
Lattice Based Cryptography

Part I Basics, CHAP 01 Geometric and Computational Backgrounds

Wenling Liu, Shanghai Jiao Tong University.

Wenling Liu @ SJTU Table of Contents

1. Introduction to Lattice
2. Computational Problems on Lattice
3. Introduction to Hardness of Lattice Problems

Section 1

Introduction to Lattice

Lattice

A lattice is a set of points in n-dimensional space with a periodic structure.

Or we say, a lattice is an infinite additive subgroup of $\mathbb{R}^n$. A lattice can be generated by vectors. Let $b_1, b_2, \cdots, b_m \in \mathbb{R}^n$ be linearly independent and let $B = [b_1\ b_2\ \cdots\ b_m]$; then we write

$$\Lambda = \mathcal{L}(B) = \Big\{ \sum_{i \in [m]} x_i b_i \;\Big|\; x_i \in \mathbb{Z} \Big\}$$

We call B a basis of the lattice Λ.

Lattice

Furthermore, if m = n, we call Λ a full-rank lattice in $\mathbb{R}^n$. A lattice can have different bases:

Figure: Different Bases of the same Lattice

From now on, unless otherwise specified, we always talk about full-rank lattices by default.

Fundamental Parallelepiped

Define the fundamental parallelepiped of a basis B as

$$\mathcal{P}(B) = \{\, y \in \mathbb{R}^n \mid y = Bx \text{ for some } x \in [0,1)^n \,\}$$

Figure: Fundamental Parallelepipeds of different Bases

Fact: The fundamental parallelepiped contains no lattice point except 0.

Fundamental Parallelepiped

The volume of the fundamental parallelepiped can be computed by

$$\mathrm{Vol}(B) = |\det B|$$

Here we abuse the notation and simplify $\mathrm{Vol}(\mathcal{P}(B))$ to $\mathrm{Vol}(B)$. Fact: Different bases of the same lattice have equal volume.

We can now use det(Λ) instead of the volume to study a lattice; we define $\det(\Lambda) = |\det B|$, where B is any basis of Λ.

Gram-Schmidt Orthogonalization

Gram-Schmidt orthogonalization is used to transform a basis into an orthogonal basis. Let $B = [b_1, \cdots, b_n]$ be a basis of $\mathbb{R}^n$; the Gram-Schmidt orthogonal basis of B can be computed by

$$\begin{aligned}
\tilde b_1 &= b_1 \\
\tilde b_2 &= b_2 - \mathrm{proj}_{\tilde b_1}(b_2) \\
\tilde b_3 &= b_3 - \mathrm{proj}_{\tilde b_1}(b_3) - \mathrm{proj}_{\tilde b_2}(b_3) \\
&\ \ \vdots \\
\tilde b_n &= b_n - \sum_{j=1}^{n-1} \mathrm{proj}_{\tilde b_j}(b_n)
\end{aligned}$$

Gram-Schmidt Orthogonalization

Let $\tilde B = [\tilde b_1, \cdots, \tilde b_n]$. Fact: For any B, we have

$$\max_{i \in [n]} \|b_i\| \ \ge\ \max_{i \in [n]} \|\tilde b_i\|$$

Note: Usually, $\tilde B$ is not a basis of $\mathcal{L}(B)$.

Gram-Schmidt orthogonalization of a lattice basis will be used in: 1. bounding the smoothing parameter of a lattice; 2. sampling from discrete Gaussians on a given lattice.
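As an added worked example (not from the slides), the Gram-Schmidt recursion above in exact rational arithmetic on a constructed 3-dimensional basis, together with two of the stated facts: the volume $\det(\Lambda)^2 = \prod_i \|\tilde b_i\|^2$ is the same for B and for B·U with U unimodular, and $\max\|b_i\| \ge \max\|\tilde b_i\|$, while the $\tilde b_i$ are not lattice vectors. The basis B, the unimodular matrix U and all function names are my own choices.

```python
from fractions import Fraction

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """B is a list of basis vectors b_1..b_n (each a list of coordinates).
    Returns b~_1..b~_n following the recursion on the slide,
    b~_i = b_i - sum_{j<i} proj_{b~_j}(b_i), with exact rational arithmetic."""
    Bt = []
    for b in B:
        b = [Fraction(x) for x in b]
        v = list(b)
        for bt in Bt:
            mu = dot(b, bt) / dot(bt, bt)          # projection coefficient of b onto b~_j
            v = [vi - mu * bi for vi, bi in zip(v, bt)]
        Bt.append(v)
    return Bt

def det_squared(B):
    """det(Lambda)^2 = Vol(P(B))^2 = prod_i ||b~_i||^2 for a full-rank basis.
    Squared norms keep everything in Q (the norms themselves may be irrational)."""
    r = Fraction(1)
    for bt in gram_schmidt(B):
        r *= dot(bt, bt)
    return r

def max_sq_norm(V):
    return max(dot(v, v) for v in V)

def change_basis(B, U):
    """Basis vectors of B*U, i.e. b'_j = sum_i U[i][j] * b_i. When U is unimodular
    (integer entries, det +-1) this is another basis of the same lattice."""
    n = len(B)
    return [[sum(U[i][j] * B[i][k] for i in range(n)) for k in range(n)] for j in range(n)]

# Constructed example: a basis of a lattice in Z^3 with det = 2, and a unimodular U.
B = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]
U = [[1, 0, 3], [0, 1, -2], [0, 0, 1]]       # upper unitriangular, so det U = 1
B2 = change_basis(B, U)                      # same lattice, longer third vector (4, 1, -1)

if __name__ == "__main__":
    Bt = gram_schmidt(B)
    print("Gram-Schmidt vectors:", Bt)                     # b~_2 has non-integer entries
    print("det^2 of B and of B*U:", det_squared(B), det_squared(B2))   # equal volumes
    print("max||b_i||^2 >= max||b~_i||^2 ?", max_sq_norm(B) >= max_sq_norm(Bt))
```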

Successive Minima

Define

$$\lambda_1(\Lambda) = \min_{x \in \Lambda,\ x \neq 0} \|x\|$$

Let $v_i$ be a lattice vector that is linearly independent of $v_1, \cdots, v_{i-1}$ and satisfies $\|v_i\| = \lambda_i(\Lambda)$; then for $i \le n-1$ we can define

$$\lambda_{i+1}(\Lambda) = \min_{x \in \Lambda,\ x \notin \mathrm{span}(v_1, \cdots, v_i)} \|x\|$$

Also, we can abuse the notation and let the argument be a basis of the lattice, as in $\lambda_i(B)$. Fact:

$$\lambda_1(\Lambda) \le \lambda_2(\Lambda) \le \cdots \le \lambda_n(\Lambda)$$

Minkowski Theorem

Minkowski's First Theorem (Convex Body Theorem): For any lattice Λ and any convex set $S \subset \mathrm{span}(\Lambda)$ symmetric about the origin, if $\mathrm{vol}(S) > 2^n \det \Lambda$, then S contains a nonzero lattice point $v \in S \cap \Lambda \setminus \{0\}$.

Minkowski's Second Theorem

For any lattice $\Lambda = \mathcal{L}(B)$, the successive minima (in the $\ell_2$ norm) $\lambda_1, \cdots, \lambda_n$ satisfy

$$\Big( \prod_{i=1}^{n} \lambda_i \Big)^{1/n} \le \sqrt{n}\, \det(B)^{1/n}$$

Dual Lattice

Let Λ be a lattice; the dual lattice of Λ is defined as

$$\Lambda^* = \{\, x \in \mathbb{R}^n \mid \forall y \in \Lambda:\ \langle x, y \rangle \in \mathbb{Z} \,\}$$

Fact: Let B be an arbitrary basis of Λ. Then $\Lambda'$ is the dual lattice of Λ iff $\forall i \in [n],\ \forall x \in \Lambda':\ \langle x, b_i \rangle \in \mathbb{Z}$.

Since $\{\, x \in \mathbb{R}^n \mid \langle x, b_i \rangle \in \mathbb{Z} \,\}$ is a set of equidistant parallel (n−1)-dimensional hyperplanes perpendicular to $b_i$, the dual lattice can be regarded as the points of intersection of n such sets of hyperplanes.

Dual Lattice: Example and Intuition

Fact: 1. $(\mathbb{Z}^n)^* = \mathbb{Z}^n$. 2. $(q\mathbb{Z}^n)^* = \frac{1}{q}\mathbb{Z}^n$.

"The sparser the lattice, the denser the dual lattice." Different bases of a lattice, with their perpendicular hyperplane sets, construct the same dual lattice.

Dual Lattice: Other Facts

Fact: For any lattice Λ, we have $\det(\Lambda) = 1 / \det(\Lambda^*)$.
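An added example (not part of the slides) that computes a basis of the dual lattice as the rows of $B^{-1}$ (the columns of $B^{-T}$) in exact rational arithmetic for the constructed basis $b_1 = (2,0)$, $b_2 = (1,1)$, checks the Fact that $\langle d_i, b_j \rangle$ is integral, confirms $\det(\Lambda)\cdot\det(\Lambda^*) = 1$ and the $(q\mathbb{Z}^n)^* = \frac{1}{q}\mathbb{Z}^n$ example. The helper names and sample bases are assumptions of mine.

```python
from fractions import Fraction

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def invert_with_det(M):
    """Exact Gauss-Jordan elimination over Q on a nonsingular square matrix (list of rows).
    Returns (M^{-1}, det M); det is tracked as the product of pivots times the swap sign."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    det = Fraction(1)
    for c in range(n):
        p = next(r for r in range(c, n) if A[r][c] != 0)    # pivot row (exists: M is a basis)
        if p != c:
            A[c], A[p] = A[p], A[c]
            det = -det
        piv = A[c][c]
        det *= piv
        A[c] = [x / piv for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A], det

def as_matrix(B):
    """Matrix whose columns are the basis vectors b_1..b_n."""
    n = len(B)
    return [[B[j][i] for j in range(n)] for i in range(n)]

def lattice_det(B):
    return abs(invert_with_det(as_matrix(B))[1])

def dual_basis(B):
    """Basis d_1..d_n of Lambda^*: row i of B^{-1} satisfies <d_i, b_j> = 1 if i == j else 0,
    so every integer combination of the d_i pairs integrally with every lattice vector."""
    inv, _ = invert_with_det(as_matrix(B))
    return inv

def pairings(B, D):
    """<d_i, b_j> for all i, j; with D = dual_basis(B) this is the identity matrix,
    which is the slide's Fact checked on the generators of Lambda^*."""
    return [[dot(d, b) for b in B] for d in D]

# Constructed example: b_1 = (2, 0), b_2 = (1, 1), a lattice of determinant 2.
B = [[2, 0], [1, 1]]

if __name__ == "__main__":
    D = dual_basis(B)
    print("dual basis:", D)                                        # (1/2, -1/2) and (0, 1)
    print("<d_i, b_j>:", pairings(B, D))
    print("det(L) * det(L*) =", lattice_det(B) * lattice_det(D))    # 1
    print("(3Z^2)^* is generated by", dual_basis([[3, 0], [0, 3]]))  # (1/3) Z^2
```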

Section 2

Computational Problems on Lattice

Shortest Vector Problem

Algebraic problems on lattices are easier due to the simple algebraic structure of lattices. We mainly talk about geometric problems on lattices. Geometric problems on lattices are discrete geometry problems; like other combinatorial problems, these problems are hard.

We mainly talk about three categories of problems:
• Search Problem: asks to find the (usually unique) solution to the given problem.
• Optimization Problem: asks to find a solution to the given problem within an approximation factor.
• Promise Problem: asks to decide whether the given statement is true. Usually the input is promised to lie in some range.

Shortest Vector Problem

Shortest Vector Problem (SVP): Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find a nonzero lattice vector $x \in \mathcal{L}(B)$ such that $\|x\| \le \|y\|$ for any other nonzero $y \in \mathcal{L}(B)$.

γ-Approximate Shortest Vector Problem ($\mathrm{SVP}_\gamma$): Given a lattice basis $B \in \mathbb{Z}^{m \times n}$, find a nonzero lattice vector $x \in \mathcal{L}(B)$ such that $\|x\| \le \gamma(n) \cdot \lambda_1(B)$.

γ-Gap Shortest Vector Problem ($\mathrm{GapSVP}_\gamma$)

Given a lattice basis B and a constant d. In YES instances the input satisfies $\lambda_1(B) \le d$, and in NO instances $\lambda_1(B) > \gamma(n) \cdot d$.

Closest Vector Problem

Closest Vector Problem (CVP): Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a target point t, find a lattice point $x \in \mathcal{L}(B)$ such that $\|x - t\| \le \mathrm{dist}(t, \mathcal{L}(B))$.

γ-Approximate Closest Vector Problem ($\mathrm{CVP}_\gamma$): Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a target point t, find a lattice point $x \in \mathcal{L}(B)$ such that $\|x - t\| \le \gamma(n) \cdot \mathrm{dist}(t, \mathcal{L}(B))$.

γ-Gap Closest Vector Problem ($\mathrm{GapCVP}_\gamma$): Given a lattice basis B, a target point t and a constant d. In YES instances the input satisfies $\mathrm{dist}(t, \mathcal{L}(B)) \le d$, and in NO instances $\mathrm{dist}(t, \mathcal{L}(B)) > \gamma(n) \cdot d$.

Shortest Independent Vectors Problem

Bounded Distance Decoding Problem ($\mathrm{BDD}_\gamma$): Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a target point t, find a lattice point $x \in \mathcal{L}(B)$ such that $\|x - t\| \le \gamma(n) \cdot \lambda_1(B)$.

The BDD problem is an optimization problem.

γ-Shortest Independent Vectors Problem ($\mathrm{SIVP}_\gamma$): Given a lattice basis B, the goal is to output a set of n linearly independent lattice vectors $S \subset \mathcal{L}(B)$ such that $\|S\| \le \gamma(n) \cdot \lambda_1(B)$.
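The following added example (not from the slides) brute-forces the definitions from the successive-minima and Minkowski slides and from the SVP, CVP and GapSVP slides on a constructed 2-dimensional basis $b_1 = (4,0)$, $b_2 = (1,1)$: it enumerates a window of lattice points, finds $\lambda_1$ and $\lambda_2$ (so $v_1$ solves SVP), checks Minkowski's second theorem in squared form, solves a CVP instance and decides a GapSVP promise instance. Squared norms keep the arithmetic exact; the coefficient window `bound` and all names are my own assumptions.

```python
from fractions import Fraction
from itertools import product

def sq_norm(v):
    return sum(x * x for x in v)

def lattice_points(B, bound):
    """All x_1 b_1 + ... + x_n b_n with integer |x_i| <= bound: a finite window of L(B).
    Exhaustive search is exponential in n; for this toy basis bound = 3 contains the optima."""
    n = len(B)
    return [tuple(sum(x * b[k] for x, b in zip(xs, B)) for k in range(n))
            for xs in product(range(-bound, bound + 1), repeat=n)]

def rank(vectors):
    """Rank over Q by exact elimination; used for the 'x not in span(v_1..v_i)' test."""
    rows, r = [[Fraction(x) for x in v] for v in vectors], 0
    for c in range(len(vectors[0])):
        piv = next((row for row in rows if row[c] != 0), None)
        if piv is not None:   # remove the pivot row and clear column c from the others
            rows = [[a - row[c] / piv[c] * b for a, b in zip(row, piv)] for row in rows if row is not piv]
            r += 1
    return r

def successive_minima(B, bound=3):
    """[lambda_1^2, ..., lambda_n^2] (squared, to stay exact) and vectors achieving them:
    lambda_{i+1} = min ||x|| over lattice x outside span(v_1..v_i); v_1 is an SVP solution."""
    V = []
    for p in sorted((p for p in lattice_points(B, bound) if any(p)), key=sq_norm):
        if rank(V + [p]) == len(V) + 1:
            V.append(p)
    return [sq_norm(v) for v in V], V

def cvp(B, t, bound=3):
    """Closest lattice point to t and dist(t, L(B))^2 (brute force over the window)."""
    best = min(lattice_points(B, bound), key=lambda p: sq_norm([a - c for a, c in zip(p, t)]))
    return best, sq_norm([a - c for a, c in zip(best, t)])

def gap_svp(B, d, gamma):
    """Promise problem: YES if lambda_1 <= d, NO if lambda_1 > gamma*d, None off the promise."""
    l1 = successive_minima(B)[0][0]
    return "YES" if l1 <= d * d else ("NO" if l1 > (gamma * d) ** 2 else None)

# Constructed 2-dimensional example: b_1 = (4, 0), b_2 = (1, 1), so det = 4.
B = [(4, 0), (1, 1)]
t = (Fraction(7, 2), Fraction(1, 2))

if __name__ == "__main__":
    mins, vecs = successive_minima(B)
    print("lambda^2:", mins, "by", vecs)                       # [2, 8], +-(1, 1) and +-(2, -2)
    print("Minkowski II, squared: prod lambda_i^2 <= n^n det^2 ->", mins[0] * mins[1] <= 2**2 * 4**2)
    print("CVP:", cvp(B, t), "| GapSVP(d=1, gamma=2):", gap_svp(B, 1, 2))  # (4, 0), 1/2 | None
```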

Generalized Problems

The SIVP and BDD problems have corresponding generalized versions.

Guaranteed Distance Decoding ($\mathrm{GDD}^{\phi}_{\gamma}$): Given a lattice basis $B \in \mathbb{Z}^{m \times n}$ and a target point t, find a lattice point $x \in \mathcal{L}(B)$ such that $\|x - t\| \le \gamma(n) \cdot \phi(B)$.

Generalized Independent Vectors Problem ($\mathrm{GIVP}^{\phi}_{\gamma}$): Given a lattice basis B, the goal is to output a set of n linearly independent lattice vectors $S \subset \mathcal{L}(B)$ such that $\|S\| \le \gamma(n) \cdot \phi(B)$.

In reduction procedures we usually let φ(B) be the smoothing parameter η(B), a parameter of the lattice that will be introduced later.

Section 3

Introduction to Hardness of Lattice Problems

Hardness of Lattice Problems

Figure: Known Hardness of Lattice Problems

"Hard" means NP-hard, which means every NP problem can be reduced to it by a Karp reduction (in deterministic polynomial time). Here, we are talking about worst-case hardness.
• There might be only one instance of such a problem that is hard to solve, which means worst-case hardness alone is not enough for cryptographic use.

Quantum Hardness?

Quantum computing is powerful but not all-powerful! It is assumed that lattice problems are hard enough even for quantum computers. This is because there are still no quantum algorithms that could solve lattice problems efficiently.
• "Efficiently" means solved in polynomial time with overwhelming probability of correctness.
• For probabilistic/quantum computing, a problem being worst-case hard means that no such machine can solve every instance efficiently.

Towards Average-Case Hardness

Known results:
1. Under the classical computing model, assuming the worst-case hardness of some lattice problems, there is a variant of SVP that is average-case hard.
2. Under the quantum computing model, assuming the worst-case hardness of some lattice problems, there is a variant of BDD that is average-case hard.
They are:
1. Short Integer Solution (SIS) Problem
2. Learning with Errors (LWE) Problem
Both will be introduced later.
