SLIDE 1
Lattice algorithms for the closest vector problem with preprocessing
Thijs Laarhoven
mail@thijs.com http://www.thijs.com/
RISC seminar, Amsterdam, The Netherlands
(May 3, 2019)
Lattices
Basics
Lattice algorithms for the closest vector problem with preprocessing - - PowerPoint PPT Presentation
Lattice algorithms for the closest vector problem with preprocessing - - PowerPoint PPT Presentation
Lattice algorithms for the closest vector problem with preprocessing Thijs Laarhoven mail@thijs.com http://www.thijs.com/ RISC seminar, Amsterdam, The Netherlands (May 3, 2019) Lattices Basics Lattices Basics O Lattices Basics b 2 b 1
SLIDE 2
SLIDE 3
O
Lattices
Basics
SLIDE 4
b1 b2 O
Lattices
Basics
SLIDE 5
b1 b2 O
Lattices
Basics
SLIDE 6
b1 b2 O
Lattices
Volume
SLIDE 7
r1 r2 b1 b2 O
Lattices
Lattice basis reduction
SLIDE 8
b1 b2 O
Lattice problems
Shortest Vector Problem (SVP)
SLIDE 9
b1 b2 O
Lattice problems
Shortest Vector Problem (SVP)
SLIDE 10
b1 b2 t O
Lattice problems
Closest Vector Problem (CVP)
SLIDE 11
t b1 b2 O
Lattice problems
Closest Vector Problem (CVP)
SLIDE 12
t b1 b2 O
Lattice problems
Closest Vector Problem (CVP)
SLIDE 13
t b1 b2 O
Lattice problems
SVP/CVP asymptotics
Algorithm log2(Time) log2(Space) Experiments
Worst-case SVP
Enumeration [Poh81, Kan83, ..., MW15, AN17] O(nlogn) O(logn) 152 AKS-sieve [AKS01, NV08, MV10, HPS11] 3.398n 1.985n – Birthday sieves [PS09, HPS11] 2.465n 1.233n – Enumeration/DGS hybrid [CCL17] 2.048n 0.500n – Voronoi cell algorithm [AEVZ02, MV10b, BD15] 2.000n 1.000n 40 Quantum sieve [LMP13, LMP15] 1.799n 1.286n – Quantum enum/DGS [CCL17] 1.256n 0.500n – Discrete Gaussian sampling [ADRS15, ADS15, AS18] 1.000n 1.000n –
Average-case SVP
The Nguyen–Vidick sieve [NV08] 0.415n 0.208n 50 GaussSieve [MV10, ..., IKMT14, BNvdP16, YKYC17] 0.415n 0.208n 130* Triple sieve [BLS16, HK17] 0.396n 0.189n 80 Kleinjung sieve [Kle14] 0.379n 0.189n 116 Leveled sieving [WLTB11, ZPH13] 0.378n 0.283n – Overlattice sieve [BGJ14] 0.377n 0.293n 90 Triple sieve with NNS [HK17, HKL18] 0.359n 0.189n 76 Single filters [DL17, ADH+19] 0.349n 0.246n 155 Hyperplane LSH [Cha02, FBB+14, Laa15, ..., LM18] 0.337n 0.337n 107 Hypercube LSH [TT07, Laa17] 0.322n 0.322n – May–Ozerov NNS [MO15, BGJ15] 0.311n 0.311n – Quantum sieve [LMP13] 0.311n 0.208n – Spherical LSH [AINR14, LdW15] 0.297n 0.297n – Cross-polytope LSH [TT07, AILRS15, BL16, KW17] 0.297n 0.297n 80 Spherical LSF [BDGL16, MLB17, ALRW17, Chr17] 0.292n 0.292n 92 Quantum NNS sieve [LMP15, Laa16] 0.265n 0.265n –
SLIDE 14
b1 b2 O
Lattice problems
Closest Vector Problem with Preprocessing (CVPP)
SLIDE 15
r1 r2 b1 b2 O
Lattice problems
Closest Vector Problem with Preprocessing (CVPP)
SLIDE 16
r1 r2 O
Lattice problems
Closest Vector Problem with Preprocessing (CVPP)
SLIDE 17
r1 r2 O
Lattice problems
Closest Vector Problem with Preprocessing (CVPP)
SLIDE 18
r1 r2 O
Lattice problems
Closest Vector Problem with Preprocessing (CVPP)
SLIDE 19
r1 r2 O t
Lattice problems
Closest Vector Problem with Preprocessing (CVPP)
SLIDE 20
r1 r2 O t v
Lattice problems
Closest Vector Problem with Preprocessing (CVPP)
SLIDE 21
b1 b2 O
Lattice problems
Batch Closest Vector Problem
SLIDE 22
b1 b2 O
Lattice problems
Batch Closest Vector Problem
SLIDE 23
b1 b2 O
Lattice problems
Batch Closest Vector Problem
SLIDE 24
b1 b2 O
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 25
r1 r2 b1 b2 O
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 26
r1 r2 O
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 27
r1 r2 O
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 28
r1 r2 O t
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 29
r1 r2 O t
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 30
r1 r2 O t v
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 31
r1 r2 O t
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 32
r1 r2 O t
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 33
r1 r2 O t v
Babai’s algorithms
Rounding algorithm [Len84, Bab86]
SLIDE 34
r1 r2 O
Babai’s algorithms
Gram-Schmidt orthogonalization
SLIDE 35
r1 r2 O
Babai’s algorithms
Gram-Schmidt orthogonalization
SLIDE 36
r1 r2 O
Babai’s algorithms
Gram-Schmidt orthogonalization
SLIDE 37
r1
*
r2
*
O
Babai’s algorithms
Gram-Schmidt orthogonalization
SLIDE 38
r1
*
r2
*
O
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 39
r1
*
r2
*
O
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 40
r1
*
r2
*
O t
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 41
r1
*
r2
*
O t
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 42
r1
*
r2
*
O t
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 43
r1
*
r2
*
O t v
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 44
r1
*
r2
*
O t
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 45
r1
*
r2
*
O t
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 46
r1
*
r2
*
O t v
Babai’s algorithms
Nearest plane algorithm [Bab86]
SLIDE 47
r1
*
r2
*
O t v
Babai’s algorithms
Overview
- Preprocessing: find a short basis (2O(n) time, poly(n) space)
SLIDE 48
r1
*
r2
*
O t v
Babai’s algorithms
Overview
- Preprocessing: find a short basis (2O(n) time, poly(n) space)
- Query: round-off or nearest-planes (poly(n) time)
SLIDE 49
r1
*
r2
*
O t v
Babai’s algorithms
Overview
- Preprocessing: find a short basis (2O(n) time, poly(n) space)
- Query: round-off or nearest-planes (poly(n) time)
- Strengths: fast and simple algorithms
SLIDE 50
r1
*
r2
*
O t v
Babai’s algorithms
Overview
- Preprocessing: find a short basis (2O(n) time, poly(n) space)
- Query: round-off or nearest-planes (poly(n) time)
- Strengths: fast and simple algorithms
- Limitations: does not always solve CVPP
SLIDE 51
O
Voronoi cells
Round-off tiling
SLIDE 52
O
Voronoi cells
Nearest-plane tiling
SLIDE 53
O
Voronoi cells
Voronoi tiling
SLIDE 54
O
Voronoi cells
Relevant vectors
SLIDE 55
r1 r2 r3 r4 r5 r6 O
Voronoi cells
Relevant vectors
SLIDE 56
r1 r2 r3 r4 r5 r6 O
Voronoi cells
Relevant vectors
SLIDE 57
O
Voronoi cells
Relevant vectors
SLIDE 58
O
Voronoi cells
Relevant vectors
SLIDE 59
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 60
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 61
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 62
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 63
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 64
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 65
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 66
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 67
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 68
O
Voronoi cells
Iterative slicer [SFS09]
SLIDE 69
O
Voronoi cells
Overview
- Preprocessing: find the relevant vectors (22n+o(n) time, 2n+o(n) space [MV10])
SLIDE 70
O
Voronoi cells
Overview
- Preprocessing: find the relevant vectors (22n+o(n) time, 2n+o(n) space [MV10])
- Query: reduce with the relevant vectors (2n+o(n) time [BD15])
SLIDE 71
O
Voronoi cells
Overview
- Preprocessing: find the relevant vectors (22n+o(n) time, 2n+o(n) space [MV10])
- Query: reduce with the relevant vectors (2n+o(n) time [BD15])
- Strengths: provably solves CVPP for arbitrary targets and lattices
SLIDE 72
O
Voronoi cells
Overview
- Preprocessing: find the relevant vectors (22n+o(n) time, 2n+o(n) space [MV10])
- Query: reduce with the relevant vectors (2n+o(n) time [BD15])
- Strengths: provably solves CVPP for arbitrary targets and lattices
- Limitations: large time and memory requirements
SLIDE 73
O
Approximate Voronoi cells
Decrease list size
SLIDE 74
v1 v2 v3 v4 O
Approximate Voronoi cells
Decrease list size
SLIDE 75
v1 v2 v3 v4 O
Approximate Voronoi cells
Decrease list size
SLIDE 76
v1 v2 v3 v4 O
Approximate Voronoi cells
Decrease list size
SLIDE 77
O
Approximate Voronoi cells
Decrease list size
SLIDE 78
O
Approximate Voronoi cells
Improper tiling
SLIDE 79
O
Approximate Voronoi cells
Improper tiling
SLIDE 80
O
Approximate Voronoi cells
Improper tiling
SLIDE 81
O
Approximate Voronoi cells
Improper tiling
SLIDE 82
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 83
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 84
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 85
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 86
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 87
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 88
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 89
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 90
O
Approximate Voronoi cells
Iterative slicer [SFS09]
SLIDE 91
O
Approximate Voronoi cells
Randomized slicer
SLIDE 92
O
Approximate Voronoi cells
Randomized slicer
SLIDE 93
O
Approximate Voronoi cells
Randomized slicer
SLIDE 94
O
Approximate Voronoi cells
Randomized slicer
SLIDE 95
O
Approximate Voronoi cells
Randomized slicer
SLIDE 96
Approximate Voronoi cells
Randomized slicer
SLIDE 97
Approximate Voronoi cells
Randomized slicer
SLIDE 98
Approximate Voronoi cells
Estimating the volume [Laa16, DLW19]
Lemma (Good approximations, with heuristics)
Let L consist of the αn+o(n) shortest vectors of a lattice L, with α ≥
- 2 + o(1). Then:
vol(VL) vol(V) = 1 + o(1). (1)
Lemma (Arbitrary approximations, with heuristics)
Let L consist of the αn+o(n) shortest vectors of a lattice L, with α ∈ (1.03396,
- 2). Then:
vol(VL) vol(V) ≤
- 16α4
α2 − 1
- −9α8 + 64α6 − 104α4 + 64α2 − 16
n/2+o(n) . (2)
SLIDE 99
Approximate Voronoi cells
Results for CVPP
SLIDE 100
Approximate Voronoi cells
Results for BDDP
SLIDE 101
Approximate Voronoi cells
Overview
- Preprocessing: find many short vectors (2O(n) time, 2O(n) space)
SLIDE 102
Approximate Voronoi cells
Overview
- Preprocessing: find many short vectors (2O(n) time, 2O(n) space)
- Query: (randomized) reduction with short vectors (2O(n) time [Laa16, DLW19])
SLIDE 103
Approximate Voronoi cells
Overview
- Preprocessing: find many short vectors (2O(n) time, 2O(n) space)
- Query: (randomized) reduction with short vectors (2O(n) time [Laa16, DLW19])
- Strengths: efficient method for hard CVPP instances
SLIDE 104
Approximate Voronoi cells
Overview
- Preprocessing: find many short vectors (2O(n) time, 2O(n) space)
- Query: (randomized) reduction with short vectors (2O(n) time [Laa16, DLW19])
- Strengths: efficient method for hard CVPP instances
- Limitations: does not scale well for BDDP instances
SLIDE 105
O
Dual approach
Dual lattices
SLIDE 106
O
Dual approach
Dual lattices
SLIDE 107
O
Dual approach
Distinguisher
L∗ = {x ∈ n : 〈x,v〉 ∈ ,∀v ∈ L}
- Primal target vector t = v + e with v ∈ L
- Short dual vector v∗ ∈ L∗
- Distinguisher:
〈t,v∗〉 mod 1 = 0 if e = 0; 〈t,v∗〉 mod 1 ≈ 0 if e ≈ 0 and v∗ small; 〈t,v∗〉 mod 1 ∼ U(− 1
2, 1 2)
if e ≫ 0.
SLIDE 108
O
Dual approach
Overview
- Preprocessing: find many short dual vectors (2O(n) time, 2O(n) space)
SLIDE 109
O
Dual approach
Overview
- Preprocessing: find many short dual vectors (2O(n) time, 2O(n) space)
- Query: distinguish based on dot products modulo 1
SLIDE 110
O
Dual approach
Overview
- Preprocessing: find many short dual vectors (2O(n) time, 2O(n) space)
- Query: distinguish based on dot products modulo 1
- Strengths: smooth trade-offs for BDDP
SLIDE 111
O
Dual approach
Overview
- Preprocessing: find many short dual vectors (2O(n) time, 2O(n) space)
- Query: distinguish based on dot products modulo 1
- Strengths: smooth trade-offs for BDDP
- Limitations: traditionally only solves decisional BDD(P)
SLIDE 112
O
Conclusion
Summary
Babai’s algorithms
- Fast and simple algorithms
- Targets must lie close to the lattice
Voronoi cells
- Provable, deterministic algorithm
- Requires 2n+o(n) time and space
Approximate Voronoi cells
- Heuristic alternative to exact Voronoi cells
- Nearest neighbor speed-ups
- Does not scale well for BDDP
Dual approach
- Distinguisher using short dual vectors
- Works better when target is somewhat close to lattice
- Traditionally only solves decisional problem
SLIDE 113
O
Conclusion
Open problems / Work in progress
Approximate Voronoi cells
- Eliminate lower bound on space complexity
- Improve upper bound on volume ratio
- Apply other nearest neighbor techniques
Dual approach
- Analyze method heuristically
- Efficient conversion to search-CVPP
- Find cross-over point with other methods