Using Discrete Gaussian Sampling Divesh Aggarwal National - - PowerPoint PPT Presentation

Solving SVP and CVP in 2𝑜 Time Using Discrete Gaussian Sampling

Divesh Aggarwal

National University of Singapore (NUS)

Daniel Dadush

Centrum Wiskunde en Informatica (CWI)

Oded Regev Noah Stephens-Davidowitz

New York University (NYU)

A lattice ℒ ⊆ ℝ𝑜 is all integral combinations of some basis B = 𝑐1, … , 𝑐𝑜 . ℒ(𝐶) denotes lattice generated by 𝐶.

ℒ

𝑐1 𝑐2

Lattices

Act I: The Shortest Vector Problem

Shortest Vector Problem (SVP)

Given: Lattice basis 𝐶 𝜗 ℚ𝑜×𝑜. Goal: Compute shortest non-zero vector in ℒ(𝐶).

ℒ

𝑧

Shortest Vector Problem (SVP)

𝜇1 ℒ = length of shortest non-zero vector

ℒ

𝑧

𝜇1 ℒ

Algorithms for SVP

Time Space

[Kan86,HS07,MW15]

(Enumeration)

𝑜𝑃(𝑜) poly 𝑜

[AKS01]

(Sieving)

2𝑃(𝑜) 2𝑃(𝑜)

[NV08, PS09, MV10a, …]

22.465𝑜+𝑝(𝑜) 21.233𝑜+𝑝(𝑜)

[MV10b]

(Voronoi cell, deterministic, CVP)

22𝑜+𝑝(𝑜) 2𝑜+𝑝(𝑜)

[ADRS15]

2𝑜+𝑝(𝑜) 2𝑜+𝑝(𝑜)

Our Algorithm

Gaussian Distribution

Gaussian Distribution

Discrete Gaussian Distribution

Discrete Gaussian Distribution

Discrete Gaussian Distribution

Discrete Gaussian Distribution

Discrete Gaussian Distribution

Discrete Gaussian Distribution

Discrete Gaussian Distribution

Discrete Gaussian Distribution

shortest vector!

If we can obtain “enough” samples from the discrete Gaussian with the “right” (small) parameter, then we can solve SVP.

Discrete Gaussian Distribution

We need at most 1.38𝑜 vectors with 𝑡 ≈ 𝜇1 ℒ / 𝑜 [KL78]. (uses bounds on the kissing number) 𝐸ℒ,𝑡 is very well-studied for very high parameters, 𝑡 ≿ 𝜇𝑜(ℒ), i.e. above the “smoothing parameter” of the lattice. [Kle00, GPV08] show how to sample in this regime in polynomial time. (Previously could not do much better, even in exponential time.)

Discrete Gaussian Distribution

Easy Hard

Can we use samples from the LHS to get samples from the RHS?

Our goal

[Kle00, GPV08]

Discrete Gaussian Distribution

= 2

Discrete Gaussian Distribution

= ? 2

Discrete Gaussian Distribution

Discrete Gaussian Distribution

What if we condition on the result being in the lattice? Progress! Unfortunately, this requires us to throw out a lot of vectors. We only keep one from every ≈ 2𝑜 vectors each time we do this, leading to a very slow algorithm!

Converting Gaussian Vectors

+ = 2

Converting Gaussian Vectors

+ = 2 ?

Converting Gaussian Vectors

Converting Gaussian Vectors

What about the average of two discrete Gaussian vectors conditioned on the result being in the lattice?

Converting Gaussian Vectors

When do we have ?

We have 𝑧1 + 𝑧2 2 ∈ ℒ if and only if 𝑧1, 𝑧2 are in the same coset of 2ℒ . (Note that there are 2𝑜 cosets)

Converting Gaussian Vectors

What about the average of two discrete Gaussian vectors conditioned on the result being in the lattice?

Converting Gaussian Vectors

What about the average of two discrete Gaussian vectors conditioned on the result being in the lattice?

Converting Gaussian Vectors

ℒ × ℒ ℒ† = { 𝑧1, 𝑧2 ∶ 𝑧1 ≡ 𝑧2 mod 2ℒ }

avg 𝑧1, 𝑧2 = (𝑧1+𝑧2

2

, 𝑧1−𝑧2

2

)

What about the average of two discrete Gaussian vectors conditioned on the result being in the lattice?

Converting Gaussian Vectors

avg ℒ†

What about the average of two discrete Gaussian vectors conditioned on the result being in the lattice?

Converting Gaussian Vectors

= ℒ × ℒ

𝑧1, 𝑧2 ∼ 𝐸ℒ†,𝑡 ⇒ avg 𝑧1, 𝑧2 ∼ 𝐸ℒ×ℒ,

𝑡 2

Progress!

Converting Gaussian Vectors

avg ℒ† = ℒ × ℒ avg 𝑧1, 𝑧2 =

𝑧1+𝑧2 2

, 𝑧1−𝑧2

2

= (y1, 𝑧2) 2

If we sample 𝑧1, 𝑧2~𝐸ℒ,𝑡, then their average will be distributed as 𝐸ℒ,

𝑡 2,

if we condition on the result being in the lattice.

Pr

𝑧1,𝑧2~𝐸ℒ,𝑡 𝑧1+𝑧2 2

= 𝑧 | 𝑧1+𝑧2

2

∈ ℒ Pr 𝐸ℒ,𝑡 ∈ 𝒅

2

Pr

𝑧1,𝑧2~𝐸2ℒ+𝒅,𝑡 𝑧1+𝑧2 2

= 𝑧

∝ 𝒅∈ℒ(mod 2ℒ)

Stitching a Discrete Gaussian Together

Generating a single 𝑬𝓜,

𝒕 𝟑 sample:

• 1. Sample 𝒅 ∈ ℒ (𝑛𝑝𝑒 2ℒ) with probability ∝ Pr Dℒ,𝑡 ∈ 𝒅

2.

• 2. Output (𝑍

1 + 𝑍 2)/2 where 𝑍 1, 𝑍 2 ∼ 𝐸2ℒ+𝒅,𝑡.

Discrete Gaussian Combiner

Input: 𝑍

1, … , 𝑍 𝑁 iid 𝐸ℒ,𝑡 samples (𝑁 ≈ 2𝑜)

• 1. “Bucket” samples according to their coset (mod 2ℒ).
• 2. Repeat many times:
• 1. Sample coset 𝒅 with probability ∝ Pr Dℒ,𝑡 ∈ 𝒅

2.

• 2. Output (𝑍

𝑗 + 𝑍 𝑘)/2, for 𝑍 𝑗, 𝑍 𝑘 ∈ 𝒅.

• 3. Remove 𝑍

𝑗, 𝑍 𝑘 from list.

Don’t have access to this distribution!

Rejection Sampling

Achieving ∝ 𝐐𝐬 𝑬𝓜,𝒕 ∈ 𝒅

𝟑:

First Pass: Sample 𝒅 ∼ 𝐸ℒ,𝑡 (mod 2ℒ). Accept 𝒅 with probability Pr[𝐸ℒ,𝑡 ∈ 𝒅] o/w reject. Implementation: Sample 𝑍

1 ∼ 𝐸ℒ,𝑡 and let 𝒅 be 𝑍 1 (mod 2ℒ).

Sample 𝑍

2 ∼ 𝐸ℒ,𝑡.

Output 𝒅 if 𝑍

1 ≡ 𝑍 2 (mod 2ℒ).

Same as trivial strategy!

Rejection Sampling

Achieving ∝ 𝐐𝐬 𝑬𝓜,𝒕 ∈ 𝒅

𝟑:

Second Try: Sample 𝒅 ∼ 𝐸ℒ,𝑡 (mod 2ℒ). Accept 𝒅 with probability

Pr 𝐸ℒ,𝑡∈𝒅 𝑞max

• /w reject,

where 𝑞max = max

𝒄∈ℒ(mod 2ℒ) Pr[𝐸ℒ,𝑡 ∈ 𝒄]

Implementation: ???

Discrete Gaussian Combiner

Input: 𝑍

1, … , 𝑍 𝑁 iid 𝐸ℒ,𝑡 samples (𝑁 ≈ 2𝑜)

Use first 𝑁/6 samples to estimate 𝑞max.

𝟐 … 𝑁𝑞max/3

ℒ(𝑛𝑝𝑒 2ℒ) 2𝑜 buckets # samples in each bucket

First 1 𝑞max samples Last 1 𝑞max samples ⋯

Discrete Gaussian Combiner

Input: 𝑍

1, … , 𝑍 𝑁 iid 𝐸ℒ,𝑡 samples (𝑁 ≈ 2𝑜)

• 1. Compute 𝑞max and bucket counts (previous slide).
• 2. For 𝑗 ranging over last 𝑁/6 samples:
• 1. Let 𝒅 = 𝑍

𝑗 (𝑛𝑝𝑒 2ℒ).

• 2. Find first unused bucket count 𝑙𝒅 for coset 𝒅.
• 3. With probability min {1,

𝑙𝒅 𝑜𝑃(1)},

• utput (𝑍

𝑗 + 𝑍 𝑘)/2

where 𝑍

𝑘 is any sample contributing to 𝑙𝒅.

How Many Vectors Do We Get?

May drop to 𝑁 2

𝑜 2 after a single step!

𝑁 ≔ # input vectors # output vectors ≈ 𝑁 ⋅

𝒅 Pr 𝐸ℒ,𝑡∈𝒅

2

max

𝒄

Pr[𝐸ℒ,𝑡∈𝒄]

Worst case bound: probability is at least 1 |support|.

How Many Vectors Do We Get?

𝜍𝑡 ℒ ≔ 𝑧∈ℒ 𝑓−

𝑧 𝑡 2

How Many Vectors Do We Get?

𝜍𝑡 ℒ ≔ 𝑧∈ℒ 𝑓−

𝑧 𝑡 2

max

𝒅

𝜍𝑡(2ℒ + 𝐝) = 𝜍𝑡(2ℒ)

Setting 𝑁 ≈ 2𝑜 gives

Recall that we only need 1.38𝑜 samples to solve SVP!

How Many Vectors Do We Get?

𝜍𝑡 ℒ ≤ 2

𝑜 2𝜍 𝑡 2(ℒ)

Key Estimates

Poisson summation formula: “nice” function 𝑔 𝑧∈ℒ 𝑔 𝑧 + 𝐮 =

1 det(ℒ) 𝑦∈ℒ∗

𝑔 𝑦 𝑓2𝜌𝑗〈𝑦,𝐮〉 Plug in 𝑓−𝜌

𝑦 𝑡 2:

𝜍𝑡 ℒ + 𝐮 =

𝑡𝑜 det(ℒ) 𝑦∈ℒ∗ 𝑓−𝜌 𝑡𝑦 2 𝑓2𝜌𝑗〈𝑦,𝐮〉

𝜍𝑡 ℒ =

𝑡𝑜 det(ℒ) 𝜍 1 𝑡(ℒ∗)

Key Estimates

𝜍𝑡 ℒ + 𝐮 =

𝑡𝑜 det(ℒ) 𝑦∈ℒ∗ 𝑓−𝜌 𝑡𝑦 2 𝑓2𝜌𝑗〈𝑦,𝐮〉

𝜍𝑡 ℒ =

𝑡𝑜 det(ℒ) 𝜍 1 𝑡(ℒ∗)

Corollary 1: max

𝐮

𝜍𝑡 ℒ + 𝐮 = 𝜍𝑡(ℒ) Corollary 2: 𝜍𝛽𝑡 ℒ ≤ 𝛽𝑜𝜍𝑡(ℒ) for 𝛽 ≥ 1.

Final Algorithm

1. Use GPV to get ≈ 2𝑜 samples from 𝐸ℒ,𝑡 with 𝑡 ≫ 𝜇1(ℒ).

• 2. Run the (“squaring”) discrete Gaussian combiner on the result

repeatedly.

• 3. Output ≈ 2𝑜/2 samples from 𝐸ℒ,𝑡 with 𝑡 ≈

𝜇1(ℒ) 𝑜.

• 4. We can then simply output a shortest non-zero vector from our

samples. SVPSolver(ℒ)

Act II: The Closest Vector Problem

dist(𝐮, ℒ) 𝑧

Closest Vector Problem (CVP)

Given: Lattice basis 𝐶 𝜗 ℚ𝑜×𝑜, target 𝐮 𝜗 ℚ𝑜. Goal: Compute 𝑧 𝜗 ℒ(𝐶) minimizing 𝐮 − 𝑧 .

ℒ

𝐮

CVP seems to be the harder problem: there is a dimension preserving reduction from SVP to CVP [GMSS99].

Closest Vector Problem (CVP)

Time CVP? Deterministic? [Kan86,HS07,MW15] (Enumeration)

𝑜𝑃(𝑜)

Yes Yes [AKS02, BN09, HPS11, …] (Sieving)

2𝑃(𝑜)

Approximate No [MV10b] (Voronoi cell)

22𝑜+𝑝(𝑜)

Yes Yes [ADRS15] (Discrete Gaussian)

2𝑜+𝑝(𝑜)

Approximate No [ADS15]

2𝑜+𝑝(𝑜)

Yes No

Algorithms for CVP

Disclaimer

The algorithm is quite complicated, so the following is a over-simplified high level sketch.

The Discrete Gaussian Distribution

The Discrete Gaussian Distribution

The Discrete Gaussian Distribution

The Discrete Gaussian Distribution

The Discrete Gaussian Distribution

The Discrete Gaussian Distribution

The Discrete Gaussian Distribution

The Discrete Gaussian Distribution

closest vectors!

The Discrete Gaussian Distribution

CVP trivially reduces to sampling from the discrete Gaussian distribution 𝐸ℒ,𝐮,𝑡 for a small enough parameter 𝑡.

“Rotation” Identity Generalizes

Great! So, we just need to run the squaring combiner and we’re done! Right!?

• The [GPV08] sampler does work for sampling shifted 𝐸ℒ,𝐮,𝑡,

but given basis 𝑐1, … 𝑐𝑜 for ℒ, it requires 𝑡 ≳ max

𝑗

𝑐𝑗 .

• When 𝐮 = 0, we can just throw out 𝑐𝑗 , with 𝑐𝑗

≫ 𝑡, effectively setting these coordinates to 0.

• When 𝐮 ≠ 0, we may not be able to do this.
• So, we must initialize with 𝑡 ≳ dist(𝐮, ℒ).

Even if apply the combiner 𝑜 times, we can

• nly sample at 𝑡 ≈ 2−𝑜dist(𝐮, ℒ).

Initialization Issues

Going from 𝑡 → 𝑡 2: Centered (𝐮 = 0):

𝜍

𝑡 2 ℒ 2

𝜍𝑡 ℒ 𝜍

𝑡 2(ℒ)

General 𝐮:

𝜍

𝑡 2(ℒ)𝜍 𝑡 2(ℒ−𝐮)

𝜍𝑡 ℒ max

𝒅∈ℒ/2ℒ 𝜍𝑡(𝒅−𝐮)

No obvious “magical cancelation”.

Combiner Loss Factor

Combiner Loss Factor

Theorem: Combiner loss going from 𝑡 → 𝑡𝑙 ≔ 𝑡2−𝑙/2 is no worse than

2−𝑜 max

𝒅∈ℒ/2ℒ Pr[𝐸ℒ,𝐮,𝑡𝑙∈𝒅].

If we start with 2𝑜+𝑝(𝑜) samples, we always “see” the heaviest coset at each stage.

Exact vs Approximate CVP

Shell of approx closest vectors Sphere of closest vectors

Can have arbitrarily many approximate closest vector for any 𝛿 > 1 !!

We Need Small Parameters

The reduction from CVP to DGS needs 𝑡 ≪ 𝜇1 ℒ , but we can only handle 𝑡 ≈ 2−𝑜 ⋅ dist(𝐮, ℒ).

For such parameters, we obtain approximate solutions with unreasonably good approximation factor 𝛿 ≈ 1 + 2−𝑜, but not exact solutions.

𝐮

Hope for exact CVP

For 𝛿 ≾ 1 + 1/𝑜, 𝛿-approximate closest vectors lie lower dimensional subspaces.

ℒ 2 lattice subspaces

To apply recursion, need to identify them and show that there are not too many. 2𝑜+𝑝(𝑜) time ≔ at most 2 sub-problems per dimension!

Clusters

Claim: There are at most 2𝑜 exact closest vectors. Sphere containing the closest vectors Must lie in different cosets of ℒ/2ℒ.

Clusters

Claim: The approximate closest vectors are contained in 2𝑜 ``clusters’’ of small diameter. Shell containing the approximate closest vectors Sphere containing the closest vectors 𝒗 𝒘

Clusters

Claim: 1 + 𝜗2 approx. CVP sols 𝑣 and 𝑤. 𝑤 − 𝑣 ∈ 2ℒ implies 𝑤 − 𝑣 ≤ 2𝜗 ⋅ dist(𝐮, ℒ). 𝒗 𝒘

𝑒 1 + 𝜗2 ⋅ 𝑒

Clusters

Claim: 1 + 𝜗2 approx. CVP sols 𝑣 and 𝑤. 𝑤 − 𝑣 ∈ 2ℒ implies 𝑤 − 𝑣 ≤ 2𝜗 ⋅ dist(𝐮, ℒ). 𝑤 − 𝑣 2 = 2 𝑤 − 𝐮 2 + 2 𝑣 − 𝐮 2 −4 𝑤 + 𝑣 2 − 𝐮 2 ≤ 4 1 + 𝜗2 ⋅ dist 𝐮, ℒ 2 −4 ⋅ dist 𝐮, ℒ 2 = 4𝜗2 ⋅ dist 𝐮, ℒ 2

Taking advantage of clusters

“nearly orthogonal” basis 𝑐1, … , 𝑐𝑜 of ℒ (lengths in approx. non-decreasing order) 1 + 2−𝑜 approx CVP sols 𝑧1, … , 𝑧𝑂 for 𝐮. 𝑧𝑘 = 𝑗 𝑏𝑗,𝑘𝑐𝑗 ∀𝑘 Theorem: ∃𝑙 such that last 𝑙 coefficients { 𝑏𝑜−𝑙+1,𝑘, … , 𝑏𝑜,𝑘 : 𝑘 ∈ 𝑂 } come from set of size ≈ 2𝑙.

Recurse on these!

Taking advantage of clusters

Assume: orthogonal lattice ℒ ℒ = { 𝑦1𝑐1, … , 𝑦𝑜𝑐𝑜 : 𝑦 ∈ ℤ𝑜} (0 ≤ 𝑐1 ≤ ⋯ ≤ 𝑐𝑜) 1 + 𝜗2 approx CVP sols 𝑧1, … , 𝑧𝑂 for 𝐮. 𝑧𝑘 = (𝑏1,𝑘𝑐1, … , 𝑏𝑜,𝑘𝑐

𝑘) ∀𝑘

Claim: If 𝑧𝑠 − 𝑧𝑡 ∈ 2ℒ and 𝑐𝑜−𝑙+1 > 𝑜𝜗𝑐𝑜 then 𝑏𝑜−𝑙+1,𝑠, … , 𝑏𝑜,𝑠 = (𝑏𝑜−𝑙+1,𝑡, … , 𝑏𝑜,𝑡)

For 𝜗 = 2−𝑜, all coordinates are fixed by parity unless there are exponential gaps in basis vector lengths. But such gaps can exist….

Taking advantage of clusters

Claim: If 𝑧𝑠 − 𝑧𝑡 ∈ 2ℒ and 𝑐𝑜−𝑙+1 ≥ 𝑜𝜗𝑐𝑜

• 1. dist 𝐮, ℒ ≤

1 2

𝑗 𝑐𝑗

2 ≤ 𝑜 2 𝑐𝑜

• 2. 𝑧𝑠 − 𝑧𝑡

≤ 2 𝜗 dist 𝐮, ℒ ≤ 𝑜 𝜗 𝑐𝑜 < 𝑐𝑜−𝑙+1 If 𝑧𝑠, 𝑧𝑡 differ on any coordinate 𝑗 ∈ {𝑜 − 𝑙 + 1, … , 𝑜} their difference would have norm at least 𝑐𝑜−𝑙+1.

This shows we have at most 2𝑜 clusters each of which is 𝑜 − 𝑙 dimensional, but we need 2𝑙 clusters!!!

Exploiting gaps in basis lengths

Idea: Only match parity on “high order bits”. 𝑐1 𝑐2 𝑐3 𝑐4 … 𝑐𝑜−𝑙+1 … 𝑐𝑜

Exploiting gaps in basis lengths

Idea: Only match parity on “high order bits”. 𝑐1 𝑐2 𝑐3 𝑐4 … 𝑐𝑜−𝑙+1 … 𝑐𝑜

Gap

Parity of last 𝑙 coefficients determines these coefficients exactly.

Exploiting gaps in basis lengths

Idea: Only match parity on “high order bits”. 𝑐1 𝑐2 𝑐3 𝑐4 … 𝑐𝑜−𝑙+1 … 𝑐𝑜

Gap

Idea: Can round first 𝑜 − 𝑙 coefficients to desired parity without increasing distance to 𝐮 by much.

Exploiting gaps in basis lengths

𝑐1 𝑐2 𝑐3 … … … 𝑐𝑜−1 𝑐𝑜 What if there are no large gaps?

Exploiting gaps in basis lengths

Idea: Again only match parity on last 𝑙 bits. 𝑐1 𝑐2 𝑐3 … 𝑐𝑜−𝑚+1 … 𝑐𝑜

Gap

𝑐𝑜−𝑙+1 Mostly determined Completely determined Can guarantee 𝑙 is large in this case.

High Level Algorithm

Input: 𝑜-dimensional lattice ℒ and target 𝐮. Output: Closest lattice vectors in ℒ to 𝐮. 1. Compute short basis 𝐶 of ℒ, and number 𝑙 of “high order coordinates”.

• 2. Get many 1 + 2−𝑜 approx. closest vectors via DGS.
• 3. Group them according to last 𝑙 coordinates with

respect to 𝐶 and recurse on each group .

Complexity Sketch

Initialization: (one shot 2𝑜+𝑝(𝑜) time) Compute short basis 𝐶 of ℒ, and number 𝑙 of “high

• rder coordinates” (can compute for each rec. level).

Per level work: (2𝑜+𝑝(𝑜) time) Sample many approx. closest vectors via DGS. Recursion: (≈ 2𝑙 subproblems of dim. 𝑜 − 𝑙) Group them according to last 𝑙 coordinates with respect to 𝐶 and recurse. Total runtime: 2𝑜+𝑝(𝑜)

Key Challenges

Runtime: 1. Getting many DGS samples at low parameters.

• 2. Show last 𝒍 coeffs ≈ determined by their parity.
• 3. Deal with ≈ 𝟑𝒍 subproblems in recursion analysis.

Correctness: Show that we hit last 𝒍 coeffs of an exact closest vector with high probability.

Summary of Results

Discussed in this talk

• 2𝑜+𝑝(𝑜) algorithm for SVP and CVP.
• How to sample 2

𝑜 2 vectors from 𝐸ℒ,𝑡 for any 𝑡 in time 2𝑜+𝑝(𝑜)

Additional results from this work

• 2

𝑜 2+𝑝(𝑜) -time algorithm for sampling 2𝑜/2 vectors above

smoothing.

• 1.93-GapSVP.
• . 422-BDD.

Recent work

• Sampling from DGS reduces to SVP. [Ste16]

(not equivalence because the reduction in the other direction requires 1.38𝑜 𝐸ℒ,𝑡 samples.)

• Other uses for discrete Gaussian sampling at arbitrary

parameters?

• Faster discrete centered Gaussian sampling?
• Strong lower bounds for CVP/SVP assuming SETH (or

something similar)?

• Deterministic / Las Vegas algorithms with same complexity?

Open Questions/Future Work

ℒ 𝑤1 𝑤6 𝑤5 𝑤4 𝑤3 𝑤2

Thanks!