𝑛
Solving CVP in 2 time
via Discrete Gaussian Sampling
Divesh Aggarwal
École Polytechnique Fédérale de Lausanne (EPFL)
Daniel Dadush
Centrum Wiskunde en Informatica (CWI)
Noah Stephens-Davidowitz
New York University (NYU)
Mathematics of Cryptography
Simons Institute 2015
Lattices
A lattice ℒ ⊆ ℝ𝑛 is all integral
combinations of some basis
B = 𝑏1 , … , 𝑏𝑛 .
ℒ(𝐵) denotes lattice
generated by 𝐵.
Define 𝐵 = max 𝑏𝑖 .
𝑖
𝑏2
𝑏1
ℒ
Closest Vector Problem (CVP)
Given: Lattice basis 𝐵 𝜖 ℚ𝑛×𝑛 , target 𝑡 𝜖 ℚ𝑛 .
Goal: Compute 𝑦 𝜖 ℒ(𝐵) minimizing 𝑡 − 𝑦
𝑦
𝑡
ℒ
2.
Applications of SVP & CVP
Optimization: Integer and Linear Programming
Number Theory: Factoring Polynomials, Number Field Sieve
Communication Theory: Decoding Gaussian Channels
Database Search: Approximate Nearest Neighbor Search
Cryptanalysis: RSA with Small Exponent, Knapsack Crypto Systems
Cryptography: Lattice based Crypto (hardness of LWE / SIS)
Hardness of CVP
𝛼-SVP ≤ 𝛼-CVP (CVP is the ``hardest’’ lattice problem)
1
𝑛𝑐/log log 𝑛
NP-Hard
𝑛 log 𝑛
𝑛
NP ∩ coAM NP ∩ coNP
2𝑐𝑛 log log 𝑛
P
log 𝑛
Main Result
Method
Basis
Reduction
Apx
𝑛
𝑂 𝑘
𝑘
1
Time
Space
22𝑘 poly 𝑛 2𝑘 poly(𝑛)
𝑛𝑛/2
2𝑛
LLL 83, Kan. 87,
…, HS 08
1 𝑛
𝑂(𝑛)
2
𝜖
AKS 01, AKS 02,
BN 07, …
1+𝜖
Voronoi Cell
1
22𝑛
2𝑛
Discrete
Gaussian
1
2𝑛
2𝑛
𝜖
LLL 83, Sch. 85,
Bab. 86, MV 10
poly(𝑛)
Randomized
Sieve
2𝑂(𝑛) 1
Authors
SFS 09, MV 13
ADS 15
Outline
1. Approximate CVP via (shifted) DGS sampling.
Relation between parameter and approx. factor.
2. A shifted DGS sampler.
Number of samples we can generate at desired
parameters.
3. Sample clustering & recursion for exact CVP.
Learning the coordinates of a closest vector.
Shifted Discrete Gaussian
𝜌𝑠 𝐴 ≔
𝑦∈𝐴 𝑒
−𝜋 𝑦 𝑠 2
.
𝐷ℒ−𝑡,𝑠 ≔ discrete Gaussian distribution over
ℒ − 𝑡 with parameter 𝑠,
Pr
𝑋∼𝐷ℒ−𝑡,𝑠
𝑋=𝑦 =
𝜌𝑠 (𝑦)
for 𝑦
𝜌𝑠 (ℒ−𝑡)
∈ ℒ − 𝑡.
Shifted Discrete Gaussian
𝑠 = 10
𝑠=4
The discrete Gaussian
is more concentrated
as the parameter
decreases.
Discrete Gaussian and CVP
Closest vectors to 𝑡 in ℒ correspond to
shortest vectors in ℒ − 𝑡.
Question: Can we hit closest vectors by sampling from
𝐷ℒ−𝑡,𝑠 for small enough 𝑠?
Discrete Gaussian and CVP
Problem: Can have arbitrarily many approximate
closest vectors!
Let 𝑑 ℒ, 𝑡 = min 𝑦 − 𝑡 denote distance of ℒ to 𝑡.
𝑦∈ℒ
𝑡
𝑑 (1+𝜖)𝑑
ℒ
Discrete Gaussian and CVP
Problem: Have little chance that 𝐷ℒ−𝑡,𝑠 hits a
closest vector unless 𝑠 is tiny.
𝑡
𝑑 (1+𝜖)𝑑
ℒ
Approximate CVP via DGS
Lemma: For 𝑋 ∼ 𝐷ℒ−𝑡,𝑠 , if 𝑑 ≤ 2𝑛 𝑠, then
2
2
2
−𝑛2
Pr ‖𝑋‖ ≥ 𝑑 + 𝑠𝑛
≤𝑒 .
Note
𝑑2
+ 𝑠𝑛
2
𝑡
≤𝑑 1+
𝑑
𝑠𝑛
𝑑
𝑑 2 + 𝑠𝑛
2
ℒ
Approximate CVP via DGS
To get 1 + 𝜖 -approximate closest vector to 𝑡
it suffices to sample once from 𝐷ℒ−𝑡,𝑠 for 𝑠 ≤ 𝜖𝑑
.
𝑛
𝑡
𝑑
𝑑 2 + 𝑠𝑛
2
ℒ
Hermite-Korkine-Zolotarev Basis
For a basis 𝐵 = (𝑏1 , … , 𝑏𝑛 ), define the projections
𝜋𝑖 ≔ orthog. projection onto span 𝑏1 , … , 𝑏𝑖−1 ⊥ .
Define the GSO 𝐵 = (𝑏1 , … , 𝑏𝑛 ) of 𝐵 by
𝑏𝑖 = 𝜋𝑖 𝑏𝑖 for 𝑖 ∈ [𝑛].
𝐵 is a Hermite-Korkine-Zolotarev (HKZ)
basis for ℒ if 𝑏𝑖 = 𝜆1 (𝜋𝑖 ℒ ) for 𝑖 ∈ [𝑛].
Computable with 𝑛 calls to an SVP oracle.
Shifted DGS Sampler
Theorem: ℒ an 𝑛-dimensional lattice, 𝑡 ∈ ℝ𝑛 ,
and 𝑠 ≥ 2−𝑜 𝑛 log 𝑛 𝐵 .
There is an algorithm which generates at least
𝜌𝑠 ℒ−𝑡
max
𝑐∈ℒ/2ℒ 𝜌𝑠 𝑐−𝑡
≥ 1 samples
with joint distribution 𝜖-close to i.i.d. 𝐷ℒ−𝑡,𝑠
𝑛+𝑜(𝑛)
in time 2
−𝑛𝑂(1)
for any 𝜖 = 2
.
Can hit all “high weight” cosets in ℒ / 2ℒ.
Shifted DGS Sampler
Theorem: ℒ an 𝑛-dimensional lattice, 𝑡 ∈ ℝ𝑛 ,
and 𝑠 ≥ 2−𝑜 𝑛 log 𝑛 𝐵 .
There is an algorithm which generates at least
𝜌𝑠 ℒ−𝑡
max
𝑐∈ℒ/2ℒ 𝜌𝑠 𝑐−𝑡
≥ 1 samples
with joint distribution 𝜖-close to i.i.d. 𝐷ℒ−𝑡,𝑠
𝑛+𝑜(𝑛)
in time 2
If 𝑑 ℒ, 𝑡 ≥
𝐵
poly(𝑛)
−𝑛𝑂(1)
for any 𝜖 = 2
gives (1 + 2−𝑜
𝑛 log 𝑛
.
)-approx!
Shifted DGS Sampler
Theorem: ℒ an 𝑛-dimensional lattice, 𝑡 ∈ ℝ𝑛 ,
and 𝑠 ≥ 2−𝑜 𝑛 log 𝑛 𝐵 .
There is an algorithm which generates at least
𝜌𝑠 ℒ−𝑡
max
𝑐∈ℒ/2ℒ 𝜌𝑠 𝑐−𝑡
≥ 1 samples
with joint distribution 𝜖-close to i.i.d. 𝐷ℒ−𝑡,𝑠
𝑛+𝑜(𝑛)
in time 2
−𝑛𝑂(1)
for any 𝜖 = 2
.
More importantly, will suffice to solve exact CVP.
Averaging Discrete Gaussians
Let 𝑡1 , 𝑡2 ∈ ℝ𝑛 , 𝑡 + = 𝑡1 + 𝑡2 2, 𝑡 − = 𝑡1 − 𝑡2 2.
Then for 𝑋1 ∼ 𝐷ℒ+𝑡1,𝑠 , 𝑋2 ∼ 𝐷ℒ+𝑡2,𝑠 and 𝑦 ∈ ℒ + 𝑡 + ,
Pr
𝑋1 +𝑋2
2
=𝑦 =
𝜌𝑠 2 𝑦 𝜌𝑠 2 (ℒ+𝑡 − )
.
𝜌𝑠 ℒ+𝑡1 𝜌𝑠 (ℒ+𝑡2 )
Hence 𝑋1 + 𝑋2 2 conditioned on landing in
ℒ + 𝑡 + is distributed as 𝐷ℒ+𝑡 + ,𝑠 2 .
Averaging Discrete Gaussians
Let 𝑡1 , 𝑡2 ∈ ℝ𝑛 , 𝑡 + = 𝑡1 + 𝑡2 2, 𝑡 − = 𝑡1 − 𝑡2
Then for 𝑋1 ∼ 𝐷ℒ+𝑡1,𝑠 , 𝑋2 ∼ 𝐷ℒ+𝑡2,𝑠
Pr
𝑋1 +𝑋2
2
∈ ℒ + 𝑡+ =
=
2.
𝜌𝑠 2 ℒ+𝑡 + 𝜌𝑠 2 (ℒ+𝑡 − )
𝜌𝑠 ℒ+𝑡1 𝜌𝑠 (ℒ+𝑡2 )
𝜌𝑠 𝑐+𝑡1 𝜌𝑠 𝑐+𝑡2
𝑐∈ℒ/2ℒ 𝜌 ℒ+𝑡 𝜌 (ℒ+𝑡 ) .
𝑠
1 𝑠
2
With above identity can show amazing inequalities.
Shifted DGS Combiner
Input: 𝑋1 , … , 𝑋𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠 .
Output: 𝑋1 , … , 𝑋𝐿𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠/ 2 .
Initialization:
Apply SVP solver to compute HKZ basis 𝐵 for ℒ.
Use [GPV08,BLPRS13] sampler on 𝐵 to produce
𝐷ℒ−𝑡,𝑠 samples at 𝑠 = 𝑂
𝐵
in polytime.
Shifted DGS Combiner
Input: 𝑋1 , … , 𝑋𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠 .
Output: 𝑋1 , … , 𝑋𝐿𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠/ 2 .
Meta Procedure: Repeat 𝐿𝑀 times
1. Sample 𝑐 ∈ ℒ/2ℒ with probability
𝜌𝑠 𝑐−𝑡 2
.
2
𝑧∈ℒ/2ℒ 𝜌𝑠 𝑧−𝑡
2. Pick unused 𝑋𝑖 , 𝑋𝑗 ∈ 𝑐 − 𝑡, return (𝑋𝑖 + 𝑋𝑗 )/2.
Shifted DGS Combiner
Input: 𝑋1 , … , 𝑋𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠 .
Output: 𝑋1 , … , 𝑋𝐿𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠/ 2 .
Question: How big can 𝐿 be?
Should at least not exhaust supply on expectation.
2𝜌𝑠 𝑐−𝑡 2
2
𝑧∈ℒ/2ℒ 𝜌𝑠 𝑧−𝑡
𝐿𝑀 ≤
𝜌𝑠 𝑐−𝑡
𝜌𝑠 ℒ−𝑡
𝑀 ∀ 𝑐 ∈ ℒ/2ℒ
Shifted DGS Combiner
Input: 𝑋1 , … , 𝑋𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠 .
Output: 𝑋1 , … , 𝑋𝐿𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠/ 2 .
Question: How big can 𝐿 be?
Worst case for 𝑐 ∗ ∈ ℒ/2ℒ maximizing 𝜌𝑠 𝑐 ∗ − 𝑡 .
2𝜌𝑠 𝑐−𝑡 2
2
𝑧∈ℒ/2ℒ 𝜌𝑠 𝑧−𝑡
𝐿𝑀 ≤
𝜌𝑠 𝑐−𝑡
𝜌𝑠 ℒ−𝑡
𝑀 ∀ 𝑐 ∈ ℒ/2ℒ
Shifted DGS Combiner
Input: 𝑋1 , … , 𝑋𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠 .
Output: 𝑋1 , … , 𝑋𝐿𝑀 i.i.d. samples from 𝐷ℒ−𝑡,𝑠/ 2 .
Question: How big can 𝐿 be?
Worst case for 𝑐 ∗ ∈ ℒ/2ℒ maximizing 𝜌𝑠 𝑐 ∗ − 𝑡 .
𝐿≤
2
𝜌
𝑧−𝑡
𝑠
𝑧∈ℒ 2ℒ
2𝜌𝑠 𝑐 ∗ −𝑡 𝜌𝑠 ℒ−𝑡
=
𝜌𝑠 2 ℒ 𝜌𝑠 2 (ℒ−𝑡)
2𝜌𝑠 𝑐 ∗ −𝑡 𝜌𝑠 ℒ−𝑡
Shifted DGS Combiner
Let 𝑠𝑘 = 𝑠
𝑘
2 , 𝑐𝑘∗ ∈ ℒ/2ℒ maximizes 𝜌𝑠𝑘 𝑐𝑘∗ − 𝑡 .
Theorem: The loss after 𝑘 steps
𝜌𝑠𝑘 ℒ 𝜌𝑠𝑘 (ℒ−𝑡)
∗ −𝑡 𝜌
𝑖∈[𝑘] 2𝜌
𝑐
𝑠𝑘−1 𝑘−1
𝑠𝑘−1 ℒ−𝑡
Need at least 2
𝑛+𝑘
≥2
− 𝑛+𝑘
𝜌𝑠𝑘 ℒ−𝑡
𝜌𝑠𝑘 𝑐𝑘∗ −𝑡
initial samples to go 𝑘 steps.
Key Inequality
𝑘
2 , 𝑐𝑘∗ ∈ ℒ/2ℒ maximize 𝜌𝑠𝑘 𝑐𝑘∗ − 𝑡 .
Let 𝑠𝑘 = 𝑠
Lemma:
∗
𝜌𝑠𝑘 𝑐𝑘 − 𝑡
2
≤
∗
𝜌𝑠𝑘+1 𝑐𝑘+1
− 𝑡 𝜌𝑠𝑘+1 ℒ .
Proof:
∗
Take 𝑡1 ∈ 𝑐𝑘 − 𝑡 and 𝑡2 = 0. Then
∗
𝜌𝑠𝑘 𝑐𝑘 − 𝑡 2 = 𝜌𝑠𝑘 2ℒ + 𝑡1 2 = 𝜌𝑠𝑘+2 ℒ + 𝑡1 /2
=
≤
𝑐∈ℒ/2ℒ 𝜌𝑠𝑘+1
∗
𝜌𝑠𝑘+1 𝑐𝑘+1
−
𝑐 + 𝑡1 𝜌𝑠𝑘+1 (𝑐)
𝑡
𝑐∈ℒ 2ℒ 𝜌𝑠𝑘+1
𝑐
2
Key Inequality
𝑘
2 , 𝑐𝑘∗ ∈ ℒ/2ℒ maximize 𝜌𝑠𝑘 𝑐𝑘∗ − 𝑡 .
Let 𝑠𝑘 = 𝑠
Lemma:
∗
𝜌𝑠𝑘 𝑐𝑘 − 𝑡
2
≤
∗
𝜌𝑠𝑘+1 𝑐𝑘+1
− 𝑡 𝜌𝑠𝑘+1 ℒ .
Proof:
∗
Take 𝑡1 ∈ 𝑐𝑘 − 𝑡 and 𝑡2 = 0. Then
∗
𝜌𝑠𝑘 𝑐𝑘 − 𝑡 2 = 𝜌𝑠𝑘 2ℒ + 𝑡1 2 = 𝜌𝑠𝑘+2 ℒ + 𝑡1 /2
=
≤
𝑐∈ℒ/2ℒ 𝜌𝑠𝑘+1
∗
𝜌𝑠𝑘+1 𝑐𝑘+1
−
𝑐 + 𝑡1 𝜌𝑠𝑘+1 (𝑐)
𝑡 𝜌𝑠𝑘+1 (ℒ)
2
Hope for Exact CVP
From approximate CVP solutions can try to learn
subspaces that must contain the closest vector.
2 lattice subspaces
𝑡
ℒ
Clustering approx. closest vectors
Lemma: Assume that 𝑥, 𝑦 ∈ ℒ, 𝑥 ≡ 𝑦 𝑚𝑜𝑑 2ℒ , are at
distance at most 𝑑 ℒ, 𝑡 2 + 𝑟 2 from 𝑡.
Then (𝑥 − 𝑦)/2 2 ≤ 𝑟 2 .
𝑥
𝑦
𝑥+𝑦
2
𝑡
𝑑(ℒ, 𝑡)
𝑟
ℒ
Clustering approx. closest vectors
Lemma: Assume that 𝑥, 𝑦 ∈ ℒ, 𝑥 ≡ 𝑦 𝑚𝑜𝑑 2ℒ , are at
distance at most 𝑑 ℒ, 𝑡 2 + 𝑟 2 from 𝑡.
Then (𝑥 − 𝑦)/2 2 ≤ 𝑟 2 .
Proof:
Since 𝑥 + 𝑦 2 ∈ ℒ, 𝑥 + 𝑦 2 − 𝑡 ≥ 𝑑 ℒ, 𝑡 .
(𝑥 − 𝑦)/2 2
= 𝑥 − 𝑡 2 /2 + 𝑦 − 𝑡 2 /2 − 𝑥 + 𝑦 2 − 𝑡 2
≤ 𝑑 ℒ, 𝑡 2 + 𝑟 2 /2 + 𝑑 ℒ, 𝑡 2 + 𝑟 2 /2 − 𝑑 ℒ, 𝑡
= 𝑟2
2
How many closest vectors?
Corollary: For 𝑛-dimension lattice ℒ and target 𝑡 ∈ ℝ𝑛
there are most 2𝑛 closest vectors to 𝑡.
(0,1)
Bound is trivially tight.
(1,1)
(1 2 , 1 2)
(0,0)
(1,0)
How many closest vectors?
Corollary: For 𝑛-dimension lattice ℒ and target 𝑡 ∈ ℝ𝑛
there are most 2𝑛 closest vectors to 𝑡.
Proof: By lemma, any two closest vectors in the same
coset of ℒ 2ℒ are equal (their distance is 0).
Furthermore, the number of distinct cosets is 2𝑛 .
Dimension Reduction via Clustering
Let 𝐵 = (𝑏1 , … , 𝑏𝑛 ) be an HKZ basis of ℒ.
Lemma: Assume that 𝑥, 𝑦 ∈ ℒ, 𝑥 ≡ 𝑦 𝑚𝑜𝑑 2ℒ , are at
distance at most 𝑑 ℒ, 𝑡 2 + 𝑟 2 from 𝑡.
Then if 𝑟 < 𝑏𝑛−𝑘+1 , 𝑥, 𝑦 have the same last 𝑘
coordinates w.r.t. 𝐵.
Proof: Suffices to show 𝜋𝑛−𝑘+1 (𝑥 − 𝑦)/2 = 0. If not,
then 𝜋𝑛−𝑘+1 (𝑥 − 𝑦)/2 ∈ 𝜋𝑛−𝑘+1 (ℒ) is non-zero and
𝑥−𝑦
𝜋𝑛−𝑘+1
2
≤
𝑥−𝑦
2
≤ 𝑟 < 𝑏𝑛−𝑘+1 .
Exact CVP
Main Idea: Given HKZ basis 𝑏1 , … , 𝑏𝑛 of ℒ will show that
for 𝑘 chosen carefully, the last 𝑘 coordinates of any
close enough vector to 𝑡 are determined by their parity.
For 𝑥 =
𝑖∈[𝑛] 𝑎𝑖 𝑏𝑖
∈ ℒ close enough to 𝑡, will show that
(𝑎𝑛−𝑘+1 , … , 𝑎𝑛 )
is essentially determined by
(𝑎𝑛−𝑘+1 (𝑚𝑜𝑑 2), … , 𝑎𝑛 (𝑚𝑜𝑑 2)).
Exact CVP
Can group approx. closest vectors by their coefficients
with respect to 𝑏𝑛−𝑘+1 , … , 𝑏𝑛 .
Indexes at most ≈ 2𝑘 shifts of 𝑛 − 𝑘 dimensional
sublattice ℒ(𝑏1 , … , 𝑏𝑛−𝑘 ), which we recurse on.
𝑏1
2 lattice subspaces
𝑎2 = 0
𝑡
𝑏2
𝑎2 = 1
ℒ
High Level Algorithm
Input: 𝑛-dimensional lattice ℒ and target 𝑡.
Output: Closest lattice vectors in ℒ to 𝑡.
1. Compute HKZ basis 𝐵 of ℒ, and number 𝑘 of “high
order coordinates”.
2. Sample many approx. closest vectors via DGS.
3. Group them according to last 𝑘 coordinates with
respect to 𝐵 = (𝑏1 , … , 𝑏𝑛 ) and recurse on
associated shifts of ℒ(𝑏1 , … , 𝑏𝑛−𝑘 ) .
Complexity Sketch
Initialization: (one shot 2𝑛+𝑜(𝑛) time)
Compute short basis 𝐵 of ℒ, and number 𝑘 of “high
order coordinates” (can compute for each rec. level).
Per level work: (2𝑛+𝑜(𝑛) time)
Sample many approx. closest vectors via DGS.
Recursion: (≈ 2𝑘 subproblems of dim. 𝑛 − 𝑘)
Group them according to last 𝑘 coordinates with
respect to 𝐵 and recurse.
Total runtime: 2𝑛+𝑜(𝑛)
Key Challenges
Runtime:
1. Getting many DGS samples at low parameters.
2. Show last 𝑘 coeffs ≈ determined by their parity.
3. Deal with ≈ 2𝑘 subproblems in recursion analysis.
Correctness:
Show that we hit last 𝑘 coeffs of an exact closest
vector with high probability.
(will show that we hit exact parity)
Conclusions
1.
Fastest algorithm for CVP: 2𝑛+𝑜(𝑛) time.
2. Explicitly / implicitly use ideas from all known
algorithm types: basis reduction, sieving, Voronoi.
3. The discrete Gaussian is a very powerful tool!
Many of its properties are still poorly understood...
Open Problems
1. Is 2𝑛 optimal under SETH? (matches # closest vectors)
2. Is there a deterministic / Las Vegas algorithm?
(2𝑛 time once the Voronoi cell is computed [BD 15])
𝑣1
𝑣2
𝑣3
𝑣6
0
𝑣4
𝑣5
3. Find a simpler & cleaner algorithm…
ℒ
THANK YOU!