Solving All Lattice Problems in Deterministic Single Exponential Time
Daniele Micciancio (UCSD)
(Joint work with P. Voulgaris, STOC 2010)
Barriers II Workshop, Princeton
August 27, 2010
CVP in deterministic $2^{O(n)}$ time | Daniele Micciancio

Complexity of SVP, SIVP, CVP
- Efficient (dimension preserving) reductions: SVP, SIVP ≤ CVP [GMSS'99, M'08]
- Fastest previous algorithm
  - SVP, SIVP, CVP, IP: [Kannan'87] runs in $n^{O(n)}$ time
  - SVP: [AKS'01] runs in randomized $2^{O(n)}$ time and space
  - Algorithms work in any $\ell_p$ norm [BN'07]
Barriers
- Can CVP, SIVP also be solved in $2^{c \cdot n}$ time? Yes! (for $\ell_2$)
- What is the smallest constant $c$? [NV'09, MP'10, PS'10]: $c < 2.5$ for SVP in $\ell_2$. $c \le 2$ for SVP, SIVP, CVP!
- Is randomization and exponential space useful/necessary? Randomization is not!
- What about other norms and Integer Programming (IP)?

1 Introduction
  - Lattices
  - Lattice Problems
  - Algorithmic Techniques
2 New Algorithm
  - Overview
  - Voronoi Cell
  - CVPP Algorithm
3 Final Remarks and Open Problems

Size Reduction
- $\vec{b}$: (short) lattice vector
- $\vec{c}$: arbitrary point
- Can make $\vec{c}$ shorter by subtracting $\vec{b}$ from it
- Repeat until $\vec{c}$ is closer to $\vec{0}$ than to $\vec{b}$ or $-\vec{b}$
Remarks
- $\vec{c} - \vec{c}\,' \in \Lambda$
- Key step in [LLL'82] basis reduction algorithm
- Technique is used in most other lattice algorithms

Rank reduction: $CVP(\Lambda_n) \le 2^n \cdot CVP(\Lambda_{n-1})$
- Goal: Solve $CVP(\Lambda_n, \vec{t})$
- Partition $\Lambda_n$ into layers of the form $\Lambda_{n-1} + c\,\vec{b}_n$, $c = 2, 1, 3, 0, \ldots$
- Find lattice point $\vec{v}_i$ in each layer closest to (the projection of) $\vec{t}$
- Only need to consider nearby layers
  - Dual LLL: $2^n$ layers
  - Dual SVP: $n$ layers
- Select the best solution $\vec{v}_1$
- Notice: All layers contain same lattice $\Lambda_{n-1}$

Solving CVP by rank reduction
Rank reduction: $CVP(\Lambda_n) \le k \cdot CVP(\Lambda_{n-1})$
- LLL: $k = 2^n$, $T = 2^{n^2}$
- SVP: $k = n$, $T = n^n$
Iterate:
$CVP(\Lambda_n) \le k \cdot CVP(\Lambda_{n-1}) \le \cdots \le k^n\, CVP(\Lambda_1) = k^n$
Our approach
- Exploit the fact that recursive calls use the same lower dimensional sublattices
- Preprocess the lattice to speed up the solution of many CVP instances

CVP with Preprocessing (CVPP)
Problem (CVPP): Find a function $\pi$ and an efficient algorithm CVPP such that
$CVPP(\pi(\Lambda), \vec{t}) = CVP(\Lambda, \vec{t})$
Only the running time of CVPP counts. The function $\pi$ is arbitrary.
Complexity
- Still NP-hard [M'01]!
- [LLS'93, AR'04] approximates within $n^{O(1)}$ in polynomial time
- Polynomial time solutions require $|\pi(\Lambda)| \le n^{O(1)}$
Our work:
- $CVPP(\pi(\Lambda), \vec{t})$ runs in $2^{O(n)}$ time
- $\pi(\Lambda)$ has size $2^{O(n)}$
- $\pi(\Lambda)$ can also be computed in time $2^{O(n)}$

Overview of CVP algorithm
Building blocks:
- $\pi(\Lambda) = \mathcal{V}(\Lambda)$: Voronoi cell of the lattice
- Our approach: $CVP(\Lambda_n) \le CVPP(\mathcal{V}(\Lambda_n)) + \mathcal{V}(\Lambda_n)$
- $CVPP(\mathcal{V}(\Lambda_n))$ algorithm with running time $2^n$
- Voronoi cell computation: $\mathcal{V}(\Lambda_n) \le 2^n\, CVP(\Lambda_n)$
- Dimension reduction: $CVP(\Lambda_n) \le 2^n \cdot CVP(\Lambda_{n-1})$
Computing the Voronoi cell of a lattice:
$$
\begin{aligned}
\mathcal{V}(\Lambda_n) &\le 2^{O(n)}\, CVP(\Lambda_n) \\
&\le 2^{O(n)} \cdot 2^{O(n)} \cdot CVP(\Lambda_{n-1}) \\
&\le 2^{O(n)} \cdot 2^{O(n)} \cdot CVPP(\mathcal{V}(\Lambda_{n-1})) + \mathcal{V}(\Lambda_{n-1}) \\
&\le 2^{O(n)}\, 2^{O(n)}\, 2^{O(n)} + \mathcal{V}(\Lambda_{n-1}) \\
&= 2^{O(n)} + \mathcal{V}(\Lambda_{n-1}) \\
&\le 2^{O(n)} + 2^{O(n)} + \mathcal{V}(\Lambda_{n-2}) \le \ldots \le 2^{O(n)}
\end{aligned}
$$

Voronoi Cell
Definition (Voronoi Cell): Set of points in $\mathbb{R}^n$ closer to $\vec{0}$ than to any other lattice point
$\mathcal{V}(\Lambda) = \{ \vec{x} : \forall \vec{v} \in \Lambda,\ \|\vec{x}\| \le \|\vec{x} - \vec{v}\| \}$

Representing the Voronoi cell
- Each $\vec{v} \in \Lambda$ defines $H_{\vec{v}} = \{ \vec{x} : \|\vec{x}\| \le \|\vec{x} - \vec{v}\| \}$
- $\mathcal{V}$ is the intersection $\mathcal{V} = \bigcap_{\vec{v} \in R} H_{\vec{v}}$, $R \subset \Lambda$
- Not all $\vec{v} \in \Lambda$ are needed
Theorem (Voronoi): The number of relevant points is at most $|R| \le 2 \cdot (2^n - 1)$

Computing $\mathcal{V}(\Lambda_n) \le 2^n\, CVP(\Lambda_n)$
Why is $|R| \le 2 \cdot (2^n - 1)$?
- Partition $\Lambda$ into cosets modulo $2\Lambda$
- There are $2^n - 1$ nonzero cosets
- From each coset, select the pair $\vec{v}, -\vec{v}$ closest to $\vec{0}$
- $R$ is the set of all such pairs
- Each pair is found by a CVP computation in lattice $2\Lambda$
- $CVP(2\Lambda)$ is equivalent to $CVP(\Lambda)$

CVP and Voronoi cell
Definition (CVP): Given $\Lambda$ and $\vec{t}$, find $\vec{v} \in \Lambda$ such that $\vec{t} \in \vec{v} + \mathcal{V}$
- $\vec{t} \in \vec{v} + \mathcal{V} \equiv \vec{t} - \vec{v} \in \mathcal{V}$
- CVP goal: bring $\vec{t}$ inside $\mathcal{V}$ by shifting it by $\vec{v} \in \Lambda$
Algorithm [SFS'09]:
  While $\vec{t} \notin \mathcal{V}$:
    Select $\vec{v} \in R$ with $\vec{t} \notin H_{\vec{v}}$
    size reduce $\vec{t}$ using $\vec{v}$
- [SFS'09] only proves termination
- Question: What is a good selection strategy for $\vec{v} \in R$?

Our selection strategy
- Assume $\vec{t} \in 2\mathcal{V}$
- Goal: find $\vec{t}\,' \in (\vec{t} - \Lambda) \cap \mathcal{V}$
Strategy:
- Compute smallest $k \in \mathbb{R}$ such that $\vec{t} \in k\mathcal{V}$
- Subtract the relevant vector associated to corresponding facet
Why does it work?
- The new vector $\vec{t}\,'$ is shorter than $\vec{t}$
- still $\vec{t}\,' \in 2\mathcal{V}$
- $|(\vec{t} - \Lambda) \cap 2\mathcal{V}| \le 2^n$

Doubling the Voronoi Cell
Solve CVP for any $\vec{t}$:
- Find $k \in \mathbb{Z}$ such that $\vec{t} \in 2^k \mathcal{V}$
- Use $CVP_{2\mathcal{V}}$ to go from $2^k \mathcal{V}$ to $2^{k-1} \mathcal{V}$
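
The following Python is an added example, not code from the talk or the paper. It runs the slides' procedure on a constructed 2-D lattice: relevant vectors from the nonzero cosets of Λ/2Λ, the facet-based selection strategy, and the doubling loop. Assumptions: all function names and the sample basis are made up here, and a bounded exhaustive search stands in for the CVP(2Λ) subroutine, which is only adequate for tiny, short bases.

```python
from fractions import Fraction
from itertools import product

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def relevant_vectors(basis, bound=3):
    """One shortest pair +-v from each nonzero coset of Lambda / 2*Lambda.

    Assumption: exhaustive search over coefficients z + 2y, |y_i| <= bound,
    replaces the CVP(2*Lambda) call; valid only for small, short bases.
    """
    n = len(basis)
    R = []
    for z in product((0, 1), repeat=n):
        if not any(z):
            continue  # the zero coset is 2*Lambda itself
        best = None
        for y in product(range(-bound, bound + 1), repeat=n):
            x = [zi + 2 * yi for zi, yi in zip(z, y)]
            v = tuple(sum(c * b[j] for c, b in zip(x, basis))
                      for j in range(len(basis[0])))
            if best is None or dot(v, v) < dot(best, best):
                best = v
        R += [best, tuple(-c for c in best)]
    return R

def scale_factor(t, R):
    """Smallest k with t in k*V, and the vector of the facet attaining it.

    t in k*V  <=>  2<t,v> <= k<v,v> for every v in R.
    """
    return max((Fraction(2 * dot(t, v), dot(v, v)), v) for v in R)

def slice_into_cell(t, R):
    """Subtract facet vectors until t lies in the cell described by R."""
    steps = 0
    k, v = scale_factor(t, R)
    while k > 1:
        t = tuple(a - b for a, b in zip(t, v))  # strictly shortens t
        steps += 1
        k, v = scale_factor(t, R)
    return t, steps

def cvpp(target, R):
    """Closest lattice vector to target, given the preprocessed set R."""
    t = tuple(Fraction(c) for c in target)
    k, _ = scale_factor(t, R)
    level = 0
    while 2 ** level < k:  # find level with t in 2^level * V
        level += 1
    r, steps = t, 0
    for j in range(level - 1, -1, -1):
        # 2^j * R describes V(2^j * Lambda) = 2^j * V; r lies in twice that cell
        Rj = [tuple(2 ** j * c for c in v) for v in R]
        r, s = slice_into_cell(r, Rj)
        steps += s
    return tuple(a - b for a, b in zip(t, r)), steps

# Constructed sample: basis rows (2,0) and (1,2), integer target (5,3).
BASIS = ((2, 0), (1, 2))
if __name__ == "__main__":
    R = relevant_vectors(BASIS)
    print(sorted(R))
    print(cvpp((5, 3), R))
```

Exact rational arithmetic keeps the facet test $2\langle \vec{t}, \vec{v} \rangle \le \langle \vec{v}, \vec{v} \rangle$ free of rounding error, so a target on the boundary of the cell is handled deterministically.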