Lattices

13 / 15

Pretty Pictures: Ideal Lattices

◮ Root discriminant DK = (fundamental volume)2/n

13 / 15

Pretty Pictures: Ideal Lattices

◮ Root discriminant DK = (fundamental volume)2/n

√n · p DK 13 / 15

Pretty Pictures: Ideal Lattices

◮ Root discriminant DK = (fundamental volume)2/n

x · y = 1 x · y = −1 x · y = 2

... ...

√n · p DK 13 / 15

Pretty Pictures: Ideal Lattices

◮ Root discriminant DK = (fundamental volume)2/n ◮ Minimum distance λ1 easy to estimate

x · y = 1 x · y = −1 x · y = 2

... ...

√n · p DK √n 13 / 15

Pretty Pictures: Ideal Lattices

◮ Root discriminant DK = (fundamental volume)2/n ◮ Minimum distance λ1 easy to estimate ◮ Same for dual lattice ⇒ short offsets

x · y = 1 x · y = −1 x · y = 2

... ...

√n · p DK √n 13 / 15

Shorter Average-Case Solutions

◮ OK is much denser than Z. Z |z| ≤ β ∼ 2β elements OK ∼ βn elements!

14 / 15

Shorter Average-Case Solutions

◮ OK is much denser than Z. Z |z| ≤ β ∼ 2β elements OK ∼ βn elements!

14 / 15

Shorter Average-Case Solutions

◮ OK is much denser than Z. Z |z| ≤ β ∼ 2β elements OK ∼ βn elements! ◮ Solutions taken over OK instead of Z.

14 / 15

Shorter Average-Case Solutions

◮ OK is much denser than Z. Z |z| ≤ β ∼ 2β elements OK ∼ βn elements! ◮ Solutions taken over OK instead of Z. ◮ Denser OK ⇒ denser, shorter solutions.

14 / 15

Open Problems

Good families of number fields K are crucial!

15 / 15

Open Problems

Good families of number fields K are crucial!

1 Need small root discriminant DK (as function of dim n).

Families with DK < 100 exist & are easy to verify. Q1: Are there efficient asymptotic constructions?

15 / 15

Open Problems

Good families of number fields K are crucial!

1 Need small root discriminant DK (as function of dim n).

Families with DK < 100 exist & are easy to verify. Q1: Are there efficient asymptotic constructions?

• Concrete good K known up to n ∼ 85
• Even DK ∼ n2/3 is useful

15 / 15

Open Problems

Good families of number fields K are crucial!

1 Need small root discriminant DK (as function of dim n).

Families with DK < 100 exist & are easy to verify. Q1: Are there efficient asymptotic constructions?

• Concrete good K known up to n ∼ 85
• Even DK ∼ n2/3 is useful

2 Reductions are non-uniform: need short basis for OK.

Q2: Can explicit constructions yield this advice “for free”?

15 / 15

Open Problems

Good families of number fields K are crucial!

1 Need small root discriminant DK (as function of dim n).

Families with DK < 100 exist & are easy to verify. Q1: Are there efficient asymptotic constructions?

• Concrete good K known up to n ∼ 85
• Even DK ∼ n2/3 is useful

2 Reductions are non-uniform: need short basis for OK.

Q2: Can explicit constructions yield this advice “for free”?

3 Crypto is tricky: must map {0, 1}∗ to short elts of OK.

Q3: Can this be done efficiently?

15 / 15