solving all lattice problems in deterministic single
play

Solving All Lattice Problems in Deterministic Single Exponential - PowerPoint PPT Presentation

Sep 15, 2022 •132 likes •1.33k views

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (UCSD) (Joint work with P. Voulgaris, STOC 2010) Barriers II Workshop, Princeton August 27, 2010 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  1. Complexity of SVP, SIVP, CVP Efficient (dimension preserving) reductions SVP, SIVP ≤ CVP [GMSS’99, M’08] Fastest previous algorithm SVP,SIVP,CVP ,IP: [Kannan’87] runs in n O ( n ) time SVP: [AKS’01] runs in randomized 2 O ( n ) time and space Algorithms work in any ℓ p norm [BN’07] Barriers Can CVP, SIVP also be solved in 2 c · n time? Yes! (for ℓ 2 ) What is the smallest constant c ? [NV’09,MP’10,PS’10]: c < 2 . 5 for SVP in ℓ 2 . c ≤ 2 for SVP,SIVP,CVP! Is randomization and exponential space useful/necessary? Randomization is not! What about other norms and Integer Programming (IP)? CVP in deterministic 2 O ( n ) time Daniele Micciancio

  2. Introduction Lattices 1 Lattice Problems Algorithmic Techniques New Algorithm 2 Overview Voronoi Cell CVPP Algorithm Final Remarks and Open Problems 3 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  3. Size Reduction � b : (short) lattice vector � c : arbitrary point � c � b 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  4. Size Reduction � b : (short) lattice vector � c : arbitrary point � c Can make � c shorter by subtracting � b from it � b 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  5. Size Reduction � b : (short) lattice vector � c : arbitrary point c � Can make � c shorter by c ′ � subtracting � b from it c closer to � Repeat until � 0 than to � b � b 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  6. Size Reduction � b : (short) lattice vector � c : arbitrary point � c Can make � c shorter by c ′ � subtracting � b from it c closer to � Repeat until � 0 than to � b or − � b � Remarks b c ′ ∈ Λ 0 � c − � Key step in [LLL’82] basis reduction algorithm Technique is used in most other lattice algorithms CVP in deterministic 2 O ( n ) time Daniele Micciancio

  7. Rank reduction Goal: Solve CVP (Λ n ,� t ) � t 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  8. Rank reduction Goal: Solve CVP (Λ n ,� t ) Partition Λ n into layers of the form: Λ n − 1 + c � b n , � t c = 2 , 1 , 3 , 0 , . . . � b 2 0 � b 1 Λ 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  9. Rank reduction Goal: Solve CVP (Λ n ,� t ) Partition Λ n into layers of � t 1 the form: Λ n − 1 + c � b n , � v 1 � t c = 2 , 1 , 3 , 0 , . . . Find lattice point � v i in each layer closest to (the projection of) � t 0 Λ 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  10. Rank reduction Goal: Solve CVP (Λ n ,� t ) Partition Λ n into layers of the form: Λ n − 1 + c � b n , � v 1 � t c = 2 , 1 , 3 , 0 , . . . v 2 � Find lattice point � v i in each � t 2 layer closest to (the projection of) � t 0 Λ 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  11. Rank reduction � v 3 Goal: Solve CVP (Λ n ,� t ) � t 3 Partition Λ n into layers of the form: Λ n − 1 + c � b n , � v 1 � t c = 2 , 1 , 3 , 0 , . . . v 2 � Find lattice point � v i in each layer closest to (the projection of) � t 0 Λ 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  12. Rank reduction � v 3 Goal: Solve CVP (Λ n ,� t ) Partition Λ n into layers of the form: Λ n − 1 + c � b n , � v 1 � t c = 2 , 1 , 3 , 0 , . . . � v 2 Find lattice point � v i in each layer closest to (the � t 4 projection of) � t � v 4 0 Λ 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  13. Rank reduction � v 3 Goal: Solve CVP (Λ n ,� t ) Partition Λ n into layers of the form: Λ n − 1 + c � b n , � v 1 � t c = 2 , 1 , 3 , 0 , . . . v 2 � Find lattice point � v i in each layer closest to (the projection of) � t � v 4 Only need to consider 0 Λ 1 nearby layers Dual LLL: 2 n layers Dual SVP: n layers CVP in deterministic 2 O ( n ) time Daniele Micciancio

  14. Rank reduction � v 3 Goal: Solve CVP (Λ n ,� t ) Partition Λ n into layers of the form: Λ n − 1 + c � b n , � v 1 � t c = 2 , 1 , 3 , 0 , . . . v 2 � Find lattice point � v i in each layer closest to (the projection of) � t � v 4 Only need to consider 0 Λ 1 nearby layers Dual LLL: 2 n layers Dual SVP: n layers Select the best solution � v 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  15. Rank reduction: CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) � v 3 Goal: Solve CVP (Λ n ,� t ) Partition Λ n into layers of the form: Λ n − 1 + c � b n , � v 1 � t c = 2 , 1 , 3 , 0 , . . . v 2 � Find lattice point � v i in each layer closest to (the projection of) � t � v 4 Only need to consider 0 Λ 1 nearby layers Dual LLL: 2 n layers Dual SVP: n layers Select the best solution � v 1 Notice: All layers contain same lattice Λ n − 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  16. Introduction Lattices 1 Lattice Problems Algorithmic Techniques New Algorithm 2 Overview Voronoi Cell CVPP Algorithm Final Remarks and Open Problems 3 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  17. Solving CVP by rank reduction Rank reduction CVP (Λ n ) ≤ k · CVP (Λ n − 1 ) LLL: k = 2 n , SVP: k = n , CVP in deterministic 2 O ( n ) time Daniele Micciancio

  18. Solving CVP by rank reduction Rank reduction CVP (Λ n ) ≤ k · CVP (Λ n − 1 ) LLL: k = 2 n , T = 2 n 2 SVP: k = n , T = n n Iterate: CVP (Λ n ) ≤ k · CVP (Λ n − 1 ) ≤ · · · ≤ k n CVP (Λ 1 ) = k n CVP in deterministic 2 O ( n ) time Daniele Micciancio

  19. Solving CVP by rank reduction Rank reduction CVP (Λ n ) ≤ k · CVP (Λ n − 1 ) LLL: k = 2 n , T = 2 n 2 SVP: k = n , T = n n Iterate: CVP (Λ n ) ≤ k · CVP (Λ n − 1 ) ≤ · · · ≤ k n CVP (Λ 1 ) = k n Our approach Exploit the fact that recursive calls use the same lower dimensional sublattices Preprocess the lattice to speed up the solution of many CVP instances CVP in deterministic 2 O ( n ) time Daniele Micciancio

  20. CVP with Preprocessing (CVPP) Problem (CVPP) Find a function π and an efficient algorithm CVPP such that CVPP ( π (Λ) ,� t ) = CVP (Λ ,� t ) Only the running time of CVPP counts. The function π is arbitrary. CVP in deterministic 2 O ( n ) time Daniele Micciancio

  21. CVP with Preprocessing (CVPP) Problem (CVPP) Find a function π and an efficient algorithm CVPP such that CVPP ( π (Λ) ,� t ) = CVP (Λ ,� t ) Only the running time of CVPP counts. The function π is arbitrary. Complexity Still NP-hard [M’01]! [LLS’93,AR’04] approximates within n O (1) in polynomial time Polynomial time solutions require | π (Λ) | ≤ n O (1) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  22. CVP with Preprocessing (CVPP) Problem (CVPP) Find a function π and an efficient algorithm CVPP such that CVPP ( π (Λ) ,� t ) = CVP (Λ ,� t ) Only the running time of CVPP counts. The function π is arbitrary. Complexity Still NP-hard [M’01]! [LLS’93,AR’04] approximates within n O (1) in polynomial time Polynomial time solutions require | π (Λ) | ≤ n O (1) Our work: t ) runs in 2 O ( n ) time CVPP ( π (Λ) ,� CVP in deterministic 2 O ( n ) time Daniele Micciancio

  23. CVP with Preprocessing (CVPP) Problem (CVPP) Find a function π and an efficient algorithm CVPP such that CVPP ( π (Λ) ,� t ) = CVP (Λ ,� t ) Only the running time of CVPP counts. The function π is arbitrary. Complexity Still NP-hard [M’01]! [LLS’93,AR’04] approximates within n O (1) in polynomial time Polynomial time solutions require | π (Λ) | ≤ n O (1) Our work: t ) runs in 2 O ( n ) time CVPP ( π (Λ) ,� π (Λ) has size 2 O ( n ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  24. CVP with Preprocessing (CVPP) Problem (CVPP) Find a function π and an efficient algorithm CVPP such that CVPP ( π (Λ) ,� t ) = CVP (Λ ,� t ) Only the running time of CVPP counts. The function π is arbitrary. Complexity Still NP-hard [M’01]! [LLS’93,AR’04] approximates within n O (1) in polynomial time Polynomial time solutions require | π (Λ) | ≤ n O (1) Our work: t ) runs in 2 O ( n ) time CVPP ( π (Λ) ,� π (Λ) has size 2 O ( n ) π (Λ) can also be computed in time 2 O ( n ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  25. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice CVP in deterministic 2 O ( n ) time Daniele Micciancio

  26. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  27. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n CVP in deterministic 2 O ( n ) time Daniele Micciancio

  28. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  29. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  30. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: V (Λ n ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  31. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: V (Λ n ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  32. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  33. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  34. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ 2 O ( n ) · 2 O ( n ) · CVP (Λ n − 1 ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  35. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ 2 O ( n ) · 2 O ( n ) · CVP (Λ n − 1 ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  36. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ 2 O ( n ) · 2 O ( n ) · CVP (Λ n − 1 ) ≤ 2 O ( n ) · 2 O ( n ) · CVPP ( V (Λ n − 1 )) + V (Λ n − 1 ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  37. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ 2 O ( n ) · 2 O ( n ) · CVP (Λ n − 1 ) ≤ 2 O ( n ) · 2 O ( n ) · CVPP ( V (Λ n − 1 )) + V (Λ n − 1 ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  38. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ 2 O ( n ) · 2 O ( n ) · CVP (Λ n − 1 ) ≤ 2 O ( n ) · 2 O ( n ) · CVPP ( V (Λ n − 1 )) + V (Λ n − 1 ) ≤ 2 O ( n ) 2 O ( n ) 2 O ( n ) + V (Λ n − 1 ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  39. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ 2 O ( n ) · 2 O ( n ) · CVP (Λ n − 1 ) ≤ 2 O ( n ) · 2 O ( n ) · CVPP ( V (Λ n − 1 )) + V (Λ n − 1 ) ≤ 2 O ( n ) 2 O ( n ) 2 O ( n ) + V (Λ n − 1 ) ≤ 2 O ( n ) + V (Λ n − 1 ) = CVP in deterministic 2 O ( n ) time Daniele Micciancio

  40. Overview of CVP algorithm Building blocks: π (Λ) = V (Λ): Voronoi cell of the lattice Our approach: CVP (Λ n ) ≤ CVPP ( V (Λ n )) + V (Λ n ) CVPP ( V (Λ n )) algorithm with running time 2 n Voronoi cell computation V (Λ n ) ≤ 2 n CVP (Λ n ) Dimension reduction CVP (Λ n ) ≤ 2 n · CVP (Λ n − 1 ) Computing the Voronoi cell of a lattice: 2 O ( n ) CVP (Λ n ) V (Λ n ) ≤ 2 O ( n ) · 2 O ( n ) · CVP (Λ n − 1 ) ≤ 2 O ( n ) · 2 O ( n ) · CVPP ( V (Λ n − 1 )) + V (Λ n − 1 ) ≤ 2 O ( n ) 2 O ( n ) 2 O ( n ) + V (Λ n − 1 ) ≤ 2 O ( n ) + V (Λ n − 1 ) = 2 O ( n ) + 2 O ( n ) + V (Λ n − 2 ) ≤ . . . ≤ 2 O ( n ) ≤ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  41. Introduction Lattices 1 Lattice Problems Algorithmic Techniques New Algorithm 2 Overview Voronoi Cell CVPP Algorithm Final Remarks and Open Problems 3 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  42. Voronoi Cell Definition (Voronoit Cell) Set of points in R n closer to 0 than to any other lattice point V (Λ) = { � x : ∀ � v ∈ Λ , � � x � ≤ � � x − � v �} 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  43. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} � v 1 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  44. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} V is the intersection � v 1 � V = H � v � v 2 � v ∈ Λ 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  45. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} V is the intersection � v 1 � V = H � v � v 2 � v ∈ Λ 0 � v 3 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  46. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} V is the intersection � v 1 � V = H � v � v 2 � v ∈ Λ � v 4 0 � v 3 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  47. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} V is the intersection � v 1 � V = H � v � v 2 � v ∈ Λ � v 4 0 � v 3 v 5 � CVP in deterministic 2 O ( n ) time Daniele Micciancio

  48. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} V is the intersection � v 1 � v 6 � V = H � v � v 2 � v ∈ Λ � v 4 0 � v 3 � v 5 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  49. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} V is the intersection � v 1 � v 6 � V = H � v , R ⊂ Λ � v 2 � v ∈ R � v 4 0 Not all � v ∈ Λ are needed � v 3 v 5 � CVP in deterministic 2 O ( n ) time Daniele Micciancio

  50. Representing the Voronoi cell Each � v ∈ Λ defines H � v = { � x : � � x � ≤ � � x − � v �} V is the intersection � v 1 � v 6 � V = H � v , R ⊂ Λ � v 2 � v ∈ R � v 4 0 Not all � v ∈ Λ are needed � v 3 v 5 � Theorem (Voronoi) The numer of relevant points is at most | R | ≤ 2 · (2 n − 1) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  51. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? � v 1 − � v 3 � v 2 0 − � v 2 � v 3 − � v 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  52. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  53. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero cosets 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  54. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero cosets From each coset, select the v closest to � pair � v , − � 0 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  55. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero � cosets v 1 From each coset, select the v closest to � pair � v , − � 0 0 − � v 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  56. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero � cosets v 1 From each coset, select the v closest to � pair � v , − � 0 0 − � v 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  57. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero � cosets v 1 From each coset, select the � v 2 v closest to � pair � v , − � 0 0 − � v 2 − � v 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  58. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero � cosets v 1 From each coset, select the � v 2 v closest to � pair � v , − � 0 0 − � v 2 − � v 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  59. Computing V (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero � cosets v 1 From each coset, select the − � v 3 � v 2 v closest to � pair � v , − � 0 0 − � v 2 � v 3 − � v 1 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  60. Computing V (Λ n ) ≤ 2 n CVP (Λ n ) Why is | R | ≤ 2 · (2 n − 1)? Partition Λ into cosets modulo 2Λ There are 2 n − 1 nonzero � cosets v 1 From each coset, select the − � v 3 � v 2 v closest to � pair � v , − � 0 0 R is the set of all such pairs − � v 2 � v 3 Each pair is found by a CVP computation in lattice 2Λ − � v 1 CVP (2Λ) is equivalent to CVP (Λ) CVP in deterministic 2 O ( n ) time Daniele Micciancio

  61. Introduction Lattices 1 Lattice Problems Algorithmic Techniques New Algorithm 2 Overview Voronoi Cell CVPP Algorithm Final Remarks and Open Problems 3 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  62. CVP and Voronoi cell Definition (CVP) Given Λ and � t , find � v ∈ Λ such that � t ∈ � v + V � v � t 0 CVP in deterministic 2 O ( n ) time Daniele Micciancio

  63. CVP and Voronoi cell Definition (CVP) Given Λ and � t , find � v ∈ Λ such that � t ∈ � v + V v � � t � v + V ≡ � t ∈ � t − � v ∈ V 0 � t ’ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  64. CVP and Voronoi cell Definition (CVP) Given Λ and � t , find � v ∈ Λ such that � t ∈ � v + V v � � t � v + V ≡ � t ∈ � t − � v ∈ V CVP goal: bring � t inside V by shifting it by � v ∈ Λ 0 � t ’ CVP in deterministic 2 O ( n ) time Daniele Micciancio

  65. CVP and Voronoi cell Definition (CVP) Given Λ and � t , find � v ∈ Λ such that � t ∈ � v + V � v � t � v + V ≡ � t ∈ � t − � v ∈ V CVP goal: bring � t inside V by shifting it by � v ∈ Λ 0 Algorithm [SFS’09]: � t ’ While � t / ∈ V : v ∈ R . � Select � t / ∈ H � v size reduce � t using � v CVP in deterministic 2 O ( n ) time Daniele Micciancio

  66. CVP and Voronoi cell Definition (CVP) Given Λ and � t , find � v ∈ Λ such that � t ∈ � v + V � v � t � v + V ≡ � t ∈ � t − � v ∈ V CVP goal: bring � t inside V by shifting it by � v ∈ Λ 0 Algorithm [SFS’09]: � t ’ While � t / ∈ V : v ∈ R . � Select � t / ∈ H � v size reduce � t using � v [SFS’09] only proves termination CVP in deterministic 2 O ( n ) time Daniele Micciancio

  67. CVP and Voronoi cell Definition (CVP) Given Λ and � t , find � v ∈ Λ such that � t ∈ � v + V � v � t � v + V ≡ � t ∈ � t − � v ∈ V CVP goal: bring � t inside V by shifting it by � v ∈ Λ 0 Algorithm [SFS’09]: � t ’ While � t / ∈ V : v ∈ R . � Select � t / ∈ H � v size reduce � t using � v [SFS’09] only proves termination Question: What is a good selection strategy for � v ∈ R ? CVP in deterministic 2 O ( n ) time Daniele Micciancio

  68. Our selection strategy Assume � t ∈ 2 V 0 � t CVP in deterministic 2 O ( n ) time Daniele Micciancio

  69. Our selection strategy Assume � t ∈ 2 V t ′ ∈ � Goal: find � t − Λ ∩ V : 0 � t CVP in deterministic 2 O ( n ) time Daniele Micciancio

  70. Our selection strategy Assume � t ∈ 2 V t ′ ∈ � Goal: find � t − Λ ∩ V : Strategy: Compute smallest k ∈ R such that � t ∈ k V � u 1 0 � t CVP in deterministic 2 O ( n ) time Daniele Micciancio

  71. Our selection strategy Assume � t ∈ 2 V t ′ ∈ � Goal: find � t − Λ ∩ V : Strategy: Compute smallest k ∈ R such that � t ∈ k V Subtract the relevant vector associated to corresponding facet � u 1 0 � t ′ � t CVP in deterministic 2 O ( n ) time Daniele Micciancio

  72. Our selection strategy Assume � t ∈ 2 V t ′ ∈ � Goal: find � t − Λ ∩ V : Strategy: Compute smallest k ∈ R such that � t ∈ k V Subtract the relevant vector associated to corresponding facet � u 1 Why does it work? 0 � t ′ � t CVP in deterministic 2 O ( n ) time Daniele Micciancio

  73. Our selection strategy Assume � t ∈ 2 V t ′ ∈ � Goal: find � t − Λ ∩ V : Strategy: Compute smallest k ∈ R such that � t ∈ k V Subtract the relevant vector associated to corresponding facet � u 1 Why does it work? 0 t ′ is The new vector � � t ′ shorter than � t � t CVP in deterministic 2 O ( n ) time Daniele Micciancio

  74. Our selection strategy Assume � t ∈ 2 V t ′ ∈ � Goal: find � t − Λ ∩ V : Strategy: Compute smallest k ∈ R such that � t ∈ k V Subtract the relevant vector associated to corresponding facet � u 1 Why does it work? 0 t ′ is The new vector � � t ′ shorter than � t � t ′ ∈ 2 V t still � CVP in deterministic 2 O ( n ) time Daniele Micciancio

  75. Our selection strategy Assume � t ∈ 2 V t ′ ∈ � Goal: find � t − Λ ∩ V : Strategy: Compute smallest k ∈ R such that � t ∈ k V Subtract the relevant vector associated to corresponding facet � u 1 Why does it work? 0 t ′ is The new vector � � t ′ shorter than � t � t ′ ∈ 2 V t still � | ( � t − Λ) ∩ 2 V| ≤ 2 n CVP in deterministic 2 O ( n ) time Daniele Micciancio

  76. Doubling the Voronoi Cell Solve CVP for any � t : Find � k ∈ Z such that � t ∈ 2 k V Use CVP 2 V to go from 2 k V � t to 2 k − 1 V CVP in deterministic 2 O ( n ) time Daniele Micciancio

  77. Doubling the Voronoi Cell Solve CVP for any � t : Find � k ∈ Z such that � t ∈ 2 k V Use CVP 2 V to go from 2 k V � t to 2 k − 1 V CVP in deterministic 2 O ( n ) time Daniele Micciancio

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (Joint

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (Joint

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 CVP in deterministic 2 O ( n ) time Daniele Micciancio Lattices Traditional area of

510 views • 22 slides
Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (UCSD)

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (UCSD)

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (UCSD) (Joint work with P. Voulgaris, STOC 2010) Barriers II Workshop, Princeton August 27, 2010 CVP in deterministic 2 O ( n ) time Daniele Micciancio

1.44k views • 107 slides
Solving Non-deterministic Planning Problems with Pattern Database Heuristics Pascal Bercher

Solving Non-deterministic Planning Problems with Pattern Database Heuristics Pascal Bercher

, Formalization &amp; Search PDB-Heuristic Benchmarks Conclusion Solving Non-deterministic Planning Problems with Pattern Database Heuristics Pascal Bercher Robert Mattm uller Institute of Artificial Intelligence Department of Computer

865 views • 28 slides
1 Solving MDPs Example Optimal Policies In deterministic single-agent search problems, want

1 Solving MDPs Example Optimal Policies In deterministic single-agent search problems, want

Announcements Introduction to Artificial Intelligence Assignment 1 graded V22.0472-001 Fall 2009 Come and see me after class if you have Lecture 9: Markov Decision Processes Lecture 9: Markov Decision Processes questions questions Rob

290 views • 6 slides
Solving Percent Problems Word Problems Find a Pattern Estimation Problems Fraction Problems

Solving Percent Problems Word Problems Find a Pattern Estimation Problems Fraction Problems

Slide 1 / 142 Slide 2 / 142 Table of Contents Strategies &amp; Plans for Problem Solving Rate Problems Solving Percent Problems Word Problems Find a Pattern Estimation Problems Fraction Problems Pre-Algebra LCM / GCF Problems Combination

477 views • 24 slides
Deterministic walks on a square lattice Ra ul Rechtman Instituto de Energ as Renovables,

Deterministic walks on a square lattice Ra ul Rechtman Instituto de Energ as Renovables,

Deterministic walks on a square lattice Ra ul Rechtman Instituto de Energ as Renovables, Universidad Nacional Aut onoma de M exico, Temixco, Mor., Mexico rrs@cie.unam.mx Advances in Nonequilibrium Statistical Mechanics: large

929 views • 65 slides
Foundations of AI 3. Solving Problems by Searching Problem-Solving Agents, Formulating

Foundations of AI 3. Solving Problems by Searching Problem-Solving Agents, Formulating

Foundations of AI 3. Solving Problems by Searching Problem-Solving Agents, Formulating Problems, Search Strategies Luc De Raedt and Wolfram Burgard and Bernhard Nebel Contents Problem-Solving Agents Formulating Problems Problem

662 views • 41 slides
Solving Word Problems The strategy for solving word problems, presented in written form, may be

Solving Word Problems The strategy for solving word problems, presented in written form, may be

Solving Word Problems The strategy for solving word problems, presented in written form, may be summarized in three words: Alan H. SteinUniversity of Connecticut Solving Word Problems The strategy for solving word problems, presented in written

877 views • 49 slides
Contents Foundations of Artificial Intelligence Problem-Solving Agents 1 3. Solving Problems by

Contents Foundations of Artificial Intelligence Problem-Solving Agents 1 3. Solving Problems by

Contents Foundations of Artificial Intelligence Problem-Solving Agents 1 3. Solving Problems by Searching Formulating Problems 2 Problem-Solving Agents, Formulating Problems, Search Strategies Problem Types 3 Wolfram Burgard, Bernhard

319 views • 12 slides
The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single

The lattice model (continued) This satisfies the definition of lattice. There is a single source and sink. The least upper bound of the security classes {x} and {z} is {x,z} and the greatest lower bound of the security classes {x,y} and

698 views • 31 slides
Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule

Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule

Solving Very Hard Problems: Cube-and-Conquer, a Hybrid SAT Solving Method Marijn J.H. Heule Joint work with Armin Biere, Oliver Kullmann, and Victor W. Marek Parallel Constraint Reasoning August 6, 2017 1/19 Satisfiability (SAT) Solving Has

463 views • 31 slides
Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International Complexity 2007 1 / 12 Lattices and Their Problems Let B = { b 1 , . . . , b n } R n be linearly independent. The n -dim lattice L having basis B is:

902 views • 58 slides
Continuous Improvement Solving Problems That Change Lives CI Skills Development Problem Solving

Continuous Improvement Solving Problems That Change Lives CI Skills Development Problem Solving

Continuous Improvement Solving Problems That Change Lives CI Skills Development Problem Solving Identify and solve the root causes of problems using CI tools 2 Agenda Welcome Ground Rules Introductions Problem Solving Tools

1.37k views • 51 slides
Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan Lattice QCD and Nuclei Nuclear theory predictions are needed to extract or constrain new physics from intensity frontier experiments Lattice QCD can

359 views • 20 slides
Solving Problems by Searching Chapter 3 Ch. 03 p.1/49 Outline Problem-solving agents

Solving Problems by Searching Chapter 3 Ch. 03 p.1/49 Outline Problem-solving agents

Solving Problems by Searching Chapter 3 Ch. 03 p.1/49 Outline Problem-solving agents Problem types Problem formulation Example problems Basic search algorithms Ch. 03 p.2/49 Problem-solving agents

1.4k views • 49 slides
Solving AI Planning Problems with SAT SAT solving Invariants Conclusion References Jussi

Solving AI Planning Problems with SAT SAT solving Invariants Conclusion References Jussi

Planning with SAT Introduction Encodings Solver Calls Solving AI Planning Problems with SAT SAT solving Invariants Conclusion References Jussi Rintanen EPCL, Dresden, November 2013 Reduction of AI Planning to SAT Kautz and Selman 1992

1.49k views • 111 slides
10thWEST AFRICAN INTERNET GOVERNANCE FORUM (WAIGF 2018) BURKINA FASO TOPIC : Digital Economy and

10thWEST AFRICAN INTERNET GOVERNANCE FORUM (WAIGF 2018) BURKINA FASO TOPIC : Digital Economy and

10thWEST AFRICAN INTERNET GOVERNANCE FORUM (WAIGF 2018) BURKINA FASO TOPIC : Digital Economy and Blockchain Technology Dr. Steven Bassey (Ph.D., DTh, CPMA, CEH, CHFI, USLPI/CSM, EC Council Certified) Chair Subcommittee on Data Protection

866 views • 14 slides
Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction Lattices based Signatures Before Gaussian Sampling Preventing Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

984 views • 67 slides
Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash algorithms NIST SHA-3 Competition MD6 Algorithm and Mode of Operation Research Objective Approach Introduction to hash algorithms Hash

454 views • 14 slides
DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

458 views • 22 slides
A tale of quantum computers Alexandru Gheorghiu gheorghiuandru@gmail.com The University of

A tale of quantum computers Alexandru Gheorghiu gheorghiuandru@gmail.com The University of

A tale of quantum computers Alexandru Gheorghiu gheorghiuandru@gmail.com The University of Edinburgh I V N E U R S E I H T Y T O H F G R E U D B I N A long time ago in a galaxy not so far away... Quantum Mechanics

1.64k views • 131 slides
Submittal of Plans Project Development Memo 01 10 Future of KYTC Plan Submittals

Submittal of Plans Project Development Memo 01 10 Future of KYTC Plan Submittals

Submittal of Plans Project Development Memo 01 10 Future of KYTC Plan Submittals Process for Plan Submittal Importance of the Index Files Request for InRoads Data Final contract plans plotted on mylar and signed by the

439 views • 18 slides
Auditors report on XBRL-based financial statements in the Netherlands November 6, 2015 About

Auditors report on XBRL-based financial statements in the Netherlands November 6, 2015 About

Auditors report on XBRL-based financial statements in the Netherlands November 6, 2015 About me Experience: 2011 - present Thauris : Managing director 2010 - present Logius: Consultant to SBR program 2003 - 2011 PwC : Senior Manager

632 views • 17 slides
E-ID, MOBILEID 7.9.2016 HARALDUR BJARNASON, CEO, AUKENNI AUKENNI Aukenni was founded

E-ID, MOBILEID 7.9.2016 HARALDUR BJARNASON, CEO, AUKENNI AUKENNI Aukenni was founded

E-ID, MOBILEID 7.9.2016 HARALDUR BJARNASON, CEO, AUKENNI AUKENNI Aukenni was founded by banks and others in 2000 Currently owned by all banks and one of the major Telco in Iceland Since the turn of the century Icelandic

675 views • 31 slides

More recommend