Seminar of Lattice Analysis 01: Slide Reduction Revisited (PowerPoint PPT Presentation)


SLIDE 1

Wenling Liu @ SJTU

Seminar of Lattice Analysis

01 Slide Reduction Revisited

Wenling Liu, Shanghai Jiao Tong University.

SLIDE 2

Table of Contents

  • Lattice Backgrounds
  • Lenstra–Lenstra–Lovász Reduction
  • Hermite SVP Reduction and DBKZ Algorithm
  • Slide Reduction

Last Update: August 4, 2020

SLIDE 3

Section 1

Lattice Backgrounds

SLIDE 4

Lattice

Definition (Lattice)

An n-dimensional lattice L in $\mathbb{R}^m$ is the set of integer combinations $L := \{z_1 b_1 + \cdots + z_n b_n : z_i \in \mathbb{Z}\}$ of linearly independent basis vectors $B = [b_1, \cdots, b_n] \in \mathbb{Z}^{m \times n}$.

Remark.

  • We call n the rank of L.
  • We say L is full-rank if n = m.
  • B is called a basis of L.
  • For simplicity, we mainly concern ourselves with integer lattices; those lattices are subgroups of $\mathbb{Z}^m$.

Figure: A Lattice in R2

SLIDE 5

Basis of Lattice

A lattice can have different bases:

Figure: Different bases of the same lattice

  • Fact. A lattice has infinitely many bases.
  • Fact. Integer lattices only have bases with integer entries.

A lattice is the set of integer combinations of any of its bases. A lattice with basis B is denoted by L(B) (denoted by Λ(B) in some literature). The notation is abused for non-basis B in some literature.

SLIDE 6

Fundamental Parallelepiped

Define the fundamental parallelepiped of a basis B as $\mathcal{P}(B) = \{y \in \mathbb{R}^n \mid y = Bx \text{ for some } x \in [0,1)^n\}$.

Figure: Fundamental parallelepipeds of different bases

Fact

The fundamental parallelepiped contains no lattice points except 0.

SLIDE 7

Volume

Definition

Let B be any basis of lattice L; define the volume of L as $\mathrm{vol}(L) = \sqrt{\det(B^T B)}$.

Remark.

  • For any $L(B_1) = L(B_2)$, it holds that $\det(B_1^T B_1) = \det(B_2^T B_2)$.
  • For n = m (i.e., $B \in \mathbb{R}^{m \times m}$), $\mathrm{vol}(L(B)) = |\det B|$.
  • We often abuse notation and denote $\sqrt{\det(B^T B)}$ by vol(B).
  • Some literature writes vol instead of det.

Geometrical view. The volume of a lattice is the volume of its fundamental parallelepiped. Refer to UCSD CSE 206A Lecture 1 by Daniele Micciancio for more detail.
SLIDE 8

Gram-Schmidt Orthogonalization

For a lattice basis $B = [b_1, \cdots, b_n] \in \mathbb{R}^{m \times n}$, the Gram-Schmidt orthogonal basis of B can be computed by

$$b_1^* = b_1, \quad b_2^* = b_2 - \mu_{2,1} b_1^*, \quad \ldots, \quad b_n^* = b_n - \sum_{j=1}^{n-1} \mu_{n,j} b_j^*,$$

where $\mu_{i,j} = \dfrac{\langle b_i, b_j^* \rangle}{\langle b_j^*, b_j^* \rangle}$. We call $B^* = [b_1^*, \cdots, b_n^*]$ the Gram-Schmidt orthogonal form of B.

  • Fact. Gram-Schmidt orthogonalization never lengthens vectors.
SLIDE 9

Gram-Schmidt Orthogonalization

Fact

  • $\det B = \det B^*$.
  • $\mathrm{vol}(L(B)) = \det B^* = \prod_{j=1}^{n} \|b_j^*\|$.
  • For a basis B of L, $\lambda_1(L) \ge \min_j \|b_j^*\|$.
  • Remark. Usually, $B^*$ is not a basis of L(B).
SLIDE 10

Dual Lattice

Definition (Dual Lattice)

For any lattice $L \subseteq \mathbb{R}^m$, define its dual lattice $L^\times = \{w \in \mathrm{span}(L) : \langle w, y \rangle \in \mathbb{Z} \text{ for all } y \in L\}$.

The dual lattice of L(B) is the intersection of n sets of equidistant parallel (n − 1)-dimensional hyperplanes, the i-th set being perpendicular to $b_i$.

SLIDE 11

Dual Basis

For a lattice L, we call L the primal lattice and $L^\times$ the dual lattice. Like its primal lattice, the dual lattice has infinitely many bases.

Fact

For a lattice L = L(B), there exists a unique D s.t. $B^T D = D^T B = I$, and D is a basis of $L^\times$. The proof can be done by checking the definition. D is called the dual basis of B. The explicit construction of D is $D := B (B^T B)^{-1}$. We denote the reverse order of D by $B^{-s}$, and call it the reversed dual basis of B.

Fact

  • $\det D = 1/(\det B)$.
  • $\|b_n^*\| = 1/\|d_n\|$.
  • $\mathrm{vol}(L^\times) = 1/\mathrm{vol}(L)$.
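As an added worked example (not part of the slides), the following Python script checks the volume and dual-basis facts of slides 7 to 11 on a small constructed basis with exact rational arithmetic: $\mathrm{vol}(L) = \sqrt{\det(B^T B)}$, $D = B(B^T B)^{-1}$, $B^T D = I$, $\det D = 1/\det B$, $\mathrm{vol}(L^\times) = 1/\mathrm{vol}(L)$ and $\|b_n^*\| = 1/\|d_n\|$. The squared norm $\|b_n^*\|^2$ is obtained as $\mathrm{vol}(B)^2 / \mathrm{vol}([b_1, \ldots, b_{n-1}])^2$ via the fact $\mathrm{vol} = \prod_j \|b_j^*\|$ rather than by Gram-Schmidt. The sample bases, the helper names (gram, det, inverse, dual_basis, ...) and the row-vector storage are my own choices, not the slides'.

```python
from fractions import Fraction

# Basis vectors are stored as rows: B[i] is b_{i+1} of the slides. Entries are
# converted to Fraction so every determinant, inverse and norm below is exact.

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram(B):
    """Gram matrix G = B^T B in the slides' column convention: G[i][j] = <b_i, b_j>."""
    return [[Fraction(dot(u, v)) for v in B] for u in B]

def det(M):
    """Determinant by Gaussian elimination over the rationals."""
    A = [[Fraction(x) for x in row] for row in M]
    n, d = len(A), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            A[c], A[p] = A[p], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return d

def inverse(M):
    """Inverse by Gauss-Jordan elimination over the rationals (M must be invertible)."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for c in range(n):
        p = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[p] = A[p], A[c]
        piv = A[c][c]
        A[c] = [x / piv for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [row[n:] for row in A]

def volume_squared(B):
    """vol(L(B))^2 = det(B^T B); also valid when the lattice is not full-rank."""
    return det(gram(B))

def dual_basis(B):
    """D = B (B^T B)^{-1}; with row vectors this reads d_i = sum_j (G^{-1})[i][j] b_j."""
    Ginv = inverse(gram(B))
    return [[sum(Ginv[i][j] * B[j][k] for j in range(len(B))) for k in range(len(B[0]))]
            for i in range(len(B))]

def last_gs_norm_squared(B):
    """||b_n^*||^2 = vol(B)^2 / vol([b_1..b_{n-1}])^2, from vol(B) = prod_j ||b_j^*||."""
    return volume_squared(B) / (volume_squared(B[:-1]) if len(B) > 1 else Fraction(1))

def check_dual_facts(B):
    """The three facts of the slide on one basis: (B^T D = I, vol(L^x) = 1/vol(L), ||b_n^*|| = 1/||d_n||)."""
    D = dual_basis(B)
    n = len(B)
    biorthogonal = all(dot(B[i], D[j]) == (1 if i == j else 0) for i in range(n) for j in range(n))
    dual_volume = volume_squared(D) * volume_squared(B) == 1
    last_vector = last_gs_norm_squared(B) * dot(D[-1], D[-1]) == 1
    return biorthogonal, dual_volume, last_vector

if __name__ == "__main__":
    # Constructed sample input: a full-rank integer basis of a lattice in Z^3 (vol = 3)
    # and a rank-2 lattice in Z^3 (vol = sqrt(3)). Neither comes from the slides.
    B = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]
    B2 = [[1, 0, 1], [0, 1, 1]]
    print("vol(L(B))^2  =", volume_squared(B))                  # 9
    print("vol(L(B2))^2 =", volume_squared(B2))                 # 3
    print("det D * det B =", det(dual_basis(B)) * det(B))       # 1 (square case)
    print("dual facts:", check_dual_facts(B), check_dual_facts(B2))
```

The rank-2 case shows why the dual is defined inside span(L): the dual vectors returned by dual_basis lie in the plane spanned by B2, and all three facts still hold there.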
SLIDE 12

Hermite's Constant

Successive minimum. For any lattice L, define $\lambda_1(L)$ to be the length of the shortest non-zero vector in L. The notation can be abused to bases. Define Hermite's constant

$$\gamma_n := \sup \frac{\lambda_1(L)^2}{\mathrm{vol}(L)^{2/n}},$$

where the supremum is over lattices $L \subseteq \mathbb{R}^n$ with full rank n.

  • Remark. For any n-dimensional lattice L, it holds that $\lambda_1(L) \le \sqrt{\gamma_n}\,\mathrm{vol}(L)^{1/n}$. $\gamma_n$ is known for n ≤ 8 and n = 24, and it is known that $\gamma_n = \Theta(n)$.

SLIDE 13

Shortest Vector Problem

Definition

Shortest Vector Problem (SVP): Given a lattice basis B of L, find the shortest nonzero vector in L. SVP is NP-hard.

Definition

γ-Approximate Shortest Vector Problem ($\mathrm{SVP}_\gamma$): Given a lattice basis B of L, find a non-zero vector z in L s.t. $\|z\| \le \gamma \cdot \lambda_1(L)$. Remark. $\mathrm{SVP}_\gamma$ is written as γ-SVP in some literature. $\mathrm{SVP}_\gamma$ is extremely hard for some γ, but gets easier when γ grows very large.

SLIDE 14

Status of SVP (for beginners)

Hardness:

  • NP-complete for not very small γ
  • The hardest among lattice problems
  • No known quantum acceleration
  • No known subexponential algorithm for $\gamma \le \sqrt{n}$

Cryptographic Importance:

  • $\gamma = n^c$: the hardness basis of average-case problems (e.g., LWE)
SLIDE 15

Section 2

Lenstra–Lenstra–Lovász Reduction

SLIDE 16

Lattice Basis Reduction

Good bases are helpful when solving problems on lattices. E.g., given an orthogonal basis of a lattice, one can immediately compute the shortest vector. Lattice basis reduction is a category of methods for finding a "good" basis of a lattice given by a "bad" basis. Famous basis reduction algorithms:

  • LLL Reduction
  • BKZ Reduction
  • DBKZ Reduction
  • HKZ Reduction
  • Slide Reduction
SLIDE 17

LLL Reduction

Definition (LLL-reduced Basis)

Let $B \in \mathbb{R}^{m \times n}$. We say B is ε-LLL-reduced if it satisfies the following:

  • Size reduced: for all i > j, $|\mu_{i,j}| < \frac{1}{2}$.
  • Lovász's condition: for all 1 ≤ i < n, $\|b_i^*\|^2 \le (1 + \epsilon)\,\|\mu_{i+1,i} b_i^* + b_{i+1}^*\|^2$.

Remark. We often set ε = 1/3.

Remark. We say B is an ε-LLL basis if it is ε-LLL-reduced. We now introduce the LLL algorithm, which turns any lattice basis into an ε-LLL-reduced basis.

SLIDE 18

LLL Algorithm

Input: Lattice basis $B \in \mathbb{R}^{m \times n}$, real ε > 0
Output: An ε-LLL basis of L(B)

 1  Compute $b_1^*, \cdots, b_n^*$; for i = 2 to n do
 2      for j = i − 1 down to 1 do
 3          $b_i \leftarrow b_i - c_{i,j} b_j$ where $c_{i,j} = \lceil \langle b_i, b_j^* \rangle / \langle b_j^*, b_j^* \rangle \rfloor$
 4      end
 5  end
 6  if ∃ i s.t. $\|b_i^*\|^2 > (1 + \epsilon)\,\|\mu_{i+1,i} b_i^* + b_{i+1}^*\|^2$ then
 7      $b_i \leftrightarrow b_{i+1}$
 8      go to 1
 9  end
10  return $b_1, \cdots, b_n$

Algorithm 1: LLL Algorithm

Fact.

  • For ε > 1/poly(n), the algorithm terminates in polynomial time.
  • $\|b_n^*\|$ never decreases during the execution.
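Algorithm 1 in runnable form, as an added Python example rather than code from the slides: exact Fraction arithmetic, size reduction with the nearest-integer coefficients $c_{i,j}$ (lines 2 to 5), and the Lovász swap with the (1 + ε) factor (lines 6 to 8, restarting from line 1 after each swap). The checker `is_lll_reduced` tests the two conditions of the definition, using $|\mu_{i,j}| \le 1/2$ because rounding a coefficient of exactly 1/2 leaves it at 1/2; `gs_norm_squares` exposes the Gram-Schmidt norms so the fact that $\|b_n^*\|$ never decreases can be observed. Function names and the sample basis are my own choices.

```python
from fractions import Fraction

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """Return [b_1^*, ..., b_n^*] for the row vectors in B (exact rationals)."""
    Bs = []
    for b in B:
        v = [Fraction(x) for x in b]
        for bj in Bs:
            mu = dot(b, bj) / dot(bj, bj)            # mu_{i,j} = <b_i, b_j^*> / <b_j^*, b_j^*>
            v = [x - mu * y for x, y in zip(v, bj)]
        Bs.append(v)
    return Bs

def gs_norm_squares(B):
    """[||b_1^*||^2, ..., ||b_n^*||^2]; their product is vol(L(B))^2."""
    return [dot(v, v) for v in gram_schmidt(B)]

def lovasz_violation(B, Bs, eps):
    """Index i of the first pair (b_i, b_{i+1}) violating Lovasz's condition, or None (line 6)."""
    for i in range(len(B) - 1):
        mu = dot(B[i + 1], Bs[i]) / dot(Bs[i], Bs[i])   # mu_{i+1,i}
        w = [mu * a + b for a, b in zip(Bs[i], Bs[i + 1])]
        if dot(Bs[i], Bs[i]) > (1 + eps) * dot(w, w):
            return i
    return None

def lll(B, eps=Fraction(1, 3)):
    """Algorithm 1: size-reduce, swap one violating pair, and restart until no pair violates."""
    B = [[Fraction(x) for x in b] for b in B]
    while True:
        Bs = gram_schmidt(B)                                     # line 1
        for i in range(1, len(B)):                               # lines 2-5: size reduction
            for j in range(i - 1, -1, -1):
                c = round(dot(B[i], Bs[j]) / dot(Bs[j], Bs[j]))   # nearest integer of mu_{i,j}
                if c:
                    B[i] = [a - c * b for a, b in zip(B[i], B[j])]
        # Size reduction leaves every b_j^* unchanged, so Bs is still valid here.
        i = lovasz_violation(B, Bs, eps)                         # line 6
        if i is None:
            return B                                             # line 10
        B[i], B[i + 1] = B[i + 1], B[i]                          # line 7, then "go to 1"

def is_lll_reduced(B, eps=Fraction(1, 3)):
    Bs = gram_schmidt(B)
    size_reduced = all(abs(dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])) <= Fraction(1, 2)
                       for i in range(len(B)) for j in range(i))
    return size_reduced and lovasz_violation(B, Bs, eps) is None

def is_integral(B):
    return all(Fraction(x).denominator == 1 for row in B for x in row)

if __name__ == "__main__":
    B = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]   # constructed sample basis, vol(L) = 3
    R = lll(B)
    print("reduced basis:", [[int(x) for x in row] for row in R])
    print("1/3-LLL-reduced:", is_lll_reduced(R))
    print("||b_3^*||^2 before / after:", gs_norm_squares(B)[-1], gs_norm_squares(R)[-1])
```

With ε = 1/3 the Lovász condition plus size reduction gives $\|b_i^*\|^2 \le 2\|b_{i+1}^*\|^2$, hence $\|b_1\|^2 \le 2^{n-1}\min_j\|b_j^*\|^2 \le 2^{n-1}\lambda_1(L)^2$; on the sample basis that bounds $\|b_1\|^2$ by 4, and the product of the Gram-Schmidt norms stays 9 because swaps and size reductions do not change the lattice.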

SLIDE 19

(D)SVP Reduction

Define the following reduced bases.

  • δ-SVP-reduced: A basis B is δ-SVP-reduced if $\|b_1\| \le \delta \cdot \lambda_1(B)$.
  • δ-DSVP-reduced: A basis B is δ-DSVP-reduced if $B^{-s}$ is δ-SVP-reduced and B is 1/3-LLL-reduced.

Given access to a δ-SVP oracle, δ-(D)SVP reduction can be done efficiently:

  • δ-SVP-reduce B: Call the δ-SVP oracle to get $z \in L(B)$ (s.t. $\|z\| \le \delta \cdot \lambda_1(B)$) and "substitute" the first vector of B with z.
  • δ-DSVP-reduce B: Work out $B^{-s}$ and δ-SVP-reduce $B^{-s}$. Then work out the new B from the reduced $B^{-s}$ and 1/3-LLL-reduce the new B. This procedure works since $\|b_n^*\|$ never decreases during LLL reduction.

Remark. B is 1/3-LLL-reduced implies $\|b_i^*\| \le 4\|b_{i+1}^*\|$.

SLIDE 20

Section 3

Hermite SVP Reduction and DBKZ Algorithm

SLIDE 21

More Notions

Fix some lattice basis $B \in \mathbb{R}^{m \times n}$ and define $\pi_i : \mathbb{R}^m \to \mathbb{R}^m$ by

$$\pi_i(b_i) = b_i - \sum_{j < i} \mu_{i,j} b_j^*,$$

i.e., the projection orthogonal to $\mathrm{span}(b_1, \cdots, b_{i-1})$. $B_{[i,j]}$ denotes $(\pi_i(b_i), \pi_i(b_{i+1}), \cdots, \pi_i(b_j))$. We denote $[b_i, b_{i+1}, \cdots, b_j]$ by $B_{(i,j)}$.

SLIDE 22

(D)SVP Reduction

Define the following reduced bases.

  • δ-HSVP-reduced: A basis B is δ-HSVP-reduced if $\|b_1\| \le \delta \cdot \mathrm{vol}(B)^{1/n}$.
  • δ-DHSVP-reduced: A basis B is δ-DHSVP-reduced if $B^{-s}$ is δ-HSVP-reduced.

Similar to (D)SVP reduction, given an efficient δ-HSVP reduction algorithm, one can do δ-DHSVP reduction efficiently.

δ-twin-reduced: For a basis $B = [b_1, \cdots, b_{d+1}]$, we say B is δ-twin-reduced if $B_{[1,d]}$ is δ-HSVP-reduced and $B_{[2,d+1]}$ is δ-DHSVP-reduced.

SLIDE 23

Twin Reduction Lemma

Lemma

Let $B = [b_1, \cdots, b_{d+1}]$ be δ-twin-reduced. Then

  • $\|b_1\| \le \delta^{2d/(d-1)}\,\|b_{d+1}^*\|$
  • $\delta^{-d/(d-1)}\,\|b_1\| \le \mathrm{vol}(B)^{1/(d+1)} \le \delta^{d/(d-1)}\,\|b_{d+1}^*\|$

Proof. By definition of HSVP-reduction, $\|b_1\|^d \le \delta^d\,\mathrm{vol}(B_{[1,d]})$, hence $\|b_1\|^{d-1} \le \delta^d\,\mathrm{vol}(B_{[2,d]})$. By definition of DHSVP-reduction, $\mathrm{vol}(B_{[2,d]}) \le \delta^d\,\|b_{d+1}^*\|^{d-1}$ (recall that $\mathrm{vol}(L) = 1/\mathrm{vol}(L^\times)$). Gluing these two inequalities together, we get the first item. Notice that $\|b_1\|^d\,\|b_{d+1}^*\| \le \delta^d\,\mathrm{vol}(B_{[1,d]}) \cdot \|b_{d+1}^*\| = \delta^d\,\mathrm{vol}(B)$. Applying it to the first item, we get the second item.

Fact.

  • B is δ-SVP-reduced ⇒ B is $\delta\sqrt{\gamma_n}$-HSVP-reduced
  • B is δ-DSVP-reduced ⇒ B is $\delta\sqrt{\gamma_n}$-DHSVP-reduced
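The reductions of slides 19 and 22 are defined relative to a δ-SVP oracle. As an added Python example (not code from the slides or from [ALNS19]), the script below supplies an exact SVP oracle for tiny rank by enumerating coefficient vectors whose projected partial norms stay within the best norm found so far (the Fincke-Pohst idea, using the Gram-Schmidt data μ and $\|b_i^*\|^2$), implements the δ-SVP-reduced and δ-HSVP-reduced predicates on top of it, and checks the Fact "δ-SVP-reduced ⇒ $\delta\sqrt{\gamma_n}$-HSVP-reduced" on constructed bases with the known exact values $\gamma_2^2 = 4/3$ and $\gamma_3^3 = 2$. Function names and sample bases are my own; floats are used for the enumeration bounds and exact integers for the final norms.

```python
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def combine(B, z):
    """Lattice vector sum_i z_i b_i for integer coefficients z (B stored as rows)."""
    return [sum(zi * bi[k] for zi, bi in zip(z, B)) for k in range(len(B[0]))]

def gso(B):
    """Gram-Schmidt data as floats: mu[i][j] for j < i and r[i] = ||b_i^*||^2."""
    n = len(B)
    mu = [[0.0] * n for _ in range(n)]
    bs = [[float(x) for x in b] for b in B]
    for i in range(n):
        for j in range(i):
            mu[i][j] = dot(B[i], bs[j]) / dot(bs[j], bs[j])
            bs[i] = [x - mu[i][j] * y for x, y in zip(bs[i], bs[j])]
    return mu, [dot(v, v) for v in bs]

def shortest_vector(B):
    """Exact SVP oracle for tiny rank. Using ||sum_i z_i b_i||^2 = sum_i (z_i + sum_{j>i} z_j mu_{j,i})^2 ||b_i^*||^2,
    enumerate z_n, ..., z_1 and prune whenever the partial sum exceeds the best norm so far.
    Returns (vector, squared norm); the squared norm is recomputed exactly from integers."""
    n = len(B)
    mu, r = gso(B)
    best = {"norm2": dot(B[0], B[0]), "z": [1] + [0] * (n - 1)}   # b_1 is a first candidate
    z = [0] * n

    def enum(i, partial):
        if i < 0:
            v = combine(B, z)
            norm2 = dot(v, v)
            if 0 < norm2 < best["norm2"]:                 # skip the zero vector
                best["norm2"], best["z"] = norm2, z[:]
            return
        c = -sum(z[j] * mu[j][i] for j in range(i + 1, n))   # centre of the interval for z_i
        room = (best["norm2"] + 1e-9 - partial) / r[i]
        if room < 0:
            return
        w = math.sqrt(room)
        for zi in range(math.ceil(c - w), math.floor(c + w) + 1):
            z[i] = zi
            enum(i - 1, partial + (zi - c) ** 2 * r[i])
        z[i] = 0

    enum(n - 1, 0.0)
    return combine(B, best["z"]), best["norm2"]

def volume(B):
    """vol(L(B)) = prod_i ||b_i^*|| (slide 9)."""
    return math.sqrt(math.prod(gso(B)[1]))

def is_svp_reduced(B, delta):
    """Slide 19: ||b_1|| <= delta * lambda_1(B)."""
    return dot(B[0], B[0]) <= delta ** 2 * shortest_vector(B)[1] + 1e-9

def is_hsvp_reduced(B, delta):
    """Slide 22: ||b_1|| <= delta * vol(B)^(1/n)."""
    return math.sqrt(dot(B[0], B[0])) <= delta * volume(B) ** (1 / len(B)) + 1e-9

# Hermite's constant for n <= 3 (exact values: gamma_1 = 1, gamma_2^2 = 4/3, gamma_3^3 = 2).
HERMITE = {1: 1.0, 2: math.sqrt(4 / 3), 3: 2 ** (1 / 3)}

def svp_implies_hsvp(B, delta):
    """The Fact of slide 23 on one basis: either not delta-SVP-reduced, or delta*sqrt(gamma_n)-HSVP-reduced."""
    return (not is_svp_reduced(B, delta)) or is_hsvp_reduced(B, delta * math.sqrt(HERMITE[len(B)]))

if __name__ == "__main__":
    # Constructed bases of one rank-3 lattice with vol = 3 and lambda_1 = 1.
    BAD = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]     # b_1 is not a shortest vector
    GOOD = [[0, 1, 0], [1, 1, 1], [-1, 0, 2]]    # b_1 is a shortest vector
    for name, B in (("BAD", BAD), ("GOOD", GOOD)):
        v, n2 = shortest_vector(B)
        print(name, "shortest:", v, "norm^2:", n2,
              "1-SVP-reduced:", is_svp_reduced(B, 1.0),
              "1-HSVP-reduced:", is_hsvp_reduced(B, 1.0),
              "Fact holds:", svp_implies_hsvp(B, 1.0))
```

The enumeration is exponential in the rank, which is exactly why the block algorithms that follow only ever call the oracle on blocks of size k and let the reduction framework handle the rest of the basis.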
SLIDE 24

DBKZ Algorithm

The Self-Dual BKZ (DBKZ) algorithm [MW16], proposed by Daniele Micciancio and Michael Walter, is an algorithm that HSVP-reduces a lattice basis given an SVP oracle of low dimension. In the algorithm, N is set to $N := \lceil (2n^2/(k-1)^2) \cdot \log(n \log(5\|B\|)/\epsilon) \rceil$ for some $\epsilon \in [2^{-\mathrm{poly}(n)}, 1]$.

Input: Lattice basis $B \in \mathbb{R}^{m \times n}$, real ε > 0
Result: A new basis of L(B)

 1  for ℓ = 1 to N do
 2      for i = 1 to n − k do
 3          δ-SVP-reduce $B_{[i,i+k-1]}$
 4      end
 5      for j = n − k + 1 down to 1 do
 6          δ-DSVP-reduce $B_{[j,j+k-1]}$
 7      end
 8  end
 9  δ-SVP-reduce $B_{[1,k]}$
10  return B

Algorithm 2: DBKZ Algorithm

SLIDE 25

DBKZ Algorithm

Theorem

For approximation factor $1 \le \delta \le 2^k$ and an input basis $B_0$ of L, Algorithm 2 outputs a basis B of L in polynomial time s.t.

$$\|b_1\| \le (1 + \epsilon)\,(\delta^2 \gamma_k)^{\frac{n-1}{2(k-1)}}\,\mathrm{vol}(L)^{1/n},$$

by making $N \cdot (2n - 2k + 1) + 1$ calls to the δ-SVP oracle for lattices of rank k.

  • Proof. See [MW16].
SLIDE 26

Section 4

Slide Reduction

SLIDE 27

Mordell's Inequality

Mordell proved Mordell's inequality [Mor44],

$$\gamma_n \le \gamma_k^{(n-1)/(k-1)} \quad \text{for all } 2 \le k \le n,$$

non-constructively, but it suggests a blockwise reduction algorithm for SVP.

[GN08] proposed the slide reduction algorithm to achieve this.

SLIDE 28

Blockwise Reduction

Given a basis $B \in \mathbb{R}^{m \times n}$ of L and a δ-SVP oracle for rank at most k, one can do the following:

  • δ-SVP-reduce a block of size k in B: Output a basis $C = [b_1, \cdots, b_{i-1}, c_i, \cdots, c_{i+k-1}, b_{i+k}, \cdots, b_n]$ of L s.t. $C_{[i,i+k-1]}$ is δ-SVP-reduced and $\|C^*\| \le \|B^*\|$.
  • δ-DSVP-reduce a block of size k in B: Output a basis $C = [b_1, \cdots, b_{i-1}, c_i, \cdots, c_{i+k-1}, b_{i+k}, \cdots, b_n]$ of L s.t. $C_{[i,i+k-1]}$ is δ-DSVP-reduced and $\|C^*\| \le 2^k \|B^*\|$.

SLIDE 29

Slide Reduction

Definition

Let n = pk. A basis B is (δ, k)-slide-reduced if it is size-reduced and satisfies the following:

  • Primal condition: for all i ∈ [1, p − 1], $B_{[ik+1,(i+1)k]}$ is δ-SVP-reduced.
  • Dual condition: for all i ∈ [1, p − 2], $B_{[ik+2,(i+1)k+1]}$ is δ-DSVP-reduced.

The primal condition implies: $\|b_{ik+1}^*\|^{k-1} \le (\delta\gamma_k)^{k/2}\,\mathrm{vol}(B_{[ik+2,ik+k]})$.

The dual condition implies: $\mathrm{vol}(B_{[ik+2,ik+k]}) \le (\delta\gamma_k)^{k/2}\,\|b_{ik+k+1}^*\|^{k-1}$.

The above two imply: $\|b_1^*\| \le (\delta\gamma_k)^{\frac{ik}{k-1}}\,\|b_{ik+1}^*\|$.

SLIDE 30

Slide Reduction

$$\|b_1\|^n = \|b_1^*\|^{pk} \le (\delta\gamma_k)^{\frac{k^2}{k-1} \sum_{j=0}^{p-1} j} \prod_{i=0}^{p-1} \|b_{ik+1}^*\|^k = (\delta\gamma_k)^{\frac{(n-k)n}{2(k-1)}} \prod_{i=0}^{p-1} \|b_{ik+1}^*\| \cdot \|b_{ik+1}^*\|^{k-1}$$

$$\le (\delta\gamma_k)^{\frac{(n-k)n}{2(k-1)}} \left( \prod_{i=0}^{p-1} \|b_{ik+1}^*\| \right) \cdot \left( \prod_{i=0}^{p-1} (\delta\gamma_k)^{k/2}\,\mathrm{vol}(B_{[ik+2,ik+k]}) \right) = (\delta\gamma_k)^{\frac{(n-1)n}{2(k-1)}}\,\mathrm{vol}(L)$$

Let v be the shortest vector of L; then $v = \sum_i \alpha_i b_i$ with some $\alpha_m \ne 0$ (m the largest such index). Let $q = \lfloor (m-1)/k \rfloor$; then $\pi_{qk+1}(v)$ is a non-zero vector of $L(B_{[qk+1,qk+k]})$, and $\|b_{qk+1}^*\| \le \delta \cdot \|\pi_{qk+1}(v)\| \le \delta\|v\| \le \delta\lambda_1(L)$. Then we have

$$\|b_1\| \le (\delta\gamma_k)^{\frac{n-k}{k-1}}\,\lambda_1(L).$$

SLIDE 31

Slide Reduction

Due to the block size, the result of [GN08] should be

$$\|b_1\| \le \left(\gamma_k(1+\varepsilon)\right)^{\frac{\lceil n \rceil_k - 1}{k-1}}\,\mathrm{vol}(L)^{1/n}, \qquad \|b_1\| \le \left(\gamma_k(1+\varepsilon)\right)^{\frac{\lceil n \rceil_k - k}{k-1}}\,\lambda_1(L).$$

[ALNS19] suggests removing $\lceil \cdot \rceil_k$ in [GN08] with the DBKZ algorithm. Moreover, it proposed a slide reduction method for n = k + q where q < k.

SLIDE 32

Slide Reduction Revisited for n < 2k

Definition

Let n = k + q where q ≤ k. A basis B is (δ, k)-slide-reduced if

  • Primal condition: $B_{[1,q]}$ and $B_{[i,n]}$ for i ∈ [q + 1, k] are δ-SVP-reduced.
  • Dual condition: $B_{[2,q+1]}$ is δ-DSVP-reduced.

SLIDE 33

Slide Reduction Revisited for n < 2k I

Theorem

Let B be a (δ, k)-slide-reduced basis of lattice L. Then

$$\lambda_1\big(L(B_{[1,k]})\big) \le \delta\sqrt{\gamma_k}\,(\delta^2\gamma_q)^{\frac{q+1}{q-1} \cdot \frac{n-k}{2k}}\,\lambda_1(L).$$

  • Proof. Case I: ∃ i ∈ [q + 1, k] s.t. $\|b_i^*\| > \delta \cdot \lambda_1(L)$. Then the shortest vector v of L satisfies $\pi_i(v) = 0$, and hence $v \in L(B_{[1,i-1]}) \subseteq L(B_{[1,k]})$, which implies $\lambda_1(L(B_{[1,k]})) = \lambda_1(L)$. Case II: $\|b_i^*\| \le \delta \cdot \lambda_1(L)$ for all i ∈ [q + 1, k]. $B_{[1,q+1]}$ is $\delta\sqrt{\gamma_q}$-twin-reduced, therefore

SLIDE 34

Slide Reduction Revisited for n < 2k II

$$\mathrm{vol}(B_{[1,k]}) = \mathrm{vol}(B_{[1,q+1]}) \cdot \prod_{i=q+2}^{k} \|b_i^*\| \le (\delta\sqrt{\gamma_q})^{q(q+1)/(q-1)}\,\|b_{q+1}^*\|^{q+1} \cdot \prod_{i=q+2}^{k} \|b_i^*\| \le (\delta^2\gamma_q)^{\frac{q+1}{q-1} \cdot \frac{n-k}{2}}\,(\delta\lambda_1(L))^k$$

By definition of Hermite's constant, we have

$$\lambda_1\big(L(B_{[1,k]})\big) \le \sqrt{\gamma_k}\,\mathrm{vol}(B_{[1,k]})^{1/k} \le \delta\sqrt{\gamma_k}\,(\delta^2\gamma_q)^{\frac{q+1}{q-1} \cdot \frac{n-k}{2k}}\,\lambda_1(L).$$

SLIDE 35

Slide Reduction Revisited for n < 2k

When the algorithm terminates, it will output a ((1 + ǫ)δ, k)-slide-reduced basis.

SLIDE 36

Slide Reduction Revisited for n < 2k

Let $B_0$ be the input basis and B the current basis. Define the integral potential $P(B) := \mathrm{vol}(B_{[1,q]})^2 \in \mathbb{Z}^+$. Then $\log P(B_0) \le 2q \cdot \log\|B_0\|$.

  • Fact. Only line 8 modifies P(B), and it decreases P(B) by a factor of at least $(1 + \epsilon)^2$.

The algorithm updates $L(B_{[1,q]})$ at most $\dfrac{\log P(B_0)}{2\log(1+\epsilon)}$ times.

Max δ-SVP calls: $\dfrac{qk\,\log\|B_0\|}{\log(1+\epsilon)}$.

$$\delta_S = \delta^2\sqrt{\gamma_k}\,\big((1+\varepsilon)^2\delta^2\gamma_q\big)^{\frac{q+1}{q-1} \cdot \frac{n-k}{2k}} \le O\big(\delta^{2c+1} n^c\big)$$
SLIDE 37

Slide Reduction Revisited for n > 2k

Definition

Let n = pk + q where q ≤ k. A basis B is (δ, k)-slide-reduced if it is size-reduced and satisfies the following:

  • Mordell condition: $B_{[1,k+q]}$ is η-HSVP-reduced and $B_{[2,k+q+1]}$ is η-DHSVP-reduced for $\eta = (\delta^2\gamma_k)^{\frac{k+q-1}{2(k-1)}}$.
  • Primal condition: for all i ∈ [1, p − 1], $B_{[ik+q+1,(i+1)k+q]}$ is δ-SVP-reduced.
  • Dual condition: for all i ∈ [1, p − 2], $B_{[ik+q+2,(i+1)k+q+1]}$ is δ-DSVP-reduced.

SLIDE 38

Slide Reduction Revisited for n > 2k

Theorem

For a (δ, k)-slide-reduced basis B of L, we have

$$\|b_1\| \le (\delta^2\gamma_k)^{\frac{n-1}{2(k-1)}}\,\mathrm{vol}(L)^{1/n}.$$

If $\lambda_1(L(B_{[1,k+q]})) > \lambda_1(L)$, then $\|b_1\| \le \delta\,(\delta^2\gamma_k)^{\frac{n-k}{k-1}}\,\lambda_1(L)$.

  • Proof. Glue the η-twin-reduced blocks together to prove that the whole B is twin-reduced.

SLIDE 39

Slide Reduction Revisited for n > 2k

SLIDE 40

Slide Reduction Revisited for n > 2k

Theorem

For ε ∈ [1/poly(n), 1], the algorithm runs in polynomial time, makes polynomially many δ-SVP oracle calls, and outputs a ((1 + ε)δ, k)-slide-reduced basis of the input lattice L. Proof. Consider the integral potential $P(B) := \prod_{i=1}^{p-1} \mathrm{vol}(B_{[1,ik+q]})^2$, just as before.

SLIDE 41

Total Result

Theorem

For any δ ≥ 1 and ε ∈ [1/poly(n), 1], there exists an efficient reduction from $\delta_S$-SVP to δ-SVP on lattices of rank k. When n ≥ 2k, we have

$$\delta_S := (1+\epsilon)\,\delta\,\big((1+\epsilon)^2\delta^2\gamma_k\big)^{\frac{n-k}{k-1}} \le O\big(\delta^{2c+1} n^c\big).$$

When n = k + q for some q < k, we have

$$\delta_S := \sqrt{\gamma_k}\,\big((1+\varepsilon)^2\delta^2\gamma_q\big)^{\frac{q+1}{q-1} \cdot \frac{n-k}{2k}} \le O\big(\delta^{2c+1} n^c\big).$$

SLIDE 42

A Little Drawback?

The original result in [GN08] is the version with a 1-SVP oracle; it says:

Theorem

For any ε ∈ [1/poly(n), 1], there exists an efficient reduction from $\delta_S$-SVP to SVP on lattices of rank k. We have

$$\delta_S := \big((1+\epsilon)\gamma_k\big)^{\frac{\lceil n \rceil_k - k}{k-1}}.$$

When applied to δ-SVP, we should have

$$\delta_S := \big((1+\epsilon)\delta\gamma_k\big)^{\frac{\lceil n \rceil_k - k}{k-1}},$$

which doesn't have a square on δ.

SLIDE 43

End of the story?

SLIDE 44

No.

The most technical parts are the analyses of reduction algorithms; those are not included in this paper.

Refer to [MW16, HPS11].

SLIDE 45

Bibliography

SLIDE 46

Bibliography I

[ALNS19] Divesh Aggarwal, Jianwei Li, Phong Q. Nguyen, and Noah Stephens-Davidowitz. Slide reduction, revisited - filling the gaps in SVP approximation. CoRR, abs/1908.03724, 2019.

[GN08] Nicolas Gama and Phong Q. Nguyen. Finding short lattice vectors within Mordell's inequality. In Cynthia Dwork, editor, Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17-20, 2008, pages 207–216. ACM, 2008.

SLIDE 47

Bibliography II

[HPS11] Guillaume Hanrot, Xavier Pujol, and Damien Stehlé. Analyzing blockwise lattice algorithms using dynamical systems. In Phillip Rogaway, editor, Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings, volume 6841 of Lecture Notes in Computer Science, pages 447–464. Springer, 2011.

[Mor44] L. J. Mordell. Observation on the Minimum of a Positive Quadratic Form in Eight Variables. Journal of the London Mathematical Society, 19(73 Part 1):3–6, 01 1944.

SLIDE 48

Bibliography III

[MW16] Daniele Micciancio and Michael Walter. Practical, predictable lattice basis reduction. In Marc Fischlin and Jean-Sébastien Coron, editors, Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part I, volume 9665 of Lecture Notes in Computer Science, pages 820–849. Springer, 2016.

SLIDE 49

The End

Thank You!