Complexity of Lattice Problems
Total Page:16
File Type:pdf, Size:1020Kb
COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE COMPLEXITY OF LATTICE PROBLEMS A Cryptographic Perspective Daniele Micciancio University of California, San Diego Sbafi Goldwasser The Massachusetts Institute ofTechnology, Cambridge SPRINGER SCIENCE+BUSINESS MEDIA, LLC ISBN 978-1-4613-5293-8 ISBN 978-1-4615-0897-7 (eBook) DOI 10.1007/978-1-4615-0897-7 Library of Congress Cataloging-in-Publication Data A c.I.P. Catalogue record for this book is available from the Library of Congress. Copyright © 2002 Springer Science+Business Media New York Originally published by Kluwer Academic Publishers in 2002 Softcover reprint of the hardcover 1st edition 2002 AII rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photo copying, recording, or otherwise, without the prior written permission of the publisher, Springer Science+Business Media, LLC. Printed an acid-free paper. Contents Preface ix 1. BASICS 1 1 Lattices 1 1.1 Determinant 6 1.2 Successive minima 7 1.3 Minkowski's theorems 11 2 Computational problems 14 2.1 Complexity Theory 15 2.2 Some lattice problems 17 2.3 Hardness of approximation 19 3 Notes 21 2. APPROXIMATION ALGORITHMS 23 1 Solving SVP in dimension 2 24 1.1 Reduced basis 24 1.2 Gauss' algorithm 27 1.3 Running time analysis 30 2 Approximating SVP in dimension n 32 2.1 Reduced basis 32 2.2 The LLL basis reduction algorithm 34 2.3 Running time analysis 36 3 Approximating CVP in dimension n 40 4 Notes 42 3. CLOSEST VECTOR PROBLEM 45 1 Decision versus Search 46 2 NP-completeness 48 VI COMPLEXITY OF LATTICE PROBLEMS 3 SVP is not harder than CVP 52 3.1 Deterministic reduction 53 3.2 Randomized Reduction 56 4 Inapproximability of CVP 58 4.1 Polylogarithmic factor 58 4.2 Larger factors 61 5 CVP with preprocessing 64 6 Notes 67 4. SHORTEST VECTOR PROBLEM 69 1 Kannan's homogenization technique 70 2 The Ajtai-Micciancio embedding 77 3 NP-hardness of SVP 83 3.1 Hardness under randomized reductions 83 3.2 Hardness under nonuniform reductions 85 3.3 Hardness under deterministic reductions 86 4 Notes 87 5. SPHERE PACKINGS 91 1 Packing Points in Small Spheres 94 2 The Exponential Sphere Packing 96 2.1 The Schnorr-Adleman prime number lattice 97 2.2 Finding clusters 99 2.3 Some additional properties 104 3 Integer Lattices 105 4 Deterministic construction 108 5 Notes 110 6. LOW-DEGREE HYPERGRAPHS 111 1 Sauer's Lemma 112 2 Weak probabilistic construction 114 2.1 The exponential bound 115 2.2 Well spread hypergraphs 118 2.3 Proof of the weak theorem 121 3 Strong probabilistic construction 122 4 Notes 124 7. BASIS REDUCTION PROBLEMS 125 1 Successive minima and Minkowski's reduction 125 Contents VB 2 Orthogonality defect and KZ reduction 131 3 Small rectangles and the covering radius 136 4 Notes 141 8. CRYPTOGRAPHIC FUNCTIONS 143 1 General techniques 146 1.1 Lattices, sublattices and groups 147 1.2 Discrepancy 153 1.3 Statistical distance 157 2 Collision resistant hash functions 161 2.1 The construction 162 2.2 Collision resistance 164 2.3 The iterative step 168 2.4 Almost perfect lattices 182 3 Encryption Functions 184 3.1 The GGH scheme 185 3.2 The HNF technique 187 3.3 The Ajtai-Dwork cryptosystem 189 3.4 NTRU 191 4 Notes 194 9. INTERACTIVE PROOF SYSTEMS 195 1 Closest vector problem 198 1.1 Proof of the soundness claim 201 1.2 Conclusion 204 2 Shortest vector problem 204 3 Treating other norms 206 4 What does it mean? 208 5 Notes 210 References 211 Index 219 Preface Lattices are geometric objects that can be pictorially described as the set of intersection points of an infinite, regular n-dimensional grid. De spite their apparent simplicity, lattices hide a rich combinatorial struc ture, which has attracted the attention of great mathematicians over the last two centuries. Not surprisingly, lattices have found numerous ap plications in mathematics and computer science, ranging from number theory and Diophantine approximation, to combinatorial optimization and cryptography. The study of lattices, specifically from a computational point of view, was marked by two major breakthroughs: the development of the LLL lattice reduction algorithm by Lenstra, Lenstra and Lovasz in the early 80's, and Ajtai's discovery of a connection between the worst-case and average-case hardness of certain lattice problems in the late 90's. The LLL algorithm, despite the relatively poor quality of the solution it gives in the worst case, allowed to devise polynomial time solutions to many classical problems in computer science. These include, solving integer programs in a fixed number of variables, factoring polynomials over the rationals, breaking knapsack based cryptosystems, and finding solutions to many other Diophantine and cryptanalysis problems. Ajtai's discovery suggested a completely different way to use lattices in cryptography. Instead of using algorithmic solutions to computationally tractable lattice approximation problems to break cryptosystems, Ajtai's work shows how to use the existence of computationally intractable-to approximate lattice problems to build cryptosystems which are impossi ble to break. Namely, design cryptographic functions that are provably as hard to break as it is to solve a computationally hard lattice problem. Whereas in complexity theory we say that a problem is hard if it is hard for the worst case instance, in cryptography a problem is deemed hard only if it is hard in the average case (i.e., for all but a negligible IX x COMPLEXITY OF LATTICE PROBLEMS fraction of the instances). The novelty in Ajtai's result, is that he shows how to build a cryptographic function which is as hard to break on the average (e.g., over the random choices of the function instance) as it is to solve the worst case instance of a certain lattice problem. This achievement is unique to lattice theory at this time, and points to lattices as an ideal source of hardness for cryptographic purposes. These new constructive applications of lattices, are deeply rooted in complexity theory, and were followed by a sharp increase in the study of lattices from a computational complexity point of view. This led to the resolution of several long standing open problems in the area. Most notably, the NP-hardness of the shortest vector problem in its exact and approximate versions. We present a self contained exposition of this latter result as well as other results on the computational complexity of lattice problems. We did not attempt to cover everything known about lattices, as this would have filled several volumes. Rather, we selected a few represen tative topics, based on our personal taste and research experience. Re grettably, a topic which we neglect is duality and transference theorems. With this notable exception, we believe that most of the current ideas relevant to lattice based cryptography appear within in some form or another. Many research questions regarding lattices and their cryptographic usage remain open. We hope that this book will help make lattice based cryptography more accessible to a wider audience, and ultimately yield further progress in this exciting research area. Acknowledgments. Part of the material presented in this book is based on joint work of the authors with Shai Halevi, Oded Goldreich, Muli Safra and Jean-Pierre Seifert. Many other people have indirectly contributed to this book, either through their work, or through many conversations with the authors. Among them, we would like to men tion Miklos Ajtai, Ravi Kannan, Amit Sahai, Claus Schnorr, Madhu Sudan and Salil Vadhan. We would like to thank all our coauthors and colleagues that have made this book possible. The first author would like to thank also the National Science Foun dation and Chris and Warren Hellman for partially supporting this work under NSF Career Award CCR-0093029 and a 2001-02 Hellman Fellow ship. DANIELE MICCIANCIO Chapter 1 BASICS This book is about algorithmic problems on point lattices, and their computational complexity. In this chapter we give some background about lattices and complexity theory. 1. Lattices Let IRm be the m-dimensional Euclidean space. A lattice in IRm is the set .c(bl' ... ' bn ) = {tXibi:Xi E Z} (1.1) t=1 of all integral combinations of n linearly independent vectors b 1, ... , b n in IRm (m 2: n). The integers nand m are called the rank and dimension of the lattice, respectively. The sequence of vectors b 1, ... , b n is called a lattice basis and it is conveniently represented as a matrix (1.2) having the basis vectors as columns. Using matrix notation, (1.1) can be rewritten in a more compact form as .c(B) = {Bx: x E zn} (1.3) where Bx is the usual matrix-vector multiplication. Graphically, a lattice can be described as the set of intersection points of an infinite, regular (but not necessarily orthogonal) n-dimensional grid. A 2-dimensional example is shown in Figure 1.1. There, the basis vectors are (1.4) 2 COMPLEXITY OF LATTICE PROBLEMS Figure 1.1. A lattice in R2 and they generate all the intersection points of the grid when combined with integer coefficients. The same lattice has many different bases. For example, vectors (1.5) are also a basis for lattice .L:(bI, b2). The grid generated by b~, b~ is shown in Figure 1.2. Notice that although the two grids are different, the set of intersection points is exactly the same, i.e., {bI, b2} and {b~, b~} are two different bases for the same lattice .L:(bI, b2) = .L:(b~, b~).