Solving All Lattice Problems in Deterministic Single Exponential - - PowerPoint PPT Presentation

Solving All Lattice Problems in Deterministic Single Exponential Time

Daniele Micciancio (UCSD) (Joint work with P. Voulgaris, STOC 2010)

Barriers II Workshop, Princeton

August 27, 2010

Daniele Micciancio CVP in deterministic 2O(n) time

Lattices

Traditional area of mathematics

Bridge between number theory and geometry Studied by Lagrange, Gauss, ..., Minkowski, ...

Key to many algorithmic applications

Cryptanalysis, Coding Theory, Integer Programming

Foundation of Lattice based Cryptography

Exponentially hard to break, even by quantum adversary Asymptotically fast and easily parallelizable cryptographic functions Secure based on conjectured hardness of worst-case problems Extremely versatile: CPA/CCA encryption, digital signature, . . . ring signatures, threshold encryption, IBE, . . . , HIBE, . . . , fully homomorphic encryption

Daniele Micciancio CVP in deterministic 2O(n) time

Complexity of Lattice problems

Finding exact solutions Best known algorithms run in exponential time NP-hard: no subexponential time solution is expected Finding good (nO(1)) approximations Foundation of lattice based cryptography Not known how to solve substantially faster than exact version Finding exponential (2O(n)) approximations Extensively used in cryptanalysis Polynomial time algorithms, based on exact solution of small dimensional subproblems

Daniele Micciancio CVP in deterministic 2O(n) time

Complexity of Lattice problems

Finding exact solutions Best known algorithms run in exponential time NP-hard: no subexponential time solution is expected Finding good (nO(1)) approximations Foundation of lattice based cryptography Not known how to solve substantially faster than exact version Finding exponential (2O(n)) approximations Extensively used in cryptanalysis Polynomial time algorithms, based on exact solution of small dimensional subproblems

Daniele Micciancio CVP in deterministic 2O(n) time

Outline

1

Introduction Lattices Lattice Problems Algorithmic Techniques

2

New Algorithm Overview Voronoi Cell CVPP Algorithm

3

Final Remarks and Open Problems

Daniele Micciancio CVP in deterministic 2O(n) time

1

Introduction Lattices Lattice Problems Algorithmic Techniques

2

New Algorithm Overview Voronoi Cell CVPP Algorithm

3

Final Remarks and Open Problems

Daniele Micciancio CVP in deterministic 2O(n) time

Point Lattices

b1

• b2

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = { b1, . . . , bn} ⊂ Rn: Λ =

n

• i=1
• bi · Z

Daniele Micciancio CVP in deterministic 2O(n) time

Point Lattices

b1

• b2

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = { b1, . . . , bn} ⊂ Rn: Λ =

n

• i=1
• bi · Z = {B

x : x ∈ Zn}

Daniele Micciancio CVP in deterministic 2O(n) time

Point Lattices

b1

• b2
• c1
• c2

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = { b1, . . . , bn} ⊂ Rn: Λ =

n

• i=1
• bi · Z = {B

x : x ∈ Zn} The same lattice has many bases Λ =

n

• i=1
• ci · Z

Daniele Micciancio CVP in deterministic 2O(n) time

Point Lattices

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = { b1, . . . , bn} ⊂ Rn: Λ =

n

• i=1
• bi · Z = {B

x : x ∈ Zn} The same lattice has many bases Λ =

n

• i=1
• ci · Z

Definition (Lattice)

Discrete additive subgroup of Rn

Daniele Micciancio CVP in deterministic 2O(n) time

Shortest Vector Problem (SVP)

• b1
• b2

Definition (SVP)

Given a lattice L(B), find a (nonzero) lattice vector B x (with

• x ∈ Zk) of minimal length B

x Input: A lattice basis B

Daniele Micciancio CVP in deterministic 2O(n) time

Shortest Vector Problem (SVP)

• b1
• b2

Definition (SVP)

Given a lattice L(B), find a (nonzero) lattice vector B x (with

• x ∈ Zk) of minimal length B

x Input: A lattice basis B Output: A shortest nonzero vector s ∈ Λ

Daniele Micciancio CVP in deterministic 2O(n) time

Shortest Vector Problem (SVP)

• b1
• b2

Definition (SVP)

Given a lattice L(B), find a (nonzero) lattice vector B x (with

• x ∈ Zk) of minimal length B

x Input: A lattice basis B Output: A shortest nonzero vector s ∈ Λ The problem is hard when dimension n is high and basis is skewed

Daniele Micciancio CVP in deterministic 2O(n) time

Shortest Vector Problem (SVP)

• b1
• b2

Definition (SVP)

Given a lattice L(B), find a (nonzero) lattice vector B x (with

• x ∈ Zk) of minimal length B

x Input: A lattice basis B Output: A shortest nonzero vector s ∈ Λ The problem is hard when dimension n is high and basis is skewed Shortest vector can be much shorter than basis vectors

Daniele Micciancio CVP in deterministic 2O(n) time

Shortest Independent Vectors Problem (SIVP)

• b1
• b2

Definition (SIVP)

Given a lattice L(B), find n linearly independent lattice vectors s1, . . . , sn of minimal length maxi si Input: A lattice basis B

Daniele Micciancio CVP in deterministic 2O(n) time

Shortest Independent Vectors Problem (SIVP)

• b1
• b2

Definition (SIVP)

Given a lattice L(B), find n linearly independent lattice vectors s1, . . . , sn of minimal length maxi si Input: A lattice basis B Output: n shortest linearly independent lattice vectors

• s1, . . . ,

sn ∈ Λ

Daniele Micciancio CVP in deterministic 2O(n) time

Shortest Independent Vectors Problem (SIVP)

• b1
• b2

Definition (SIVP)

Given a lattice L(B), find n linearly independent lattice vectors s1, . . . , sn of minimal length maxi si Input: A lattice basis B Output: n shortest linearly independent lattice vectors

• s1, . . . ,

sn ∈ Λ The problem is hard when dimension n is high and basis is skewed

Daniele Micciancio CVP in deterministic 2O(n) time

Closest Vector Point (CVP)

• t

Inhomogeneous version of SVP

Definition (CVP)

Given a lattice L(B) and a target point t, find a lattice vector B x which minimizes the distance B x − t Input: A lattice Λ(B), and a target vector t

Daniele Micciancio CVP in deterministic 2O(n) time

Closest Vector Point (CVP)

• t
• c

Inhomogeneous version of SVP

Definition (CVP)

Given a lattice L(B) and a target point t, find a lattice vector B x which minimizes the distance B x − t Input: A lattice Λ(B), and a target vector t Output: A closest lattice point c ∈ Λ

Daniele Micciancio CVP in deterministic 2O(n) time

Closest Vector Point (CVP)

• t
• c

Inhomogeneous version of SVP

Definition (CVP)

Given a lattice L(B) and a target point t, find a lattice vector B x which minimizes the distance B x − t Input: A lattice Λ(B), and a target vector t Output: A closest lattice point c ∈ Λ NP-hard [vEB’81], even for fixed lattice [M’01]

Daniele Micciancio CVP in deterministic 2O(n) time

Complexity of SVP, SIVP, CVP

Efficient (dimension preserving) reductions

SVP, SIVP ≤ CVP [GMSS’99, M’08]

Fastest previous algorithm

SVP,SIVP,CVP : [Kannan’87] runs in nO(n) time SVP: [AKS’01] runs in randomized 2O(n) time and space Algorithms work in any ℓp norm [BN’07]

Daniele Micciancio CVP in deterministic 2O(n) time

Complexity of SVP, SIVP, CVP

Efficient (dimension preserving) reductions

SVP, SIVP ≤ CVP [GMSS’99, M’08]

Fastest previous algorithm

SVP,SIVP,CVP : [Kannan’87] runs in nO(n) time SVP: [AKS’01] runs in randomized 2O(n) time and space Algorithms work in any ℓp norm [BN’07]

Barriers

Can CVP, SIVP also be solved in 2c·n time? What is the smallest constant c? [NV’09,MP’10,PS’10]: c < 2.5 for SVP in ℓ2. Is randomization and exponential space useful/necessary?

Daniele Micciancio CVP in deterministic 2O(n) time

Complexity of SVP, SIVP, CVP

Efficient (dimension preserving) reductions

SVP, SIVP ≤ CVP [GMSS’99, M’08]

Fastest previous algorithm

SVP,SIVP,CVP : [Kannan’87] runs in nO(n) time SVP: [AKS’01] runs in randomized 2O(n) time and space Algorithms work in any ℓp norm [BN’07]

Barriers

Can CVP, SIVP also be solved in 2c·n time? Yes! (for ℓ2) What is the smallest constant c? [NV’09,MP’10,PS’10]: c < 2.5 for SVP in ℓ2. c ≤ 2 for SVP,SIVP,CVP! Is randomization and exponential space useful/necessary? Randomization is not!

Daniele Micciancio CVP in deterministic 2O(n) time

Complexity of SVP, SIVP, CVP

Efficient (dimension preserving) reductions

SVP, SIVP ≤ CVP [GMSS’99, M’08]

Fastest previous algorithm

SVP,SIVP,CVP ,IP: [Kannan’87] runs in nO(n) time SVP: [AKS’01] runs in randomized 2O(n) time and space Algorithms work in any ℓp norm [BN’07]

Barriers

Can CVP, SIVP also be solved in 2c·n time? Yes! (for ℓ2) What is the smallest constant c? [NV’09,MP’10,PS’10]: c < 2.5 for SVP in ℓ2. c ≤ 2 for SVP,SIVP,CVP! Is randomization and exponential space useful/necessary? Randomization is not! What about other norms and Integer Programming (IP)?

Daniele Micciancio CVP in deterministic 2O(n) time

1

Introduction Lattices Lattice Problems Algorithmic Techniques

2

New Algorithm Overview Voronoi Cell CVPP Algorithm

3

Final Remarks and Open Problems

Daniele Micciancio CVP in deterministic 2O(n) time

Size Reduction

• b
• c
• b: (short) lattice vector
• c: arbitrary point

Daniele Micciancio CVP in deterministic 2O(n) time

Size Reduction

• b
• c
• b: (short) lattice vector
• c: arbitrary point

Can make c shorter by subtracting b from it

Daniele Micciancio CVP in deterministic 2O(n) time

Size Reduction

• b
• c
• c′
• b: (short) lattice vector
• c: arbitrary point

Can make c shorter by subtracting b from it Repeat until c closer to than to b

Daniele Micciancio CVP in deterministic 2O(n) time

Size Reduction

• b
• c
• c′
• b: (short) lattice vector
• c: arbitrary point

Can make c shorter by subtracting b from it Repeat until c closer to than to b or − b Remarks

• c −

c′ ∈ Λ Key step in [LLL’82] basis reduction algorithm Technique is used in most

• ther lattice algorithms

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

• t

Goal: Solve CVP(Λn, t)

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

b1

• b2
• t

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . .

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

• t
• t1
• v1

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . . Find lattice point vi in each layer closest to (the projection of) t

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

• t
• t2
• v1
• v2

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . . Find lattice point vi in each layer closest to (the projection of) t

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

• t
• t3
• v1
• v2
• v3

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . . Find lattice point vi in each layer closest to (the projection of) t

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

• t
• t4
• v1
• v2
• v3
• v4

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . . Find lattice point vi in each layer closest to (the projection of) t

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

• t
• v1
• v2
• v3
• v4

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . . Find lattice point vi in each layer closest to (the projection of) t Only need to consider nearby layers

Dual LLL: 2n layers Dual SVP: n layers

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction

• t
• v1
• v2
• v3
• v4

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . . Find lattice point vi in each layer closest to (the projection of) t Only need to consider nearby layers

Dual LLL: 2n layers Dual SVP: n layers

Select the best solution v1

Daniele Micciancio CVP in deterministic 2O(n) time

Rank reduction: CVP(Λn) ≤ 2n · CVP(Λn−1)

• t
• v1
• v2
• v3
• v4

Λ1 Goal: Solve CVP(Λn, t) Partition Λn into layers of the form: Λn−1 + c bn, c = 2, 1, 3, 0, . . . Find lattice point vi in each layer closest to (the projection of) t Only need to consider nearby layers

Dual LLL: 2n layers Dual SVP: n layers

Select the best solution v1 Notice: All layers contain same lattice Λn−1

Daniele Micciancio CVP in deterministic 2O(n) time

1

Introduction Lattices Lattice Problems Algorithmic Techniques

2

New Algorithm Overview Voronoi Cell CVPP Algorithm

3

Final Remarks and Open Problems

Daniele Micciancio CVP in deterministic 2O(n) time

Solving CVP by rank reduction

Rank reduction CVP(Λn) ≤ k · CVP(Λn−1)

LLL: k = 2n, SVP: k = n,

Daniele Micciancio CVP in deterministic 2O(n) time

Solving CVP by rank reduction

Rank reduction CVP(Λn) ≤ k · CVP(Λn−1)

LLL: k = 2n, T = 2n2 SVP: k = n, T = nn

Iterate: CVP(Λn) ≤ k · CVP(Λn−1) ≤ · · · ≤ knCVP(Λ1) = kn

Daniele Micciancio CVP in deterministic 2O(n) time

Solving CVP by rank reduction

Rank reduction CVP(Λn) ≤ k · CVP(Λn−1)

LLL: k = 2n, T = 2n2 SVP: k = n, T = nn

Iterate: CVP(Λn) ≤ k · CVP(Λn−1) ≤ · · · ≤ knCVP(Λ1) = kn Our approach

Exploit the fact that recursive calls use the same lower dimensional sublattices Preprocess the lattice to speed up the solution of many CVP instances

Daniele Micciancio CVP in deterministic 2O(n) time

CVP with Preprocessing (CVPP)

Problem (CVPP)

Find a function π and an efficient algorithm CVPP such that CVPP(π(Λ), t) = CVP(Λ, t) Only the running time of CVPP counts. The function π is arbitrary.

Daniele Micciancio CVP in deterministic 2O(n) time

CVP with Preprocessing (CVPP)

Problem (CVPP)

Find a function π and an efficient algorithm CVPP such that CVPP(π(Λ), t) = CVP(Λ, t) Only the running time of CVPP counts. The function π is arbitrary. Complexity

Still NP-hard [M’01]! [LLS’93,AR’04] approximates within nO(1) in polynomial time Polynomial time solutions require |π(Λ)| ≤ nO(1)

Daniele Micciancio CVP in deterministic 2O(n) time

CVP with Preprocessing (CVPP)

Problem (CVPP)

Find a function π and an efficient algorithm CVPP such that CVPP(π(Λ), t) = CVP(Λ, t) Only the running time of CVPP counts. The function π is arbitrary. Complexity

Still NP-hard [M’01]! [LLS’93,AR’04] approximates within nO(1) in polynomial time Polynomial time solutions require |π(Λ)| ≤ nO(1)

Our work:

CVPP(π(Λ), t) runs in 2O(n) time

Daniele Micciancio CVP in deterministic 2O(n) time

CVP with Preprocessing (CVPP)

Problem (CVPP)

Find a function π and an efficient algorithm CVPP such that CVPP(π(Λ), t) = CVP(Λ, t) Only the running time of CVPP counts. The function π is arbitrary. Complexity

Still NP-hard [M’01]! [LLS’93,AR’04] approximates within nO(1) in polynomial time Polynomial time solutions require |π(Λ)| ≤ nO(1)

Our work:

CVPP(π(Λ), t) runs in 2O(n) time π(Λ) has size 2O(n)

Daniele Micciancio CVP in deterministic 2O(n) time

CVP with Preprocessing (CVPP)

Problem (CVPP)

Find a function π and an efficient algorithm CVPP such that CVPP(π(Λ), t) = CVP(Λ, t) Only the running time of CVPP counts. The function π is arbitrary. Complexity

Still NP-hard [M’01]! [LLS’93,AR’04] approximates within nO(1) in polynomial time Polynomial time solutions require |π(Λ)| ≤ nO(1)

Our work:

CVPP(π(Λ), t) runs in 2O(n) time π(Λ) has size 2O(n) π(Λ) can also be computed in time 2O(n)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn) ≤ 2O(n) · 2O(n) · CVP(Λn−1)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn) ≤ 2O(n) · 2O(n) · CVP(Λn−1)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn) ≤ 2O(n) · 2O(n) · CVP(Λn−1) ≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn) ≤ 2O(n) · 2O(n) · CVP(Λn−1) ≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn) ≤ 2O(n) · 2O(n) · CVP(Λn−1) ≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1) ≤ 2O(n)2O(n)2O(n) + V(Λn−1)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn) ≤ 2O(n) · 2O(n) · CVP(Λn−1) ≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1) ≤ 2O(n)2O(n)2O(n) + V(Λn−1) = 2O(n) + V(Λn−1)

Daniele Micciancio CVP in deterministic 2O(n) time

Overview of CVP algorithm

Building blocks: π(Λ) = V(Λ): Voronoi cell of the lattice Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn) CVPP(V(Λn)) algorithm with running time 2n Voronoi cell computation V(Λn) ≤ 2nCVP(Λn) Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1) Computing the Voronoi cell of a lattice: V(Λn) ≤ 2O(n)CVP(Λn) ≤ 2O(n) · 2O(n) · CVP(Λn−1) ≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1) ≤ 2O(n)2O(n)2O(n) + V(Λn−1) = 2O(n) + V(Λn−1) ≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)

Daniele Micciancio CVP in deterministic 2O(n) time

1

Introduction Lattices Lattice Problems Algorithmic Techniques

2

New Algorithm Overview Voronoi Cell CVPP Algorithm

3

Final Remarks and Open Problems

Daniele Micciancio CVP in deterministic 2O(n) time

Voronoi Cell

Definition (Voronoit Cell)

Set of points in Rn closer to 0 than to any other lattice point V(Λ) = { x : ∀ v ∈ Λ, x ≤ x− v}

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1

Each v ∈ Λ defines H

v = {

x : x ≤ x − v}

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1
• v2

Each v ∈ Λ defines H

v = {

x : x ≤ x − v} V is the intersection V =

• v∈Λ

H

v

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1
• v2
• v3

Each v ∈ Λ defines H

v = {

x : x ≤ x − v} V is the intersection V =

• v∈Λ

H

v

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1
• v2
• v3
• v4

Each v ∈ Λ defines H

v = {

x : x ≤ x − v} V is the intersection V =

• v∈Λ

H

v

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1
• v2
• v3
• v4
• v5

Each v ∈ Λ defines H

v = {

x : x ≤ x − v} V is the intersection V =

• v∈Λ

H

v

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1
• v2
• v3
• v4
• v5
• v6

Each v ∈ Λ defines H

v = {

x : x ≤ x − v} V is the intersection V =

• v∈Λ

H

v

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1
• v2
• v3
• v4
• v5
• v6

Each v ∈ Λ defines H

v = {

x : x ≤ x − v} V is the intersection V =

• v∈R

H

v, R ⊂ Λ

Not all v ∈ Λ are needed

Daniele Micciancio CVP in deterministic 2O(n) time

Representing the Voronoi cell

• v1
• v2
• v3
• v4
• v5
• v6

Each v ∈ Λ defines H

v = {

x : x ≤ x − v} V is the intersection V =

• v∈R

H

v, R ⊂ Λ

Not all v ∈ Λ are needed

Theorem (Voronoi)

The numer of relevant points is at most |R| ≤ 2 · (2n − 1)

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

• v1

− v1

• v2

− v2

• v3

− v3 Why is |R| ≤ 2 · (2n − 1)?

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets From each coset, select the pair v, − v closest to

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

• v1

− v1 Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets From each coset, select the pair v, − v closest to

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

• v1

− v1 Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets From each coset, select the pair v, − v closest to

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

• v1

− v1

• v2

− v2 Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets From each coset, select the pair v, − v closest to

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

• v1

− v1

• v2

− v2 Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets From each coset, select the pair v, − v closest to

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn)

• v1

− v1

• v2

− v2

• v3

− v3 Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets From each coset, select the pair v, − v closest to

Daniele Micciancio CVP in deterministic 2O(n) time

Computing V(Λn) ≤ 2nCVP(Λn)

• v1

− v1

• v2

− v2

• v3

− v3 Why is |R| ≤ 2 · (2n − 1)? Partition Λ into cosets modulo 2Λ There are 2n − 1 nonzero cosets From each coset, select the pair v, − v closest to R is the set of all such pairs Each pair is found by a CVP computation in lattice 2Λ CVP(2Λ) is equivalent to CVP(Λ)

Daniele Micciancio CVP in deterministic 2O(n) time

1

Introduction Lattices Lattice Problems Algorithmic Techniques

2

New Algorithm Overview Voronoi Cell CVPP Algorithm

3

Final Remarks and Open Problems

Daniele Micciancio CVP in deterministic 2O(n) time

CVP and Voronoi cell

• t
• v

Definition (CVP)

Given Λ and t, find v ∈ Λ such that t ∈ v + V

Daniele Micciancio CVP in deterministic 2O(n) time

CVP and Voronoi cell

• t
• v
• t’

Definition (CVP)

Given Λ and t, find v ∈ Λ such that t ∈ v + V

• t ∈

v + V ≡ t − v ∈ V

Daniele Micciancio CVP in deterministic 2O(n) time

CVP and Voronoi cell

• t
• v
• t’

Definition (CVP)

Given Λ and t, find v ∈ Λ such that t ∈ v + V

• t ∈

v + V ≡ t − v ∈ V CVP goal: bring t inside V by shifting it by v ∈ Λ

Daniele Micciancio CVP in deterministic 2O(n) time

CVP and Voronoi cell

• t
• v
• t’

Definition (CVP)

Given Λ and t, find v ∈ Λ such that t ∈ v + V

• t ∈

v + V ≡ t − v ∈ V CVP goal: bring t inside V by shifting it by v ∈ Λ Algorithm [SFS’09]:

While t / ∈ V: Select v ∈ R . t / ∈ H

v

size reduce t using v

Daniele Micciancio CVP in deterministic 2O(n) time

CVP and Voronoi cell

• t
• v
• t’

Definition (CVP)

Given Λ and t, find v ∈ Λ such that t ∈ v + V

• t ∈

v + V ≡ t − v ∈ V CVP goal: bring t inside V by shifting it by v ∈ Λ Algorithm [SFS’09]:

While t / ∈ V: Select v ∈ R . t / ∈ H

v

size reduce t using v

[SFS’09] only proves termination

Daniele Micciancio CVP in deterministic 2O(n) time

CVP and Voronoi cell

• t
• v
• t’

Definition (CVP)

Given Λ and t, find v ∈ Λ such that t ∈ v + V

• t ∈

v + V ≡ t − v ∈ V CVP goal: bring t inside V by shifting it by v ∈ Λ Algorithm [SFS’09]:

While t / ∈ V: Select v ∈ R . t / ∈ H

v

size reduce t using v

[SFS’09] only proves termination Question: What is a good selection strategy for v ∈ R?

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t

Assume t∈ 2V

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t

Assume t∈ 2V Goal: find t′ ∈ t − Λ ∩ V:

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t
• u1

Assume t∈ 2V Goal: find t′ ∈ t − Λ ∩ V: Strategy:

Compute smallest k ∈ R such that t ∈ kV

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t
• u1
• t′

Assume t∈ 2V Goal: find t′ ∈ t − Λ ∩ V: Strategy:

Compute smallest k ∈ R such that t ∈ kV Subtract the relevant vector associated to corresponding facet

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t
• u1
• t′

Assume t∈ 2V Goal: find t′ ∈ t − Λ ∩ V: Strategy:

Compute smallest k ∈ R such that t ∈ kV Subtract the relevant vector associated to corresponding facet

Why does it work?

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t
• u1
• t′

Assume t∈ 2V Goal: find t′ ∈ t − Λ ∩ V: Strategy:

Compute smallest k ∈ R such that t ∈ kV Subtract the relevant vector associated to corresponding facet

Why does it work?

The new vector t′ is shorter than t

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t
• u1
• t′

Assume t∈ 2V Goal: find t′ ∈ t − Λ ∩ V: Strategy:

Compute smallest k ∈ R such that t ∈ kV Subtract the relevant vector associated to corresponding facet

Why does it work?

The new vector t′ is shorter than t still t′ ∈ 2V

Daniele Micciancio CVP in deterministic 2O(n) time

Our selection strategy

• t
• u1
• t′

Assume t∈ 2V Goal: find t′ ∈ t − Λ ∩ V: Strategy:

Compute smallest k ∈ R such that t ∈ kV Subtract the relevant vector associated to corresponding facet

Why does it work?

The new vector t′ is shorter than t still t′ ∈ 2V |( t − Λ) ∩ 2V| ≤ 2n

Daniele Micciancio CVP in deterministic 2O(n) time

Doubling the Voronoi Cell

• t

Solve CVP for any t: Find k ∈ Z such that

• t ∈ 2kV

Use CVP2V to go from 2kV to 2k−1V

Daniele Micciancio CVP in deterministic 2O(n) time

Doubling the Voronoi Cell

• t

Solve CVP for any t: Find k ∈ Z such that

• t ∈ 2kV

Use CVP2V to go from 2kV to 2k−1V

Daniele Micciancio CVP in deterministic 2O(n) time

Doubling the Voronoi Cell

• t
• t1

Solve CVP for any t: Find k ∈ Z such that

• t ∈ 2kV

Use CVP2V to go from 2kV to 2k−1V

Daniele Micciancio CVP in deterministic 2O(n) time

Doubling the Voronoi Cell

• t
• t1

Solve CVP for any t: Find k ∈ Z such that

• t ∈ 2kV

Use CVP2V to go from 2kV to 2k−1V

Daniele Micciancio CVP in deterministic 2O(n) time

Doubling the Voronoi Cell

• t
• t1
• t2

Solve CVP for any t: Find k ∈ Z such that

• t ∈ 2kV

Use CVP2V to go from 2kV to 2k−1V

Daniele Micciancio CVP in deterministic 2O(n) time

Doubling the Voronoi Cell

• t
• t1
• t2

Solve CVP for any t: Find k ∈ Z such that

• t ∈ 2kV

Use CVP2V to go from 2kV to 2k−1V

Daniele Micciancio CVP in deterministic 2O(n) time

Doubling the Voronoi Cell

• t
• t1
• t2
• t3

Solve CVP for any t: Find k ∈ Z such that

• t ∈ 2kV

Use CVP2V to go from 2kV to 2k−1V

Daniele Micciancio CVP in deterministic 2O(n) time

Summary

CVP can be solved deterministically in time 2c·n Algorithms for SVP, SIVP and many other problems follow by reduction Question: what is the best possible c?

Under ETH, c = Ω(1) In this talk, we didn’t optimize c With some more work, we can reduce c = 2

SVP: improves previous c < 2.5, deterministically! CVP: First 2O(n) time algorithm, and first asymptotic improvement since [K’87]

Daniele Micciancio CVP in deterministic 2O(n) time

Open Problems

Practical barrier in lattice cryptography:

Evaluate appropriate key size to achieve security Current state of the art lattice reduction algorithms are poorly understood Problem: find better, practical lattice algorithms that allow to extrapolate running time/complexity of approximation to very high dimension

Reduce space complexity to polynomial Design polynomial time CVPP approximation algorithms based on approximate Voronoi cell Extend to ℓ∞

Most relevant norm for cryptanalysis Application to Integer Proramming

Question

Is the number of ℓ∞-relevant points still bounded by 2O(n)

Daniele Micciancio CVP in deterministic 2O(n) time

Daniele Micciancio CVP in deterministic 2O(n) time

Reducing the number of Subcases

Given m linearly independent vectors b1, b2, . . . , bm ∈ Rn, the lattice Λ generated by these vectors is defined as Λ = Λ(b1, . . . , bm) = {m

i=1 λibi : λi ∈ Z} .

The set of vectors b1, . . . , bm, or similarly B = [b1, . . . , bm], is called a basis for the lattice Λ. The dual lattice Λ∗ is given by Λ∗ = {v ∈ span(B) : vTbi ∈ Z ∀ i = 1, . . . , m}. The covering radius µ(Λ) is the smallest number α such that the closed balls of radius α centered at the lattice points cover all of Rn. Theorem 0.1 (Theorem (Banaszcyk)). Let Λ ⊂ Rn be a lattice with n ≥ 1. Then λ(Λ)µ(Λ∗) ≤ f(n) ≤ 1

2n.

Daniele Micciancio CVP in deterministic 2O(n) time

Reducing the number of Subcases

Algorithm 2 Rank reduction procedure for CVP function RankReduceCVP(t, Bk, Vk−1, H) ht ← t, b∗

k/b∗ k, b∗ k

for all h that: |h − ht| < H do v ← CVPP(t − hbk, Vk−1) + hbk c ← The closest v to t found so far return c

Daniele Micciancio CVP in deterministic 2O(n) time

Lemma On input basis Bk = {b1, . . . , bk} for a k-rank lattice Λk and an integer H such that µ(Λk)/||b∗

k|| ≤ H, the algorithm

RankReduceCVP (Algorithm (2)) solves a CVP instance on Λk with 2H + 1 calls to CVP on the (k − 1)-rank sublattice Λk−1 = L(b1, . . . , bk−1). Proof.

• By definition of the covering radius, t has distance at

most µ(Λk) to a closest vector.

• The distance of all lattice points in the layer hbk+Λk−1 from

t is at least |h − ht|||b∗

k||, where ht = t, b∗ k/b∗ k, b∗ k (this is

the projection)

• therefore, lattice points closest to t are in layers hbk + Λk−1

such that |h − ht| ≤ µ(Λk)/||b∗

k||.

Reducing the number of Subcases

Daniele Micciancio CVP in deterministic 2O(n) time

Reducing the number of Subcases

LLL Reduced Bases (Lenstra, Lenstra, Lovasz)

• 1. Finds a “more orthogonal” basis in polynomial time
• 2. Specifically, ||b∗

i+1||2 ≥ ||b∗ i ||2/2

• 3. Therefore, 1/||b∗

n||2 ≤ 2nλ(Λ∗)

HKZ Reduced Basis (Kannan)

• 1. Very strong reduced basis, nO(n) time to compute.

Block Reduced Basis (Schnorr)

• 1. For any fixed 1 < k < n, finds a further reduced basis
• 2. For k = n, solves the shortest vector problem with b1

being a shortest vector.

• 3. Has the property that 1/||b∗

n||2 ≤ kn/kλ(Λ∗)

Daniele Micciancio CVP in deterministic 2O(n) time

Reducing the number of Subcases

Algorithm 5 Optimized Preprocessing function OptPreprocess(B) for k = n downto 2 do Run dual block reduction with block size k/4 on Bk = {b1, . . . , bk} and replace Bk with the output basis. return B

Daniele Micciancio CVP in deterministic 2O(n) time

Reducing the number of Subcases

Lemma On input a basis for an n-rank lattice Λ, the Opt- Preprocess subroutine outputs new basis B for the same lattice with the following property: For every sub-lattice of the form Λk = L(b1, . . . , bk); k ≤ n, we have µ(Λk)/||b∗

k|| ≤ k5. The sub-

routine is deterministic and its complexity is ˜ O(2n). Proof.

• We achieve this by running block basis reduction

algorithms from [23, 48] to the dual of the input lattice.

• The dual block reduction, on input a basis for an n-rank

lattice

• utputs a basis B for such that µ(Λ)/||b∗

n|| ≤ nβn/β.

• Choose β = n/4. We can compute this with polynomially

many calls to a SVP oracle for β-rank lattices.

• Use SVP algorithm we presented, which takes ˜

O(23n) time on n rank lattices, and hence requires only ˜ O(2n) time.

Daniele Micciancio CVP in deterministic 2O(n) time

Reducing work via Tricky Buisness

Finally we show why it is possible to improve the Voronoi cell computation subroutine. Recall that ComputeVCell com- putes the Voronoi cell of Λk+1 with the help of H ˜ O(2k) calls to CVPP for the lower rank lattice Λk, where H an integer such that µ(Λk+1)/||b∗

k+1|| ≤ H. It turns out that the CVP instances

solved by CVPP have a very special structure that allows for more efficient strategies to compute them. In particular, it is possible to group them in such a way that solving a group of 2k CVP instances on Λk can be reduced to a single instance of the following problem on Λk: Definition Enum2¯

V for target t on Λ: Given a basis B for an

n-rank lattice Λ and a target vector t on the span of Λ, enumerate all the vectors of the set Λ+t∩2V, where V is the (open) Voronoi cell of Λ.

Daniele Micciancio CVP in deterministic 2

Algorithm 6 Enum2¯

V Algorithm

function Enum2¯

V(B, V, t)

// The following arrays are indexed // by p ∈ {0, 1}n and initialized to none. Visited[] ← Array of 2n vectors Accessible[] ← Array of 2n vectors s0 ← t − CV PP(t, B, V ) Visit(s0, B, Visited, Accessible) while no more Accessible vectors do s ← Shortest Accessible vector Visit(s, B, Visited, Accessible) return Visited

Daniele Micciancio CVP in deterministic 2O(n) time

function Visit(s, B, Visited, Accessible) p ← parity(s, B) Visited[p] = s Accessible[p] = none for v ∈ V do t ← s + v pt ← parity(t, B) if Visited[pt] = none then tprev ← Accessible[pt] if tprev = none OR tprev > t then Accessible[pt] = t Where: p ←parity(s, B) ⇔ s ∈ 2Λ + B · p, p ∈ {0, 1}n

Daniele Micciancio CVP in deterministic 2O(n) time

Lemma 4.11 Let Bn, Λn, Bn−1, Λn−1, b∗

n, Vn−1, Vn−1

as defined above. On input the Voronoi cell of Λn−1 and an integer H such that µ(Λn)/b∗

n ≤ H, the

OptComputeVCell computes the relevant vectors of Λn in time H2 · ˜ O(22n) and space H · ˜ O(2n). Algorithm 7 Voronoi cell computation function OptComputeVCell(Bk, Vk−1, H) Vk ← Vk−1 for all h that: |h| < H do Vk,h ← Enum2¯

V(Bk, Vk, h(bk − b∗ k))

Add hb∗

k to every element of Vk,h

Vk ← Vk Vk,h Vk ← RemoveNonRelevant(Vk) return Vk

Compute Voroni Cell from previous Voroni Cell

Daniele Micciancio CVP in deterministic 2O(n) time

Corollary 4.3 There is a deterministic ˜ O(22n) time algorithm to solve SVP, and to compute the kissing number of a lattice. Once the Voronoi cell of Λn has been computed, then we can solve CVP using the CVPP algorithm. Corollary 4.4 There is a deterministic ˜ O(22n) time, ˜ O(2n) space algorithm to solve CVP. Corollary 4.5 There is a deterministic ˜ O(22n) time, ˜ O(2n) space algorithm to solve SIVP, SAP, GCVP and SMP.

Final Results