SLIDE 1

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Vadim Lyubashevsky Daniele Micciancio

SLIDE 2

Lattices

Lattice: A discrete additive subgroup of R^n

SLIDE 3

Lattices

Basis: A set of linearly independent vectors that generate the lattice.

SLIDE 5

Why are Lattices Interesting?
(In Cryptography)

Ajtai ('96) showed that solving “average” instances of some lattice problem implies solving all instances of a lattice problem.

Possible to base cryptography on worst-case instances of lattice problems.

SLIDE 6

Diagram (figure text only): SIVP -> Minicrypt primitives [Ajt '96, ...]
SLIDE 7

Shortest Independent Vector Problem (SIVP)

Find n short linearly independent vectors

SLIDE 9

Approximate Shortest Independent Vector Problem

Find n pretty short linearly independent vectors

SLIDE 10

Diagram (figure text only): SIVP -(n, [Ban '93])- GapSVP -> Minicrypt primitives [Ajt '96, ...]
SLIDE 11

Minimum Distance Problem (GapSVP)

Find the minimum distance between the vectors in the lattice

SLIDE 14

Diagram (figure text only): SIVP -(n, [Ban '93])- GapSVP -> Minicrypt primitives [Ajt '96, ...]; uSVP -> Cryptosystems (Ajtai-Dwork '97, Regev '03)

SLIDE 15

Unique Shortest Vector Problem (uSVP)

Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

SLIDE 17

Diagram (figure text only): SIVP -(n, [Ban '93])- GapSVP -> Minicrypt primitives [Ajt '96, ...]; uSVP -> Cryptosystems (Ajtai-Dwork '97, Regev '03); edge labeled ≈1 [Reg '03]

SLIDE 18

Diagram (figure text only): SIVP -(n, [Ban '93])- GapSVP -> Minicrypt primitives [Ajt '96, ...]; uSVP -> Cryptosystems (Ajtai-Dwork '97, Regev '03); edge labeled ≈1 [Reg '03]; Cryptosystem Regev '05 (quantum reduction)

SLIDE 19

Diagram (figure text only): SIVP -(n, [Ban '93])- GapSVP -> Minicrypt primitives [Ajt '96, ...]; uSVP -> Cryptosystems (Ajtai-Dwork '97, Regev '03); edge labeled ≈1 [Reg '03]; Cryptosystems Regev '05, Peikert '09 (quantum reduction)

SLIDE 20

Diagram (figure text only): problems GapSVP, BDD, uSVP, SIVP; edge labels n [Ban '93], n [Reg '05] (quantum reduction), [GG '97, Pei '09], ≈1 [Reg '03]; Cryptosystems Ajtai-Dwork '97, Regev '03; Minicrypt primitives [Ajt '96, ...]; Cryptosystems Regev '05, Peikert '09

SLIDE 21

Bounded Distance Decoding (BDD)

Given a target vector that's close to the lattice, find the nearest lattice vector

SLIDE 22

Diagram (figure text only): problems GapSVP, BDD, uSVP, SIVP; edge labels 1, 2, 1 on the GapSVP, BDD, uSVP edges, n [Ban '93], n [Reg '05] (quantum reduction), [GG '97, Pei '09]; Cryptosystems Ajtai-Dwork '97, Regev '03; Minicrypt primitives [Ajt '96, ...]; Cryptosystems Regev '05, Peikert '09

SLIDE 23

Diagram (figure text only): GapSVP, BDD, uSVP, SIVP (quantum reduction); Minicrypt primitives; Cryptosystems

SLIDE 24

Cryptosystem Hardness Assumptions

Table (cell alignment lost in extraction): columns uSVP, BDD, GapSVP, SIVP (quantum); rows Ajtai-Dwork '97, Regev '03, Regev '05, Peikert '09. Approximation factors as extracted:
O(n^2) O(n^2) O(n^2.5) O(n^3) O(n^1.5) O(n^1.5) O(n^2) O(n^2.5) O(n^1.5) O(n^1.5) O(n^1.5) O(n^2) O(n^2.5)

Implications of our results

SLIDE 25

Lattice-Based Primitives

Minicrypt
  • One-way functions [Ajt '96]
  • Collision-resistant hash functions [Ajt '96, MR '07]
  • Identification schemes [MV '03, Lyu '08, KTX '08]
  • Signature schemes [LM '08, GPV '08]
All based on GapSVP and SIVP

Public-Key Cryptosystems
  • [AD '97] (uSVP)
  • [Reg '03] (uSVP)
  • [Reg '05] (SIVP and GapSVP under quantum reductions)
  • [Pei '09] (GapSVP)
All based on GapSVP and quantum SIVP

Major Open Problem: Construct cryptosystems based on SIVP

SLIDE 26

Reductions

Diagram (figure text only): GapSVP, BDD, uSVP with edge labels 1, 2, 1

SLIDE 27

Proof Sketch (BDD < uSVP)

SLIDE 34

Proof Sketch (BDD < uSVP)

New basis vector used exactly once in constructing the unique shortest vector. Subtracting the unique shortest vector from the new basis vector gives the closest point to the target.
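The embedding step of this proof sketch as an added Python example (not code from the slides or the paper): the 2-D basis, the target and the value of mu are assumptions constructed here, and the uSVP oracle is a brute-force search that only works at this toy size.

```python
# Added example (not from the slides): the embedding step of the BDD < uSVP
# proof sketch on a constructed 2-D integer lattice with a brute-force stand-in
# for the uSVP oracle. Basis, target and mu are assumptions chosen here.
from itertools import product

def lattice_vector(basis, coeffs):
    """Integer combination sum(c_i * b_i) of the basis rows."""
    return tuple(sum(c * b[k] for c, b in zip(coeffs, basis))
                 for k in range(len(basis[0])))

def norm_sq(vec):
    return sum(x * x for x in vec)

def usvp_oracle(basis, bound=5):
    """Toy uSVP solver: exhaustive search over coefficients in [-bound, bound].
    Fine for a tiny near-orthogonal basis; a real solver would run LLL/BKZ."""
    best = None
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        if any(coeffs):
            vec = lattice_vector(basis, coeffs)
            if best is None or norm_sq(vec) < norm_sq(best):
                best = vec
    return best

def bdd_via_usvp(basis, target, mu):
    """BDD -> uSVP: append (target, mu) to the basis as a new basis vector.

    If target = v + e with e much shorter than the lattice's minimum
    distance, the unique shortest vector of the embedded lattice is
    +/-(e, mu): it uses the new basis vector exactly once, and subtracting
    it from (target, mu) recovers the closest lattice point v.
    """
    n = len(target)
    embedded = [tuple(b) + (0,) for b in basis] + [tuple(target) + (mu,)]
    s = usvp_oracle(embedded)
    if abs(s[n]) != mu:  # new basis vector not used exactly once: promise violated
        raise ValueError("embedding gap too small for the BDD promise")
    if s[n] < 0:  # the oracle may return -s; normalise the sign
        s = tuple(-x for x in s)
    return tuple(target[k] - s[k] for k in range(n))

# Constructed instance: near-orthogonal basis, target = v + (1, -1)
BASIS = [(10, 1), (-2, 9)]
CLOSEST = lattice_vector(BASIS, (2, -1))  # v = 2*b1 - b2 = (22, -7)
TARGET = (CLOSEST[0] + 1, CLOSEST[1] - 1)  # t = (23, -8)

if __name__ == "__main__":
    print("closest lattice point:", bdd_via_usvp(BASIS, TARGET, mu=1))
```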

SLIDE 35

Open Problems

  • Can we construct cryptosystems based on SIVP?
    − (SVP would be even better!)
  • Can the reduction GapSVP < BDD be tightened?
  • Can the reduction BDD < uSVP be tightened?

SLIDE 36

Thanks!