(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 12, No. 5, 2021 Techniques for Solving Shortest Vector Problem
V. Dinesh Reddy1, P. Ravi2, Ashu Abdul3, Mahesh Kumar Morampudi4, Sriramulu Bojjagani5 School of Engineering and Sciences, Department of CSE SRM University, Amaravati, AP, India1,3,4,5 Assistant Professor, CSE, Anurag University, Hyderabad, Telangana, India2
Abstract—Lattice-based crypto systems are regarded as secure compares different algorithms solving SVP with respect to and believed to be secure even against quantum computers. their efficiency and optimal solution. lattice-based cryptography relies upon problems like the Shortest Vector Problem. Shortest Vector Problem is an instance of lattice problems that are used as a basis for secure cryptographic II.PRELIMINARIES schemes. For more than 30 years now, the Shortest Vector A. Definitions and Related Problems Problem has been at the heart of a thriving research field and n n finding a new efficient algorithm turned out to be out of reach. Let (b1, . . . , bn) be a basis in R and N a norm on R . This problem has a great many applications such as optimization, Ln Let L denote i=1 Zbi,L is called a lattice. Set communication theory, cryptography, etc. This paper introduces the Shortest Vector Problem and other related problems such as λ(L) = min N(v) the Closest Vector Problem. We present the average case and v∈L\{0} worst case hardness results for the Shortest Vector Problem. We are now able to define SVP. For L a lattice, the exact form Further this work explore efficient algorithms solving the Shortest Shortest Vector Problem, denoted by SVP (L) is as follows. Vector Problem and present their efficiency. More precisely, this paper presents four algorithms: the Lenstra-Lenstra-Lovasz SVP (L): Find v ∈ L such that N(v) = λ(L) (LLL) algorithm, the Block Korkine-Zolotarev (BKZ) algorithm, a Metropolis algorithm, and a convex relaxation of SVP. The As it is often the case, we will actually be interested in experimental results on various lattices show that the Metropolis algorithms solving an approximation of SVP. For γ > 1 the algorithm works better than other algorithms with varying sizes approximated form of SVP (L), denoted by SVPγ (L) is of lattices. SVP (L): Find v ∈ L\{0} such that N(v) γλ(L) Keywords—Lattice; SVP; CVP; post quantum cryptography γ 6 Now, a closely related problem is the Closest Vector Problem CVP (L, x), defined for a lattice L ⊂ Rn and x ∈ Rn as I.INTRODUCTION CVP (L): F ind v ∈ L such that N(v − x) = λ(L) A lattice an abstract structure defined as the set of all integer linear combinations of some independent vectors in In its exact form. As in the above we can define an Rn. Over the last two centuries, mathematicians have explored the fascinating combinatorial structure of lattices, and it has approximated problem CVPγ also been studied from an asymptotic algorithmic viewpoint CVP (L): F ind v ∈ L such that N(v − x) γλ(L) for at least three decades. Most fundamental problems are γ 6 not considered to be effectively solvable on lattices. In ad- In fact, CVPγ solves SVPγ . Indeed, for i = 1, . . . , n i dition, hardness results suggest that such problems can not be set L = Zb1 ⊕ ... ⊕ 2bi ⊕ ... ⊕ bn and xi a solution to i solved by polynomial-time algorithms unless the hierarchy of CVPγ L , bi , then one of the vectors in {xi − bi}i=1...n is polynomial-time collapses. Cryptographic constructions based a solution to SVPγ (L). For we have the following claim: on lattice hold a clear promise for cryptography with strong i security proof, as was demonstrated by Ajtai [1], who came Claim 1. Let xi be a solution to CVP L , bi then up with a construction of cryptographic primitives based on {xi − bi} contains a solution to SVP (L) i=1,...,n P worst-case hardness of certain lattice problems. Proof. Indeed, let x = nibi be any solution to SVP (L), as N x < N(x) we get that x ∈/ L and there is i ∈ {1, . . . , n} Two main important and very closely related hard com- 2 2 such that n is odd. Then, x + b ∈ Li Therefore, the set putational problems used by cryptographers are the Shortest i i {x − b } contains a element of norm less than or Vector Problem (SVP) and the Closest Vector Problem (CVP). i i i=1,...,n In the former, for a lattice specified by some basis we are equal to N(x). supposed to find nontrivial and small nonzero vector (length of When N is the l2 norm on Rn,CVP has another formula- vector) in the lattice. The problem CVP is an inhomogeneous tion that allows us to use convex optimization techniques. To variant of SVP, in which given a lattice (specified by some this end, let B be the matrix given by the basis (b1, . . . , bn) basis) and a vector v, one has to find the vector in L closest and c a vector in Rn. Then, CVP (L, c) is equivalent to to v. The hardness of these problems is partially due to the fact that multiple bases can generate the same lattice. minimize xT BT Bx − 2cT x This work presents the best hardness result known for SVP, subject to x ∈ Zn www.ijacsa.thesai.org 841 | P a g e (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 12, No. 5, 2021
n×m This is readily seen by expanding out the quantity kBx − ck2. for any X ∈ (Z/qZ) , set Λ(X) as the lattice m Following (ref), we will apply a convex relaxation to this {y ∈ Z | Xy ≡ 0[q]} and Λn,m,q the space of such lattices. problem to get an efficient randomized algorithm solving We see Λn,m,q as a probability space by choosing X according CVPγ . to Ωn,m,q and computing Λ(X). For any X, Λ(X) is indeed a lattice, as q ( m) ⊂ Λ(X). Finally, a last related problem is the Hermite Shortest Z n×n Vector problem denoted by HSVP . Again, let B ∈ R Finally, for c > 1 a lattice L endowed with a norm N is be the matrix given by (b1, . . . , bn) , for γ > 1, HSVPγ (L) said to have a c-unique shortest vector v if the following holds is the following problem. {v ∈ L | N(v) 6 cλ(L)} = {v, −v} HSVPγ (L): Find v ∈ L such that N(v) 6 γ| det(B)| This result is called a worst-case to average case hardness According to a theorem of Minkowski’s, HSVP and SVP are because it links the lack of a polynomial ranodmized in fact closely related. The LLL algorithm described in Section algorithm over ‘all’ lattices to the lack of such algorithm for III-A actually solves HSVPγ . a small class of lattices, namely Λn,m,q. We also note that similar results exist for related problems such as CVP . In B. Hardness: Average and Worst Case the following, we list further hardness results. An interesting feature of lattice problem is there hardness. M.Ajtai in his seminal papers [1], [2] showed in particular Theorem 2 SVP is NP -hard under the l∞ -norm. that worst-case hardness is related to average-case hardness Moreover, CVP is NP-hard under the lp -norm for all p > 1 and that SVP is NP-hard for randomized reductions. This [8].. makes lattice problems particularly interesting as basis for crypto systems. Example of such systems are systems of Ajtai and Dwork [3], Goldreich, Goldwasser and Halevi [4], Theorem 3 For all γ, CVPγ is NP-hard under any lp the NTRU cryptosystem [5], and the first fully homomorphic -norm [9]. encryption scheme by Gentry [6]. In this section we state a number of hardness results without proofs. For a more Building on results by Ajtai [2], Micciancio proved the precise treatment see also [7]. The main result of worst-case following. to average case NP-hardness is as follows. √ Theorem 4 For all > 0,SVP 2− is NP -hard under randomized polynomial time reductions [10]. Theorem 1 Suppose there is a randomized polynomial time algorithm A such that for all n, A returns a vector of 1 Finally: Λ(X) of length 6 n with probability nO(1) for Λ(X) chosen β at random in Λn,m,q where m = αn log(n) and q = n for c > 0 Theorem 5 There is suchc that CVP is NP-hard appropriate α, β. Then, there exist a randomized polynomial to approximate within a factor n log(log(n)) , where n is the time algorithm B and constants c1, c2, c3 such that for all dimension of the lattice [11]. n n, (b1, . . . , bn) basis of R and L := ⊕Zbi, B performs the following with high probability [3]: 1) Finds a basis {β1, . . . , βn} for L such that Many other results related to hardness exist. We only decided to mention some of the most fundamental ones. c1 max kβik 6 n min max kcik ; (ci) basis of L III.SOLVING SVP 2) finds an estimate λ¯ of λ(L) such that, This section presents solving SVP and related results. λ1(L) ˜ Even though many hardness results have been found, we 6 λ 6 λ(L) nc2 can still solve approximate SVP within some reasonable 3) If moreover, L has a nc3 unique shortest vector, finds this constant depending on the input size. Usually, the ‘reasonable vector. constant’ is not known theoretically to be ‘reasonable’ but only empirically. For instance, the first algorithm on this list, LLL, We are now oing to explain the content of this theorem. is only known to solve SVP within a factor exponential in First of all, we must explain a number of concepts and notation. the input size. However, results with LLL are in practice much Here, k.k refers to the l2 -norm. better than the bound.
A randomized algorithm is an algorithm that uses a degree A. Lenstra-Lenstra-Lovaz´ Algorithm of randomness as part of its process. As such, it does not guarantee success, but the probability of success for a given This section presents the Lenstra-Lenstra-Lovasz´ reduction input size can be computed. A randomized algorithm is said basis algorithm, by Lenstra, Lenstra and Lovasz,´ see [12]. to perform an event with high probability if the probability of Originally, the purpose of this algorithm is to factor polyno- this event goes to 1 as the input size goes to +∞ mials, we will not consider this problem here. We turn now to the definition of Λ(X). Let n, m, q ∈ Moreover, it is important to note that the techniques used N, (Z/qZ)n×m the space of matrices with entries in (Z/qZ), were developed by Hermite, Minkowksy and others to study n×m and Ωn,m,q the uniform distribution on (Z/qZ) Now, Siegel sets and lattices in algebraic groups. This is why LLL www.ijacsa.thesai.org 842 | P a g e (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 12, No. 5, 2021 is in fact an algorithm solving HSVP.HSVP and SVP are initialization; 1 related thanks to the following results due to Minkowski. Require: a basis (b1, . . . , bn) of L and δ ∈ 4 ; 1 Ensure: the output basis (b1, . . . , bn) of L satisfies Lovasz’´ condition Theorem 6 (Minkowski). Let n ∈ and L be any lattice N i ← 2 in Rn, then 1 while i 6 n do λ(L) γn(det(L)) n 6 P i ∗ bi ← bi − | µi,j b γ n. j