On the Quantitative Hardness of CVP Huck Bennett, Alexander - - PowerPoint PPT Presentation

On the Quantitative Hardness

• f CVP

Huck Bennett, Alexander Golovnev, Noah Stephens-Davidowitz NYCAC 2017

Outline

■ Closest Vector Problem ■ Applications ■ Hardness ■ Isolating Parallelepipeds

The Closest Vector Problem

Lattice

■ A lattice L is the set of all integer combinations of linearly independent basis vectors ⃗ b1, . . . ,⃗ bn ∈ Rd L = L(⃗ b1, . . . ,⃗ bn) := {

n

∑

i=1

zi⃗ bi : zi ∈ Z } n is the rank of , d is the (ambient) dimension

Lattice

■ A lattice L is the set of all integer combinations of linearly independent basis vectors ⃗ b1, . . . ,⃗ bn ∈ Rd L = L(⃗ b1, . . . ,⃗ bn) := {

n

∑

i=1

zi⃗ bi : zi ∈ Z } ■ n is the rank of L, d is the (ambient) dimension

• Lattice. Example

b1 b2

• Lattice. Example

b1 b2 b1 + b2

• Lattice. Example

b1 b2 b1 + b2 2b1 + b2

• Lattice. Example

b1 b2 b1 + b2 2b1 + b2

• Lattice. Example

b1 b2 b1 + b2 2b1 + b2 t

• Lattice. Example

b1 b2 b1 + b2 2b1 + b2 t

• Lattice. Example

b1 b2

• Lattice. Example

b1 b2 t

• Lattice. Example

b1 b2 t

Closest Vector Problem

■ Given a basis for a L ⊂ Rd and a target t ∈ Rd, compute the distance from t to L Distance is defjned in terms of the

p norm;

for 1 p : x p x1

p

x2

p

xd

p 1 p

for p : x

1 i d xi

CVPp —Closest Vector Problem in the

p norm

Closest Vector Problem

■ Given a basis for a L ⊂ Rd and a target t ∈ Rd, compute the distance from t to L ■ Distance is defjned in terms of the ℓp norm; for 1 ≤ p < ∞: ∥⃗ x∥p := (|x1|p + |x2|p + · · · + |xd|p)1/p for p = ∞: ∥⃗ x∥∞ := max

1≤i≤d |xi|

CVPp —Closest Vector Problem in the

p norm

Closest Vector Problem

■ Given a basis for a L ⊂ Rd and a target t ∈ Rd, compute the distance from t to L ■ Distance is defjned in terms of the ℓp norm; for 1 ≤ p < ∞: ∥⃗ x∥p := (|x1|p + |x2|p + · · · + |xd|p)1/p for p = ∞: ∥⃗ x∥∞ := max

1≤i≤d |xi|

■ CVPp —Closest Vector Problem in the ℓp norm

Applications

Applications

■ Factoring polynomials over the rationals [LLL’82] Integer Programming [Len83,Kan87,DPV11] Cryptanalysis [Odl90,JS98,NS01]

Applications

■ Factoring polynomials over the rationals [LLL’82] ■ Integer Programming [Len83,Kan87,DPV11] Cryptanalysis [Odl90,JS98,NS01]

Applications

■ Factoring polynomials over the rationals [LLL’82] ■ Integer Programming [Len83,Kan87,DPV11] ■ Cryptanalysis [Odl90,JS98,NS01]

Lattice-Based Cryptography

■ Conjectured Quantum Security Effjciency, Parallelism, Simplicity Worst-Case Hardness Proofs Powerful Cryptography: FHE, ABE About to be Deployed

Lattice-Based Cryptography

■ Conjectured Quantum Security ■ Effjciency, Parallelism, Simplicity Worst-Case Hardness Proofs Powerful Cryptography: FHE, ABE About to be Deployed

Lattice-Based Cryptography

■ Conjectured Quantum Security ■ Effjciency, Parallelism, Simplicity ■ Worst-Case Hardness Proofs Powerful Cryptography: FHE, ABE About to be Deployed

Lattice-Based Cryptography

■ Conjectured Quantum Security ■ Effjciency, Parallelism, Simplicity ■ Worst-Case Hardness Proofs ■ Powerful Cryptography: FHE, ABE About to be Deployed

Lattice-Based Cryptography

■ Conjectured Quantum Security ■ Effjciency, Parallelism, Simplicity ■ Worst-Case Hardness Proofs ■ Powerful Cryptography: FHE, ABE ■ About to be Deployed

Real Life Cryptography

Real Life Cryptography

Real Life Cryptography

Hardness

Hardness of CVP

■ CVPp is NP-hard for every 1 ≤ p ≤ ∞ [vEB81] CVP2 can be solved in 2n o n time [ADS15] Cryptographic applications require quantitative hardness of CVP [ADPS16,BCD+16,NIS16]: a 2n 20-time algorithm would break these schemes in practice

Hardness of CVP

■ CVPp is NP-hard for every 1 ≤ p ≤ ∞ [vEB81] ■ CVP2 can be solved in 2n+o(n) time [ADS15] Cryptographic applications require quantitative hardness of CVP [ADPS16,BCD+16,NIS16]: a 2n 20-time algorithm would break these schemes in practice

Hardness of CVP

■ CVPp is NP-hard for every 1 ≤ p ≤ ∞ [vEB81] ■ CVP2 can be solved in 2n+o(n) time [ADS15] ■ Cryptographic applications require quantitative hardness of CVP [ADPS16,BCD+16,NIS16]: a 2n/20-time algorithm would break these schemes in practice

k-SAT

■ (x1 ∨ ¬x2 ∨ . . . ∨ xk) ∧ . . . ∧ (x7 ∨ ¬x4 ∨ . . . ∨ x3) n Boolean vars, m clauses, clause length k SETH [IP99]. There exists a constant k: no algorithm solves k-SAT in 20 99n time Goal: Reduce k-SAT on n vars to CVP on a rank-n lattice

k-SAT

■ (x1 ∨ ¬x2 ∨ . . . ∨ xk) ∧ . . . ∧ (x7 ∨ ¬x4 ∨ . . . ∨ x3) ■ n Boolean vars, m clauses, clause length ≤k SETH [IP99]. There exists a constant k: no algorithm solves k-SAT in 20 99n time Goal: Reduce k-SAT on n vars to CVP on a rank-n lattice

k-SAT

■ (x1 ∨ ¬x2 ∨ . . . ∨ xk) ∧ . . . ∧ (x7 ∨ ¬x4 ∨ . . . ∨ x3) ■ n Boolean vars, m clauses, clause length ≤k ■ SETH [IP99]. There exists a constant k: no algorithm solves k-SAT in 20.99n time Goal: Reduce k-SAT on n vars to CVP on a rank-n lattice

k-SAT

■ (x1 ∨ ¬x2 ∨ . . . ∨ xk) ∧ . . . ∧ (x7 ∨ ¬x4 ∨ . . . ∨ x3) ■ n Boolean vars, m clauses, clause length ≤k ■ SETH [IP99]. There exists a constant k: no algorithm solves k-SAT in 20.99n time ■ Goal: Reduce k-SAT on n vars to CVP on a rank-n lattice

A Very Special Case: 2-SAT

x1 x2 · · · xn−1 xn x1 2α · · · x2 2α · · · . . . . . . . . . ... xn · · · 2α C1 = (x1 ∨ x2) 2 2 · · · C2 = (x1 ∨ xn) 2 · · · 2 . . . . . . . . . ... . . . . . . Cm = (xn−1 ∨ xn) · · · 2 2 α α . . . α 3 3 . . . 3

A Very Special Case: 2-SAT

x1 x2 · · · xn−1 xn x1 2α · · · x2 2α · · · . . . . . . . . . ... xn · · · 2α C1 = (x1 ∨ x2) 2 2 · · · C2 = (x1 ∨ xn) 2 · · · 2 . . . . . . . . . ... . . . . . . Cm = (xn−1 ∨ xn) · · · 2 2 α α . . . α 3 3 . . . 3

A Very Special Case: 2-SAT

x1 x2 · · · xn−1 xn x1 2α · · · x2 2α · · · . . . . . . . . . ... xn · · · 2α C1 = (x1 ∨ x2) 2 2 · · · C2 = (x1 ∨ xn) 2 · · · 2 . . . . . . . . . ... . . . . . . Cm = (xn−1 ∨ xn) · · · 2 2 α α . . . α 3 3 . . . 3

A Very Special Case: 2-SAT. Proof

x1 x2 · · · xn−1 xn 2α · · · 2α · · · . . . . . . ... · · · 2α 2 2 · · · 2 · · · 2 . . . . . . ... . . . . . . · · · 2 2 α α . . . α 3 3 . . . 3 α is very large If x 0 1 n, fjrst n lines give distance n

p

If x 0 1 n, distance is n 1

p

A Very Special Case: 2-SAT. Proof

x1 x2 · · · xn−1 xn 2α · · · 2α · · · . . . . . . ... · · · 2α 2 2 · · · 2 · · · 2 . . . . . . ... . . . . . . · · · 2 2 α α . . . α 3 3 . . . 3 α is very large If x ∈ {0, 1}n, fjrst n lines give distance nαp If x 0 1 n, distance is n 1

p

A Very Special Case: 2-SAT. Proof

x1 x2 · · · xn−1 xn 2α · · · 2α · · · . . . . . . ... · · · 2α 2 2 · · · 2 · · · 2 . . . . . . ... . . . . . . · · · 2 2 α α . . . α 3 3 . . . 3 α is very large If x ∈ {0, 1}n, fjrst n lines give distance nαp If x ̸∈ {0, 1}n, distance is ≥ (n + 1)αp

A Very Special Case: 2-SAT. Proof

x1 x2 · · · xn−1 xn 2α · · · 2α · · · . . . . . . ... · · · 2α 2 2 · · · 2 · · · 2 . . . . . . ... . . . . . . · · · 2 2 α α . . . α 3 3 . . . 3 x ∈ {0, 1}n sat clause con- tributes 1 to the distance unsat clause contributes 3p 1

A Very Special Case: 2-SAT. Proof

x1 x2 · · · xn−1 xn 2α · · · 2α · · · . . . . . . ... · · · 2α 2 2 · · · 2 · · · 2 . . . . . . ... . . . . . . · · · 2 2 α α . . . α 3 3 . . . 3 x ∈ {0, 1}n sat clause con- tributes 1 to the distance unsat clause contributes 3p 1

A Very Special Case: 2-SAT. Proof

x1 x2 · · · xn−1 xn 2α · · · 2α · · · . . . . . . ... · · · 2α 2 2 · · · 2 · · · 2 . . . . . . ... . . . . . . · · · 2 2 α α . . . α 3 3 . . . 3 x ∈ {0, 1}n sat clause con- tributes 1 to the distance unsat clause contributes 3p > 1

MAX-2-SAT

■ Given an instance of 2-SAT, we construct an instance of CVPp, s.t.

■ If all clauses are sat —distance is small ■ If not all clauses are sat —distance is large

Actually, the reduction gives the number of satisfjable clauses This is an NP-hard problem MAX-2-SAT Best algorithm for MAX-2-SAT runs in 2 n 3 1 74n

MAX-2-SAT

■ Given an instance of 2-SAT, we construct an instance of CVPp, s.t.

■ If all clauses are sat —distance is small ■ If not all clauses are sat —distance is large

■ Actually, the reduction gives the number of satisfjable clauses This is an NP-hard problem MAX-2-SAT Best algorithm for MAX-2-SAT runs in 2 n 3 1 74n

MAX-2-SAT

■ Given an instance of 2-SAT, we construct an instance of CVPp, s.t.

■ If all clauses are sat —distance is small ■ If not all clauses are sat —distance is large

■ Actually, the reduction gives the number of satisfjable clauses ■ This is an NP-hard problem MAX-2-SAT Best algorithm for MAX-2-SAT runs in 2 n 3 1 74n

MAX-2-SAT

■ Given an instance of 2-SAT, we construct an instance of CVPp, s.t.

■ If all clauses are sat —distance is small ■ If not all clauses are sat —distance is large

■ Actually, the reduction gives the number of satisfjable clauses ■ This is an NP-hard problem MAX-2-SAT ■ Best algorithm for MAX-2-SAT runs in 2ωn/3 < 1.74n

Generalization to k-SAT?

■ For all values of k, we want to reduce k-SAT to CVPp This would give 1 99n-hardness of CVPp under SETH A 2-SAT clause is sat ifg # of sat literals is 1 or 2 2 and 4 are equidistant from 3! For k-SAT, we can’t fjnd k numbers which are equidistant from some other number...

Generalization to k-SAT?

■ For all values of k, we want to reduce k-SAT to CVPp ■ This would give 1.99n-hardness of CVPp under SETH A 2-SAT clause is sat ifg # of sat literals is 1 or 2 2 and 4 are equidistant from 3! For k-SAT, we can’t fjnd k numbers which are equidistant from some other number...

Generalization to k-SAT?

■ For all values of k, we want to reduce k-SAT to CVPp ■ This would give 1.99n-hardness of CVPp under SETH ■ A 2-SAT clause is sat ifg # of sat literals is 1 or 2 2 and 4 are equidistant from 3! For k-SAT, we can’t fjnd k numbers which are equidistant from some other number...

Generalization to k-SAT?

■ For all values of k, we want to reduce k-SAT to CVPp ■ This would give 1.99n-hardness of CVPp under SETH ■ A 2-SAT clause is sat ifg # of sat literals is 1 or 2 ■ 2 and 4 are equidistant from 3! For k-SAT, we can’t fjnd k numbers which are equidistant from some other number...

Generalization to k-SAT?

■ For all values of k, we want to reduce k-SAT to CVPp ■ This would give 1.99n-hardness of CVPp under SETH ■ A 2-SAT clause is sat ifg # of sat literals is 1 or 2 ■ 2 and 4 are equidistant from 3! ■ For k-SAT, we can’t fjnd k numbers which are equidistant from some other number...

Generalization to k-SAT!

■ We can fjnd k vectors which are equidistant from some other vector! Goal: Find k vectors V v1 vk

m k

and t

m, s.t.

for all non-zero y 0 1 k, Vy t p 1 for y 0k, Vy t p t p 1

Generalization to k-SAT!

■ We can fjnd k vectors which are equidistant from some other vector! ■ Goal: Find k vectors V = (⃗ v1, . . . , ⃗ vk) ∈ Rm×k and⃗ t ∈ Rm, s.t.

■ for all non-zero⃗

y ∈ {0, 1}k, ∥V⃗ y −⃗ t∥p = 1

■ for⃗

y = 0k, ∥V⃗ y −⃗ t∥p = ∥⃗ t∥p > 1

Generalization to k-SAT!

■ We can fjnd k vectors which are equidistant from some other vector! ■ Goal: Find k vectors V = (⃗ v1, . . . , ⃗ vk) ∈ Rm×k and⃗ t ∈ Rm, s.t.

■ for all non-zero⃗

y ∈ {0, 1}k, ∥V⃗ y −⃗ t∥p = 1

■ for⃗

y = 0k, ∥V⃗ y −⃗ t∥p = ∥⃗ t∥p > 1

v1 v2 v1 + v2 t∗

Isolating Parallelepipeds

Isolating Parallelepipeds

Defjnition (Isolating Parallelepiped) k vectors V = (⃗ v1, . . . , ⃗ vk) ∈ Rm×k and⃗ t ∈ Rm

■ for all non-zero⃗

y ∈ {0, 1}k, ∥V⃗ y −⃗ t∥p = 1

■ for⃗

y = 0k, ∥V⃗ y −⃗ t∥p = ∥⃗ t∥p > 1

Isolating Parallelepipeds in ℓ1

Defjnition (Isolating Parallelepiped) k vectors V = (⃗ v1, . . . , ⃗ vk) ∈ Rm×k and⃗ t ∈ Rm

■ for all non-zero⃗

y ∈ {0, 1}k, ∥V⃗ y −⃗ t∥p = 1

■ for⃗

y = 0k, ∥V⃗ y −⃗ t∥p = ∥⃗ t∥p > 1

(0, 0) (1, 1) (2, 2) (k, k) t∗ · · ·

Isolating Parallelepipeds in ℓ2

v1 v2 v1 + v2 t∗

Can we do for 3 vectors? No!

Isolating Parallelepipeds in ℓ2

v1 v2 v1 + v2 t∗

Can we do for 3 vectors? No!

Isolating Parallelepipeds in ℓ2

v1 v2 v1 + v2 t∗

Can we do for 3 vectors? No!

Isolating Parallelepipeds

■ If p is an odd integer, then IPs always exist If p is an even integer, then IPs exist only for at most k p vectors For any k and any p p0 n with n and n 0, they exist for suffjciently large n For any fjxed k, IPs exist for all but fjnitely many values of p

Isolating Parallelepipeds

■ If p is an odd integer, then IPs always exist ■ If p is an even integer, then IPs exist only for at most k ≤ p vectors For any k and any p p0 n with n and n 0, they exist for suffjciently large n For any fjxed k, IPs exist for all but fjnitely many values of p

Isolating Parallelepipeds

■ If p is an odd integer, then IPs always exist ■ If p is an even integer, then IPs exist only for at most k ≤ p vectors ■ For any k and any p = p0 + δ(n) with δ(n) ̸= 0 and δ(n) → 0, they exist for suffjciently large n For any fjxed k, IPs exist for all but fjnitely many values of p

Isolating Parallelepipeds

■ If p is an odd integer, then IPs always exist ■ If p is an even integer, then IPs exist only for at most k ≤ p vectors ■ For any k and any p = p0 + δ(n) with δ(n) ̸= 0 and δ(n) → 0, they exist for suffjciently large n ■ For any fjxed k, IPs exist for all but fjnitely many values of p

Candidate for odd p

V :=

3 2 2 2 1 1 1

              1 1 1 1 1 −1 1 −1 1 −1 1 1 1 −1 −1 −1 1 −1 −1 −1 1 −1 −1 −1               , ⃗ t :=               t t t t t t t t               .

Candidate for odd p

V := α3× α2× α2× α2× α1× α1× α1× α0×               1 1 1 1 1 −1 1 −1 1 −1 1 1 1 −1 −1 −1 1 −1 −1 −1 1 −1 −1 −1               , ⃗ t :=               t t t t t t t t               .

Constraints for odd p

■ This gives a system of k linear equations on α1, . . . , αk But we need a solution with all ’s non-negative M t k k

1 k k

M 1 1 . . . 1

Constraints for odd p

■ This gives a system of k linear equations on α1, . . . , αk ■ But we need a solution with all α’s non-negative M t k k

1 k k

M 1 1 . . . 1

Constraints for odd p

■ This gives a system of k linear equations on α1, . . . , αk ■ But we need a solution with all α’s non-negative ■ M ∈ R(t)k×k, α = (α1, . . . , αk) ∈ Rk : M · α =      1 + ε 1 . . . 1     

Odd p. Proof

■ M is stochastic with a positive eigenvalue, so it suffjces to show M is invertible: Let M 1 e1

1 2 1k

M 1 1 1 T M is a piecewise combination of polynomials of degree k 1 p We show that at least one of these polynomials is non-zero

Odd p. Proof

■ M is stochastic with a positive eigenvalue, so it suffjces to show M is invertible:

■ Let α′ = M−1 · e1

1 2 1k

M 1 1 1 T M is a piecewise combination of polynomials of degree k 1 p We show that at least one of these polynomials is non-zero

Odd p. Proof

■ M is stochastic with a positive eigenvalue, so it suffjces to show M is invertible:

■ Let α′ = M−1 · e1 ■ α = δ1 · α′ + δ2 · 1k

M 1 1 1 T M is a piecewise combination of polynomials of degree k 1 p We show that at least one of these polynomials is non-zero

Odd p. Proof

■ M is stochastic with a positive eigenvalue, so it suffjces to show M is invertible:

■ Let α′ = M−1 · e1 ■ α = δ1 · α′ + δ2 · 1k ■ M · α = (1 + ε, 1, · · · , 1)T

M is a piecewise combination of polynomials of degree k 1 p We show that at least one of these polynomials is non-zero

Odd p. Proof

■ M is stochastic with a positive eigenvalue, so it suffjces to show M is invertible:

■ Let α′ = M−1 · e1 ■ α = δ1 · α′ + δ2 · 1k ■ M · α = (1 + ε, 1, · · · , 1)T

■ det(M) is a piecewise combination of polynomials of degree (k + 1)p We show that at least one of these polynomials is non-zero

Odd p. Proof

■ M is stochastic with a positive eigenvalue, so it suffjces to show M is invertible:

■ Let α′ = M−1 · e1 ■ α = δ1 · α′ + δ2 · 1k ■ M · α = (1 + ε, 1, · · · , 1)T

■ det(M) is a piecewise combination of polynomials of degree (k + 1)p ■ We show that at least one of these polynomials is non-zero

Conclusions

■ Isolating Parallelepipeds don’t exist for even p, and exist for almost any other p

■ If SETH holds, no 20.99n-algorithm solves

CVPp for these values of p Other hardness results for lattice problems SVP CVPPp Even hardness of approximation under Gap-ETH for all p

Conclusions

■ Isolating Parallelepipeds don’t exist for even p, and exist for almost any other p

■ If SETH holds, no 20.99n-algorithm solves

CVPp for these values of p ■ Other hardness results for lattice problems

■ SVP∞, CVPPp, . . .

Even hardness of approximation under Gap-ETH for all p

Conclusions

■ Isolating Parallelepipeds don’t exist for even p, and exist for almost any other p

■ If SETH holds, no 20.99n-algorithm solves

CVPp for these values of p ■ Other hardness results for lattice problems

■ SVP∞, CVPPp, . . .

■ Even hardness of approximation under Gap-ETH for all p

Thank you for your attention!