Example: Consider
         
2
0
0
0
1
0 2 0 0 1
         
         
L = L(b1 , . . . , bd ) = L 
0 , 0 , 2 , 0 , 1 .
0 0 0 2 1
0
0
0
0
1
√
�
We have ||bi || = 2 for i = 1, . . . , 4, but ||b5 || = 5 > 2. Since b�5 := 2b5 − 4i=1 bi =
(0, 0, 0, 0, 2)T ∈ L, we know that λ1/2/3/4/5 = 2.
Another question is: What happens if we take the basis C := (b1 , . . . , b4 , b�5 )? Can
we achieve L(B) = L(C)? The answer is “No.”, because b5 �∈ L(C), what in particular
means that there is no unimodular matrix T ∈ GLd (Z) with BT = C (since b�5 = 2b5 . . .).
Now we come to the definitions of the most important lattice problems.
Definition ((γ-)SVP): The (approximate) shortest vector problem (γ-)SVP for γ ≥ 1
with
is defined as follows: Let L ⊆ Rn be a lattice. Find x ∈
� L�\ {0} �
� ||x|| ≤ (γ)λ1 (L).
1
0
Example: For an example consider the lattice L =
Z+
Z. The SVP leads
1
1
�� � � � � � � ��
0
0
1
−1
to the solution(s) x ∈
,
,
,
. So we see that the solution is not
1
−1
0
0
unique. There are at least two solutions v, −v.
Definition ((γ-)CVP): The (approximate) closest vector problem (γ-)CVP is defined as
follows: Let L ⊆ Rn be a lattice and t ∈ spanR (L). Find x ∈ L with ||t−x|| ≤ (γ)||t−w||
for all w ∈ L.
Example: Consider Figures 11 and 12.
t
b1
b1
0
0
t
b2
b2
Figure 12: No unique solution
for the CVP
Figure 11: Unique solution for
the CVP
We see that in Figure 12 we have L =
� �
� �
� �
1
1
1
Z+
Z and for t =
we do not
1
−1
0
obtain a unique solution for the CVP.
Definition ((γ-)SIVP): The (approximate) shortest independent vector problem (γ)SIVP is defined as follows: Let L ⊆ Rn be a lattice with dim (L) = d. Find v1 , . . . , vd
linearly independent such that max{||v1 ||, . . . , ||vd ||} ≤ (γ)λd (L).
25
In general, we do not know the values of λi (L) in advance and thus we cannot prove
the correctness of a “solution”. Still, we want to be able to make a statement about the
relative length of a vector or about the quality or “reducedness” of a basis.
For this purpose we use the Hermite-SVP.
Definition (Hermite-SVP): Given a lattice L ⊆ Rn with dim (L) = d and γ > 0. Find
x ∈ L \ {0} with ||x|| ≤ γ d det (L)1/d .
Example: Interestingly, easy and hard instances of this problem are very close solvable.
For γ = 1.02 the Hermite-SVP is solvable in practice, even in higher dimensions, but
for γ = 1.01 it becomes intractable for large d, say d ≥ 500. (It also depends on the
structure of L.)
Whether these problems are efficiently solvable, i.e. in polynomial time in n, depends
on the input description (basis) B of L: Therefore consider the following Figure 13.
0
hard
easy
0
do something
read off
Figure 13: The hardness of the problems relies on the size of the basis
If the vectors in B are short and almost orthogonal, we can basically read off the solutions. But if the basis consists of long vectors, it is harder and we have to “do something”
to solve those problems. Now we turn to what this “do something” is.
7. Lattice (Basis) Reduction
We start with lattices L ⊆ Rn of dimension d = 2 as there is a polynomial-time algorithm
in the input size that solves SVP (and others).
Since Gauß and Lagrange developed the same idea independently, the algorithm can be
called “Gauß algorithm” or “Lagrange algorithm”. This shall just be a remark for you
not to be confused reading the same algorithm in different papers with different names.
We will call it Gauß reduction algorithm here.
The Gauß reduction algorithm consists of two steps, called Normalize and Swap, that are
iterated until a certain condition holds.
26
• Normalize:
For Normalize, we require the Gram-Schmidt orthogonalization (GSO) that is computed with the GS-process.
. The GS-process does the
Definition: Given a matrix B = (b1 , . . . , bd ) ∈ Rn×d�
following: Set b̃1 := b1 and recursively define b̃i := bi − i−1
j=1 µi,j b̃j for i ≥ 2, where
�
�
bi , b̃j
the µi,j :=
denote the Gram-Schmidt coefficients.
||b̃j ||2
Example: Consider the two vectors b1 , b2 as in Figure 14.
b1
~
b2
b2
~
b1 = b1
Figure 14: Proceedings in the GS-process
The vector b1 stays the same (b̃1 := b1 ), but the second vector b2 is projected onto
the orthogonal space b⊥
1 of b1 . The output of the GS-process thus is B̃ := (b̃1 , b̃2 ).
An alternative notation that will be helpful later is that of orthogonal projections
of the basis B = (b1 , . . . , bd ) via πi : Rd → span (b1 , . . . , bi−1 )⊥ , in which we have
the special case of πi (bi ) = b̃i .
The GS-process can shorten and orthogonalize vectors. Why can we not just use
it to find an orthogonal basis of L = L(B) or its shortest vector? The answer is
that the process does not necessarily yield lattice vectors. It does not respect or
preserve the structure of the lattice. In particular, the matrix that corresponds to
πi is not unimodular.
But, it can be used as a guiding principle.
Normalize(b1 , b2 )
Input: b1 , b2 ∈ L with ||b1 || ≤ ||b2 ||
Output: b� ∈ L where b� := b2 − �µ2,1 � b1
When |µ2,1 | < 12 , nothing happens and we cannot improve b2 with b1 any further.
Observe that, after Normalize(b1 , b2 ), we have
2
�b� , b1 � = �b2 − �µ2,1 � b1 , b1 � = �xb⊥
1 + yb1 − �y� b1 , b1 � = (y − �y�)||b1 || ,
since one can write b2 as b2 = xb⊥
1 + yb1 because b1 , b2 are linearly independent.
The observation leads to another
27
b1
-b1
b2
new
b2
1
2
b1
Figure 15: Proceedings during the Normalize-step
1
Fact: After the Normalize-step we have |µnew
2,1 | ≤ 2 .
For the angle this means |∠(b1 , b2 )| ∈ [60◦ , 120◦ ], which is an easy task for the
reader to do him-/herself at home (using the cosine will help).
Definition: A normalized basis B ∈ Rn×d for d ∈ N is size-reduced iff |µi,i−1 | <
for i = 2, . . . , d.
1
2
This definition leads to the question: Why is Normalize not enough? To see this
we give another
� �
� �
3
6
�
and b2 :=
. We obtain µ2,1 = 46
Example: Let b1 :=
25 and thus b2 :=
4
7
� � � �
� �
6
3
0
1
−2
=
. Now, we have |µnew
b2 − �µ2,1 �b1 =
2,1 | ≤ 2 , but we see that
7
4
−1
we can shorten b1 with b�2 .
• Swap:
Therefore, we need the second operation Swap which switches the two vectors via
(b1 , b2 ) �→ (b2 , b1 ).
If we now have ||b1 || ≤ ||b2 ||, we can call Normalize again.
� � � �
0
3
Example: In the example above, we call Normalize with (
,
) and thus
−1
4
� � � �
� �
� � 0
3
3
=
.
obtain b�2 =
− −4
1
−1
0
4
After a polynomially bounded number (in the input length) of iterations of
Normalize; Swap;
28
we have ||b1 || ≤ ||b2 || and |µ2,1 | ≤ 12 and we can stop and obtain a so-called Gaußreduced basis B = (b1 , b2 ). This is because |µ2,1 | < 12 implies that we cannot
improve b2 with b1 . For |µ2,1 | = 12 , we would swap back and forth without actually
improving the lengths. In addition, swapping does not help because ||b2 || ≥ ||b1 ||.
Thus, adding b2 to b1 would only make the basis worse.
The Gauß reduction algorithm becomes
Gauß:
Input: basis (vectors) b1 , b2 ∈ L with L = L(b1 , b2 ) and ||b1 || ≤ ||b2 ||
Output: a Gauß-reduced basis b�1 , b�2 ∈ L with L = L(b�1 , b�2 )
while |µ2,1 | > 12 do
Normalize: b2 := b2 − �µ2,1 � b1
if ||b2 || < ||b1 || then Swap b1 and b2
return (b1 , b2 )
An important fact about the time needed for the Gauß reduction algorithm is the following:
�
�
Fact: The Gauß algorithm runs in time O (bitsize(B))2 .
And another fact is
Fact: The Gauß reduction algorithm finds b1 , b2 ∈ L where L = L(b1 , b2 ) with λ1 (L) =
||b1 || and λ2 (L) = ||b2 || which is the best possible.
Proposition: Given a basis B of L = L(B). Then the Gauß algorithm on input B
outputs a basis C with L = L(B) = L(C).
Proof : This is clear since the steps Normalize and Swap only perform unimodular operations. The detailed proof is left to the reader as an exercise.
The Gauß reduction algorithm can be generalized to lattice dimensions d ≤ 4 (non trivial!). Beyond that, this simple framework breaks down and we need a more sophisticated
approach.
8. Lattices in a post-quantum world
We want to consider the question: Why are lattice problems good for post-quantum
cryptography? This is due to the fact that SVP is N P-hard.
But, why is this a good reason for believing in the security of cryptographic schemes?
Consider the problem of factoring: Is factoring N P-hard? Of course, factoring is in
N P and the language to describe factoring is C := {(n, c) : n has a factor ≤ c}. Now
C ∈ P iff factoring is in P, since N − C = P ∪ {1}, so that there would be a polynomial
time algorithm for deciding whether a string s ∈ P or not. If we assume that C is
N P-complete, we can conclude P = N P. But, in cryptography we hope that P �= N P
(so that C is not N P-complete).
When you construct cryptosystems based on (N P-complete) problems you have to find
a way of constructing hard instances of the problem.
29