Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers ›...
Transcript of Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers ›...
![Page 1: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/1.jpg)
Solving All Lattice Problems in DeterministicSingle Exponential Time
Daniele Micciancio (UCSD)(Joint work with P. Voulgaris, STOC 2010)
Barriers II Workshop, Princeton
August 27, 2010
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 2: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/2.jpg)
Lattices
Traditional area of mathematics
Bridge between number theory and geometryStudied by Lagrange, Gauss, ..., Minkowski, ...
Key to many algorithmic applications
Cryptanalysis, Coding Theory, Integer Programming
Foundation of Lattice based Cryptography
Exponentially hard to break, even by quantum adversaryAsymptotically fast and easily parallelizable cryptographicfunctionsSecure based on conjectured hardness of worst-case problemsExtremely versatile: CPA/CCA encryption, digital signature,. . . ring signatures, threshold encryption, IBE, . . . , HIBE, . . . ,fully homomorphic encryption
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 3: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/3.jpg)
Complexity of Lattice problems
Finding exact solutions
Best known algorithms run in exponential time
NP-hard: no subexponential time solution is expected
Finding good (nO(1)) approximations
Foundation of lattice based cryptography
Not known how to solve substantially faster than exact version
Finding exponential (2O(n)) approximations
Extensively used in cryptanalysis
Polynomial time algorithms, based on exact solution of smalldimensional subproblems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 4: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/4.jpg)
Complexity of Lattice problems
Finding exact solutions
Best known algorithms run in exponential time
NP-hard: no subexponential time solution is expected
Finding good (nO(1)) approximations
Foundation of lattice based cryptography
Not known how to solve substantially faster than exact version
Finding exponential (2O(n)) approximations
Extensively used in cryptanalysis
Polynomial time algorithms, based on exact solution of smalldimensional subproblems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 5: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/5.jpg)
Outline
1 Introduction LatticesLattice ProblemsAlgorithmic Techniques
2 New AlgorithmOverviewVoronoi CellCVPP Algorithm
3 Final Remarks and Open Problems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 6: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/6.jpg)
1 Introduction LatticesLattice ProblemsAlgorithmic Techniques
2 New AlgorithmOverviewVoronoi CellCVPP Algorithm
3 Final Remarks and Open Problems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 7: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/7.jpg)
Point Lattices
00 ~b1
~b2
A lattice is the set of all integerlinear combinations of (linearlyindependent) basis vectorsB = ~b1, . . . ,~bn ⊂ Rn:
Λ =n∑
i=1
~bi · Z
= B~x : ~x ∈ Zn
The same lattice has many bases
Λ =n∑
i=1
~ci · Z
Definition (Lattice)
Discrete additive subgroup of Rn
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 8: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/8.jpg)
Point Lattices
00 ~b1
~b2
A lattice is the set of all integerlinear combinations of (linearlyindependent) basis vectorsB = ~b1, . . . ,~bn ⊂ Rn:
Λ =n∑
i=1
~bi · Z = B~x : ~x ∈ Zn
The same lattice has many bases
Λ =n∑
i=1
~ci · Z
Definition (Lattice)
Discrete additive subgroup of Rn
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 9: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/9.jpg)
Point Lattices
00 ~b1
~b2~c1
~c2
A lattice is the set of all integerlinear combinations of (linearlyindependent) basis vectorsB = ~b1, . . . ,~bn ⊂ Rn:
Λ =n∑
i=1
~bi · Z = B~x : ~x ∈ Zn
The same lattice has many bases
Λ =n∑
i=1
~ci · Z
Definition (Lattice)
Discrete additive subgroup of Rn
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 10: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/10.jpg)
Point Lattices
00
A lattice is the set of all integerlinear combinations of (linearlyindependent) basis vectorsB = ~b1, . . . ,~bn ⊂ Rn:
Λ =n∑
i=1
~bi · Z = B~x : ~x ∈ Zn
The same lattice has many bases
Λ =n∑
i=1
~ci · Z
Definition (Lattice)
Discrete additive subgroup of Rn
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 11: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/11.jpg)
Shortest Vector Problem (SVP)
0 ~b1
~b2
Definition (SVP)
Given a lattice L(B), find a(nonzero) lattice vector B~x (with~x ∈ Zk) of minimal length ‖B~x‖
Input: A lattice basis B
Output: A shortest nonzerovector ~s ∈ Λ
The problem is hard whendimension n is high andbasis is skewed
Shortest vector can be muchshorter than basis vectors
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 12: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/12.jpg)
Shortest Vector Problem (SVP)
0 ~b1
~b2
Definition (SVP)
Given a lattice L(B), find a(nonzero) lattice vector B~x (with~x ∈ Zk) of minimal length ‖B~x‖
Input: A lattice basis B
Output: A shortest nonzerovector ~s ∈ Λ
The problem is hard whendimension n is high andbasis is skewed
Shortest vector can be muchshorter than basis vectors
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 13: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/13.jpg)
Shortest Vector Problem (SVP)
0
~b1
~b2
Definition (SVP)
Given a lattice L(B), find a(nonzero) lattice vector B~x (with~x ∈ Zk) of minimal length ‖B~x‖
Input: A lattice basis B
Output: A shortest nonzerovector ~s ∈ Λ
The problem is hard whendimension n is high andbasis is skewed
Shortest vector can be muchshorter than basis vectors
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 14: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/14.jpg)
Shortest Vector Problem (SVP)
0
~b1
~b2
Definition (SVP)
Given a lattice L(B), find a(nonzero) lattice vector B~x (with~x ∈ Zk) of minimal length ‖B~x‖
Input: A lattice basis B
Output: A shortest nonzerovector ~s ∈ Λ
The problem is hard whendimension n is high andbasis is skewed
Shortest vector can be muchshorter than basis vectors
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 15: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/15.jpg)
Shortest Independent Vectors Problem (SIVP)
0 ~b1
~b2
Definition (SIVP)
Given a lattice L(B), find nlinearly independent latticevectors ~s1, . . . , ~sn of minimallength maxi ‖~si‖
Input: A lattice basis B
Output: n shortest linearlyindependent lattice vectors~s1, . . . ,~sn ∈ Λ
The problem is hard whendimension n is high andbasis is skewed
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 16: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/16.jpg)
Shortest Independent Vectors Problem (SIVP)
0 ~b1
~b2
Definition (SIVP)
Given a lattice L(B), find nlinearly independent latticevectors ~s1, . . . , ~sn of minimallength maxi ‖~si‖
Input: A lattice basis B
Output: n shortest linearlyindependent lattice vectors~s1, . . . ,~sn ∈ Λ
The problem is hard whendimension n is high andbasis is skewed
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 17: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/17.jpg)
Shortest Independent Vectors Problem (SIVP)
0
~b1
~b2
Definition (SIVP)
Given a lattice L(B), find nlinearly independent latticevectors ~s1, . . . , ~sn of minimallength maxi ‖~si‖
Input: A lattice basis B
Output: n shortest linearlyindependent lattice vectors~s1, . . . ,~sn ∈ Λ
The problem is hard whendimension n is high andbasis is skewed
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 18: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/18.jpg)
Closest Vector Point (CVP)
0
~t
Inhomogeneous version of SVP
Definition (CVP)
Given a lattice L(B) and a targetpoint ~t, find a lattice vector B~xwhich minimizes the distance‖B~x −~t‖
Input: A lattice Λ(B),and a target vector ~t
Output: A closest latticepoint ~c ∈ Λ
NP-hard [vEB’81], even forfixed lattice [M’01]
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 19: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/19.jpg)
Closest Vector Point (CVP)
0
~t~c
Inhomogeneous version of SVP
Definition (CVP)
Given a lattice L(B) and a targetpoint ~t, find a lattice vector B~xwhich minimizes the distance‖B~x −~t‖
Input: A lattice Λ(B),and a target vector ~t
Output: A closest latticepoint ~c ∈ Λ
NP-hard [vEB’81], even forfixed lattice [M’01]
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 20: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/20.jpg)
Closest Vector Point (CVP)
0
~t~c
Inhomogeneous version of SVP
Definition (CVP)
Given a lattice L(B) and a targetpoint ~t, find a lattice vector B~xwhich minimizes the distance‖B~x −~t‖
Input: A lattice Λ(B),and a target vector ~t
Output: A closest latticepoint ~c ∈ Λ
NP-hard [vEB’81], even forfixed lattice [M’01]
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 21: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/21.jpg)
Complexity of SVP, SIVP, CVP
Efficient (dimension preserving) reductions
SVP, SIVP ≤ CVP [GMSS’99, M’08]
Fastest previous algorithm
SVP,SIVP,CVP : [Kannan’87] runs in nO(n) timeSVP: [AKS’01] runs in randomized 2O(n) time and spaceAlgorithms work in any `p norm [BN’07]
Barriers
Can CVP, SIVP also be solved in 2c·n time?
Yes! (for `2)
What is the smallest constant c? [NV’09,MP’10,PS’10]:c < 2.5 for SVP in `2.
c ≤ 2 for SVP,SIVP,CVP!
Is randomization and exponential space useful/necessary?
Randomization is not!What about other norms and Integer Programming (IP)?
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 22: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/22.jpg)
Complexity of SVP, SIVP, CVP
Efficient (dimension preserving) reductions
SVP, SIVP ≤ CVP [GMSS’99, M’08]
Fastest previous algorithm
SVP,SIVP,CVP : [Kannan’87] runs in nO(n) timeSVP: [AKS’01] runs in randomized 2O(n) time and spaceAlgorithms work in any `p norm [BN’07]
Barriers
Can CVP, SIVP also be solved in 2c·n time?
Yes! (for `2)
What is the smallest constant c? [NV’09,MP’10,PS’10]:c < 2.5 for SVP in `2.
c ≤ 2 for SVP,SIVP,CVP!
Is randomization and exponential space useful/necessary?
Randomization is not!What about other norms and Integer Programming (IP)?
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 23: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/23.jpg)
Complexity of SVP, SIVP, CVP
Efficient (dimension preserving) reductions
SVP, SIVP ≤ CVP [GMSS’99, M’08]
Fastest previous algorithm
SVP,SIVP,CVP : [Kannan’87] runs in nO(n) timeSVP: [AKS’01] runs in randomized 2O(n) time and spaceAlgorithms work in any `p norm [BN’07]
Barriers
Can CVP, SIVP also be solved in 2c·n time? Yes! (for `2)What is the smallest constant c? [NV’09,MP’10,PS’10]:c < 2.5 for SVP in `2. c ≤ 2 for SVP,SIVP,CVP!Is randomization and exponential space useful/necessary?Randomization is not!
What about other norms and Integer Programming (IP)?
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 24: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/24.jpg)
Complexity of SVP, SIVP, CVP
Efficient (dimension preserving) reductions
SVP, SIVP ≤ CVP [GMSS’99, M’08]
Fastest previous algorithm
SVP,SIVP,CVP ,IP: [Kannan’87] runs in nO(n) timeSVP: [AKS’01] runs in randomized 2O(n) time and spaceAlgorithms work in any `p norm [BN’07]
Barriers
Can CVP, SIVP also be solved in 2c·n time? Yes! (for `2)What is the smallest constant c? [NV’09,MP’10,PS’10]:c < 2.5 for SVP in `2. c ≤ 2 for SVP,SIVP,CVP!Is randomization and exponential space useful/necessary?Randomization is not!What about other norms and Integer Programming (IP)?
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 25: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/25.jpg)
1 Introduction LatticesLattice ProblemsAlgorithmic Techniques
2 New AlgorithmOverviewVoronoi CellCVPP Algorithm
3 Final Remarks and Open Problems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 26: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/26.jpg)
Size Reduction
0~b
~c
~b: (short) lattice vector
~c : arbitrary point
Can make ~c shorter bysubtracting ~b from it
Repeat until ~c closer to ~0than to ~b
Remarks
~c − ~c ′ ∈ ΛKey step in [LLL’82] basisreduction algorithmTechnique is used in mostother lattice algorithms
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 27: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/27.jpg)
Size Reduction
0~b
~c
~b: (short) lattice vector
~c : arbitrary point
Can make ~c shorter bysubtracting ~b from it
Repeat until ~c closer to ~0than to ~b
Remarks
~c − ~c ′ ∈ ΛKey step in [LLL’82] basisreduction algorithmTechnique is used in mostother lattice algorithms
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 28: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/28.jpg)
Size Reduction
0~b
~c~c ′
~b: (short) lattice vector
~c : arbitrary point
Can make ~c shorter bysubtracting ~b from it
Repeat until ~c closer to ~0than to ~b
Remarks
~c − ~c ′ ∈ ΛKey step in [LLL’82] basisreduction algorithmTechnique is used in mostother lattice algorithms
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 29: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/29.jpg)
Size Reduction
0~b
~c~c ′
~b: (short) lattice vector
~c : arbitrary point
Can make ~c shorter bysubtracting ~b from it
Repeat until ~c closer to ~0than to ~b or −~bRemarks
~c − ~c ′ ∈ ΛKey step in [LLL’82] basisreduction algorithmTechnique is used in mostother lattice algorithms
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 30: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/30.jpg)
Rank reduction
0
~t
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 31: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/31.jpg)
Rank reduction
0 ~b1
~b2
~t
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 32: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/32.jpg)
Rank reduction
0
~t
~t1~v1
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 33: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/33.jpg)
Rank reduction
0
~t
~t2
~v1
~v2
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 34: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/34.jpg)
Rank reduction
0
~t
~t3
~v1
~v2
~v3
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 35: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/35.jpg)
Rank reduction
0
~t
~t4
~v1
~v2
~v3
~v4
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 36: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/36.jpg)
Rank reduction
0
~t~v1
~v2
~v3
~v4
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 37: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/37.jpg)
Rank reduction
0
~t~v1
~v2
~v3
~v4
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 38: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/38.jpg)
Rank reduction: CVP(Λn) ≤ 2n · CVP(Λn−1)
0
~t~v1
~v2
~v3
~v4
Λ1
Goal: Solve CVP(Λn,~t)
Partition Λn into layers ofthe form: Λn−1 + c~bn,c = 2, 1, 3, 0, . . .
Find lattice point ~vi in eachlayer closest to (theprojection of) ~t
Only need to considernearby layers
Dual LLL: 2n layersDual SVP: n layers
Select the best solution ~v1
Notice: All layers containsame lattice Λn−1
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 39: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/39.jpg)
1 Introduction LatticesLattice ProblemsAlgorithmic Techniques
2 New AlgorithmOverviewVoronoi CellCVPP Algorithm
3 Final Remarks and Open Problems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 40: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/40.jpg)
Solving CVP by rank reduction
Rank reduction CVP(Λn) ≤ k · CVP(Λn−1)
LLL: k = 2n,SVP: k = n,
Iterate: CVP(Λn) ≤ k · CVP(Λn−1) ≤ · · · ≤ knCVP(Λ1) = kn
Our approach
Exploit the fact that recursive calls use the same lowerdimensional sublatticesPreprocess the lattice to speed up the solution of many CVPinstances
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 41: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/41.jpg)
Solving CVP by rank reduction
Rank reduction CVP(Λn) ≤ k · CVP(Λn−1)
LLL: k = 2n, T = 2n2
SVP: k = n, T = nn
Iterate: CVP(Λn) ≤ k · CVP(Λn−1) ≤ · · · ≤ knCVP(Λ1) = kn
Our approach
Exploit the fact that recursive calls use the same lowerdimensional sublatticesPreprocess the lattice to speed up the solution of many CVPinstances
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 42: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/42.jpg)
Solving CVP by rank reduction
Rank reduction CVP(Λn) ≤ k · CVP(Λn−1)
LLL: k = 2n, T = 2n2
SVP: k = n, T = nn
Iterate: CVP(Λn) ≤ k · CVP(Λn−1) ≤ · · · ≤ knCVP(Λ1) = kn
Our approach
Exploit the fact that recursive calls use the same lowerdimensional sublatticesPreprocess the lattice to speed up the solution of many CVPinstances
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 43: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/43.jpg)
CVP with Preprocessing (CVPP)
Problem (CVPP)
Find a function π and an efficient algorithm CVPP such thatCVPP(π(Λ),~t) = CVP(Λ,~t)
Only the running time of CVPP counts. The function π isarbitrary.
Complexity
Still NP-hard [M’01]![LLS’93,AR’04] approximates within nO(1) in polynomial timePolynomial time solutions require |π(Λ)| ≤ nO(1)
Our work:
CVPP(π(Λ),~t) runs in 2O(n) time
π(Λ) has size 2O(n)
π(Λ) can also be computed in time 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 44: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/44.jpg)
CVP with Preprocessing (CVPP)
Problem (CVPP)
Find a function π and an efficient algorithm CVPP such thatCVPP(π(Λ),~t) = CVP(Λ,~t)
Only the running time of CVPP counts. The function π isarbitrary.
Complexity
Still NP-hard [M’01]![LLS’93,AR’04] approximates within nO(1) in polynomial timePolynomial time solutions require |π(Λ)| ≤ nO(1)
Our work:
CVPP(π(Λ),~t) runs in 2O(n) time
π(Λ) has size 2O(n)
π(Λ) can also be computed in time 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 45: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/45.jpg)
CVP with Preprocessing (CVPP)
Problem (CVPP)
Find a function π and an efficient algorithm CVPP such thatCVPP(π(Λ),~t) = CVP(Λ,~t)
Only the running time of CVPP counts. The function π isarbitrary.
Complexity
Still NP-hard [M’01]![LLS’93,AR’04] approximates within nO(1) in polynomial timePolynomial time solutions require |π(Λ)| ≤ nO(1)
Our work:
CVPP(π(Λ),~t) runs in 2O(n) time
π(Λ) has size 2O(n)
π(Λ) can also be computed in time 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 46: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/46.jpg)
CVP with Preprocessing (CVPP)
Problem (CVPP)
Find a function π and an efficient algorithm CVPP such thatCVPP(π(Λ),~t) = CVP(Λ,~t)
Only the running time of CVPP counts. The function π isarbitrary.
Complexity
Still NP-hard [M’01]![LLS’93,AR’04] approximates within nO(1) in polynomial timePolynomial time solutions require |π(Λ)| ≤ nO(1)
Our work:
CVPP(π(Λ),~t) runs in 2O(n) timeπ(Λ) has size 2O(n)
π(Λ) can also be computed in time 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 47: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/47.jpg)
CVP with Preprocessing (CVPP)
Problem (CVPP)
Find a function π and an efficient algorithm CVPP such thatCVPP(π(Λ),~t) = CVP(Λ,~t)
Only the running time of CVPP counts. The function π isarbitrary.
Complexity
Still NP-hard [M’01]![LLS’93,AR’04] approximates within nO(1) in polynomial timePolynomial time solutions require |π(Λ)| ≤ nO(1)
Our work:
CVPP(π(Λ),~t) runs in 2O(n) timeπ(Λ) has size 2O(n)
π(Λ) can also be computed in time 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 48: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/48.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn)
≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 49: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/49.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn)
≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 50: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/50.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn)
≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 51: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/51.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn)
≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 52: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/52.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn)
≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 53: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/53.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn)
≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 54: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/54.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn)
≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 55: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/55.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 56: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/56.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 57: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/57.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 58: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/58.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 59: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/59.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 60: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/60.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 61: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/61.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 62: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/62.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 63: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/63.jpg)
Overview of CVP algorithm
Building blocks:
π(Λ) = V(Λ): Voronoi cell of the lattice
Our approach: CVP(Λn) ≤ CVPP(V(Λn)) + V(Λn)
CVPP(V(Λn)) algorithm with running time 2n
Voronoi cell computation V(Λn) ≤ 2nCVP(Λn)
Dimension reduction CVP(Λn) ≤ 2n · CVP(Λn−1)
Computing the Voronoi cell of a lattice:
V(Λn) ≤ 2O(n)CVP(Λn)
≤ 2O(n) · 2O(n) · CVP(Λn−1)
≤ 2O(n) · 2O(n) · CVPP(V(Λn−1)) + V(Λn−1)
≤ 2O(n)2O(n)2O(n) + V(Λn−1)
= 2O(n) + V(Λn−1)
≤ 2O(n) + 2O(n) + V(Λn−2) ≤ . . . ≤ 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 64: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/64.jpg)
1 Introduction LatticesLattice ProblemsAlgorithmic Techniques
2 New AlgorithmOverviewVoronoi CellCVPP Algorithm
3 Final Remarks and Open Problems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 65: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/65.jpg)
Voronoi Cell
0
Definition (Voronoit Cell)
Set of points in Rn closer to 0than to any other lattice point
V(Λ) = ~x : ∀~v ∈ Λ, ‖~x‖ ≤ ‖~x−~v‖
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 66: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/66.jpg)
Representing the Voronoi cell
0
~v1
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈
H~v
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 67: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/67.jpg)
Representing the Voronoi cell
0
~v1
~v2
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈Λ
H~v
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 68: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/68.jpg)
Representing the Voronoi cell
0
~v1
~v2
~v3
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈Λ
H~v
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 69: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/69.jpg)
Representing the Voronoi cell
0
~v1
~v2
~v3
~v4
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈Λ
H~v
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 70: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/70.jpg)
Representing the Voronoi cell
0
~v1
~v2
~v3
~v4
~v5
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈Λ
H~v
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 71: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/71.jpg)
Representing the Voronoi cell
0
~v1
~v2
~v3
~v4
~v5
~v6
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈Λ
H~v
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 72: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/72.jpg)
Representing the Voronoi cell
0
~v1
~v2
~v3
~v4
~v5
~v6
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈R
H~v ,R ⊂ Λ
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 73: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/73.jpg)
Representing the Voronoi cell
0
~v1
~v2
~v3
~v4
~v5
~v6
Each ~v ∈ Λ defines
H~v = ~x : ‖~x‖ ≤ ‖~x − ~v‖
V is the intersection
V =⋂~v∈R
H~v ,R ⊂ Λ
Not all ~v ∈ Λ are needed
Theorem (Voronoi)
The numer of relevant points isat most |R| ≤ 2 · (2n − 1)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 74: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/74.jpg)
Computing V(Λn)
0
~v1
−~v1
~v2
−~v2 ~v3
−~v3
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 75: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/75.jpg)
Computing V(Λn)
0
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 76: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/76.jpg)
Computing V(Λn)
0
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 77: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/77.jpg)
Computing V(Λn)
0
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 78: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/78.jpg)
Computing V(Λn)
0
~v1
−~v1
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 79: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/79.jpg)
Computing V(Λn)
0
~v1
−~v1
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 80: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/80.jpg)
Computing V(Λn)
0
~v1
−~v1
~v2
−~v2
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 81: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/81.jpg)
Computing V(Λn)
0
~v1
−~v1
~v2
−~v2
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 82: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/82.jpg)
Computing V(Λn)
0
~v1
−~v1
~v2
−~v2 ~v3
−~v3
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 83: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/83.jpg)
Computing V(Λn) ≤ 2nCVP(Λn)
0
~v1
−~v1
~v2
−~v2 ~v3
−~v3
Why is |R| ≤ 2 · (2n − 1)?
Partition Λ into cosetsmodulo 2Λ
There are 2n − 1 nonzerocosets
From each coset, select thepair ~v ,−~v closest to ~0
R is the set of all such pairs
Each pair is found by a CVPcomputation in lattice 2Λ
CVP(2Λ) is equivalent toCVP(Λ)
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 84: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/84.jpg)
1 Introduction LatticesLattice ProblemsAlgorithmic Techniques
2 New AlgorithmOverviewVoronoi CellCVPP Algorithm
3 Final Remarks and Open Problems
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 85: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/85.jpg)
CVP and Voronoi cell
0
~t~v
Definition (CVP)
Given Λ and ~t, find ~v ∈ Λ suchthat ~t ∈ ~v + V
~t ∈ ~v + V ≡ ~t − ~v ∈ VCVP goal: bring ~t inside Vby shifting it by ~v ∈ Λ
Algorithm [SFS’09]:
While ~t /∈ V:Select ~v ∈ R . ~t /∈ H~v
size reduce ~t using ~v
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 86: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/86.jpg)
CVP and Voronoi cell
0
~t~v
~t’
Definition (CVP)
Given Λ and ~t, find ~v ∈ Λ suchthat ~t ∈ ~v + V
~t ∈ ~v + V ≡ ~t − ~v ∈ V
CVP goal: bring ~t inside Vby shifting it by ~v ∈ Λ
Algorithm [SFS’09]:
While ~t /∈ V:Select ~v ∈ R . ~t /∈ H~v
size reduce ~t using ~v
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 87: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/87.jpg)
CVP and Voronoi cell
0
~t~v
~t’
Definition (CVP)
Given Λ and ~t, find ~v ∈ Λ suchthat ~t ∈ ~v + V
~t ∈ ~v + V ≡ ~t − ~v ∈ VCVP goal: bring ~t inside Vby shifting it by ~v ∈ Λ
Algorithm [SFS’09]:
While ~t /∈ V:Select ~v ∈ R . ~t /∈ H~v
size reduce ~t using ~v
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 88: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/88.jpg)
CVP and Voronoi cell
0
~t~v
~t’
Definition (CVP)
Given Λ and ~t, find ~v ∈ Λ suchthat ~t ∈ ~v + V
~t ∈ ~v + V ≡ ~t − ~v ∈ VCVP goal: bring ~t inside Vby shifting it by ~v ∈ Λ
Algorithm [SFS’09]:
While ~t /∈ V:Select ~v ∈ R . ~t /∈ H~v
size reduce ~t using ~v
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 89: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/89.jpg)
CVP and Voronoi cell
0
~t~v
~t’
Definition (CVP)
Given Λ and ~t, find ~v ∈ Λ suchthat ~t ∈ ~v + V
~t ∈ ~v + V ≡ ~t − ~v ∈ VCVP goal: bring ~t inside Vby shifting it by ~v ∈ Λ
Algorithm [SFS’09]:
While ~t /∈ V:Select ~v ∈ R . ~t /∈ H~v
size reduce ~t using ~v
[SFS’09] only proves termination
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 90: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/90.jpg)
CVP and Voronoi cell
0
~t~v
~t’
Definition (CVP)
Given Λ and ~t, find ~v ∈ Λ suchthat ~t ∈ ~v + V
~t ∈ ~v + V ≡ ~t − ~v ∈ VCVP goal: bring ~t inside Vby shifting it by ~v ∈ Λ
Algorithm [SFS’09]:
While ~t /∈ V:Select ~v ∈ R . ~t /∈ H~v
size reduce ~t using ~v
[SFS’09] only proves terminationQuestion: What is a goodselection strategy for ~v ∈ R?
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 91: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/91.jpg)
Our selection strategy
0
~t
Assume ~t∈ 2V
Goal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kVSubtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~tstill ~t ′ ∈ 2V|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 92: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/92.jpg)
Our selection strategy
0
~t
Assume ~t∈ 2VGoal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kVSubtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~tstill ~t ′ ∈ 2V|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 93: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/93.jpg)
Our selection strategy
0
~t
~u1
Assume ~t∈ 2VGoal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kV
Subtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~tstill ~t ′ ∈ 2V|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 94: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/94.jpg)
Our selection strategy
0
~t
~u1
~t ′
Assume ~t∈ 2VGoal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kVSubtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~tstill ~t ′ ∈ 2V|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 95: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/95.jpg)
Our selection strategy
0
~t
~u1
~t ′
Assume ~t∈ 2VGoal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kVSubtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~tstill ~t ′ ∈ 2V|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 96: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/96.jpg)
Our selection strategy
0
~t
~u1
~t ′
Assume ~t∈ 2VGoal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kVSubtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~t
still ~t ′ ∈ 2V|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 97: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/97.jpg)
Our selection strategy
0
~t
~u1
~t ′
Assume ~t∈ 2VGoal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kVSubtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~tstill ~t ′ ∈ 2V
|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 98: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/98.jpg)
Our selection strategy
0
~t
~u1
~t ′
Assume ~t∈ 2VGoal: find ~t ′ ∈ ~t − Λ ∩ V:
Strategy:
Compute smallest k ∈ Rsuch that ~t ∈ kVSubtract the relevantvector associated tocorresponding facet
Why does it work?
The new vector ~t ′ isshorter than ~tstill ~t ′ ∈ 2V|(~t − Λ) ∩ 2V| ≤ 2n
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 99: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/99.jpg)
Doubling the Voronoi Cell
~t
Solve CVP for any ~t:
Find ~k ∈ Z such that~t ∈ 2kVUse CVP2V to go from 2kVto 2k−1V
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 100: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/100.jpg)
Doubling the Voronoi Cell
~t
Solve CVP for any ~t:
Find ~k ∈ Z such that~t ∈ 2kVUse CVP2V to go from 2kVto 2k−1V
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 101: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/101.jpg)
Doubling the Voronoi Cell
~t
~t1
Solve CVP for any ~t:
Find ~k ∈ Z such that~t ∈ 2kVUse CVP2V to go from 2kVto 2k−1V
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 102: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/102.jpg)
Doubling the Voronoi Cell
~t
~t1
Solve CVP for any ~t:
Find ~k ∈ Z such that~t ∈ 2kVUse CVP2V to go from 2kVto 2k−1V
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 103: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/103.jpg)
Doubling the Voronoi Cell
~t
~t1
~t2
Solve CVP for any ~t:
Find ~k ∈ Z such that~t ∈ 2kVUse CVP2V to go from 2kVto 2k−1V
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 104: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/104.jpg)
Doubling the Voronoi Cell
~t
~t1
~t2
Solve CVP for any ~t:
Find ~k ∈ Z such that~t ∈ 2kVUse CVP2V to go from 2kVto 2k−1V
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 105: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/105.jpg)
Doubling the Voronoi Cell
~t
~t1
~t2~t3
Solve CVP for any ~t:
Find ~k ∈ Z such that~t ∈ 2kVUse CVP2V to go from 2kVto 2k−1V
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 106: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/106.jpg)
Summary
CVP can be solved deterministically in time 2c·n
Algorithms for SVP, SIVP and many other problems follow byreduction
Question: what is the best possible c?
Under ETH, c = Ω(1)In this talk, we didn’t optimize cWith some more work, we can reduce c = 2
SVP: improves previous c < 2.5, deterministically!
CVP: First 2O(n) time algorithm, and first asymptoticimprovement since [K’87]
Daniele Micciancio CVP in deterministic 2O(n) time
![Page 107: Solving All Lattice Problems in Deterministic Single ... › ~daniele › papers › Voronoi-slides.pdf · Key to many algorithmic applications Cryptanalysis, Coding Theory, Integer](https://reader033.fdocuments.net/reader033/viewer/2022060402/5f0e77187e708231d43f60df/html5/thumbnails/107.jpg)
Open Problems
Practical barrier in lattice cryptography:
Evaluate appropriate key size to achieve securityCurrent state of the art lattice reduction algorithms are poorlyunderstoodProblem: find better, practical lattice algorithms that allow toextrapolate running time/complexity of approximation to veryhigh dimension
Reduce space complexity to polynomial
Design polynomial time CVPP approximation algorithmsbased on approximate Voronoi cell
Extend to `∞Most relevant norm for cryptanalysisApplication to Integer Proramming
Question
Is the number of `∞-relevant points still bounded by 2O(n)
Daniele Micciancio CVP in deterministic 2O(n) time