The Mathematics of Lattices Daniele Micciancio January 2020 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 1 / 43 Outline 1 Point Lattices and Lattice Parameters 2 Computational Problems Coding Theory 3 The Dual Lattice 4 Q-ary Lattices and Cryptography Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 2 / 43 Point Lattices and Lattice Parameters 1 Point Lattices and Lattice Parameters 2 Computational Problems Coding Theory 3 The Dual Lattice 4 Q-ary Lattices and Cryptography Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 3 / 43 Key to many algorithmic applications Cryptanalysis (e.g., breaking low-exponent RSA) Coding Theory (e.g., wireless communications) Optimization (e.g., Integer Programming with fixed number of variables) Cryptography (e.g., Cryptographic functions from worst-case complexity assumptions, Fully Homomorphic Encryption) Point Lattices and Lattice Parameters (Point) Lattices Traditional area of mathematics ◦ ◦ ◦ Lagrange Gauss Minkowski Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 4 / 43 Point Lattices and Lattice Parameters (Point) Lattices Traditional area of mathematics ◦ ◦ ◦ Lagrange Gauss Minkowski Key to many algorithmic applications Cryptanalysis (e.g., breaking low-exponent RSA) Coding Theory (e.g., wireless communications) Optimization (e.g., Integer Programming with fixed number of variables) Cryptography (e.g., Cryptographic functions from worst-case complexity assumptions, Fully Homomorphic Encryption) Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 4 / 43 Point Lattices and Lattice Parameters Lattice Cryptography: a Timeline 1982: LLL basis reduction algorithm Traditional use of lattice algorithms as a cryptanalytic tool 1996: Ajtai's connection Relates average-case and worst-case complexity of lattice problems Application to one-way functions and collision resistant hashing 2002: Average-case/worst-case connection for structured lattices. Key to efficient lattice cryptography. 2005: (Quantum) Hardness of Learning With Errors (Regev) Similar to Ajtai's connection, but for injective functions Wide cryptographic applicability: PKE, IBE, ABE, FHE. Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 5 / 43 b1 b2 Other lattices are obtained by applying a linear transformation n d×n Λ = BZ (B 2 R ) Point Lattices and Lattice Parameters Lattices: Definition e1 e2 The simplest lattice in n-dimensional space is the integer lattice n Λ = Z Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43 Point Lattices and Lattice Parameters Lattices: Definition e1 b1 e2 b2 The simplest lattice in n-dimensional Other lattices are obtained by space is the integer lattice applying a linear transformation n n d×n Λ = Z Λ = BZ (B 2 R ) Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43 n = fBx: x 2 Z g The same lattice has many bases n X L = ci · Z i=1 Definition (Lattice) n A discrete additive subgroup of R Point Lattices and Lattice Parameters Lattices and Bases A lattice is the set of all integer linear combinations of (linearly n independent) basis vectors B = fb1;:::; bng ⊂ R : n X L = bi · Z i=1 b2 b1 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43 The same lattice has many bases n X L = ci · Z i=1 Definition (Lattice) n A discrete additive subgroup of R Point Lattices and Lattice Parameters Lattices and Bases A lattice is the set of all integer linear combinations of (linearly n independent) basis vectors B = fb1;:::; bng ⊂ R : n X n L = bi · Z = fBx: x 2 Z g i=1 b2 b1 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43 Definition (Lattice) n A discrete additive subgroup of R Point Lattices and Lattice Parameters Lattices and Bases A lattice is the set of all integer linear combinations of (linearly n independent) basis vectors B = fb1;:::; bng ⊂ R : n X n L = bi · Z = fBx: x 2 Z g i=1 The same lattice has many bases n X L = ci · Z c1 i=1 c2 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43 Point Lattices and Lattice Parameters Lattices and Bases A lattice is the set of all integer linear combinations of (linearly n independent) basis vectors B = fb1;:::; bng ⊂ R : n X n L = bi · Z = fBx: x 2 Z g i=1 The same lattice has many bases n X L = ci · Z i=1 Definition (Lattice) n A discrete additive subgroup of R Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43 Different bases define different fundamental regions All fundamental regions have the same volume The determinant of a lattice can be efficiently computed from any basis. Point Lattices and Lattice Parameters Determinant Definition (Determinant) P det(L) = volume of the fundamental region P = i bi · [0; 1) b2 P b1 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43 All fundamental regions have the same volume The determinant of a lattice can be efficiently computed from any basis. Point Lattices and Lattice Parameters Determinant Definition (Determinant) P det(L) = volume of the fundamental region P = i bi · [0; 1) Different bases define different fundamental regions b2 P b1 c1 c2 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43 The determinant of a lattice can be efficiently computed from any basis. Point Lattices and Lattice Parameters Determinant Definition (Determinant) P det(L) = volume of the fundamental region P = i bi · [0; 1) Different bases define different fundamental regions b2 All fundamental regions have the same P b1 volume c1 c2 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43 Point Lattices and Lattice Parameters Determinant Definition (Determinant) P det(L) = volume of the fundamental region P = i bi · [0; 1) Different bases define different fundamental regions b2 All fundamental regions have the same P b1 volume c1 The determinant of a lattice can be efficiently computed from any basis. c2 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43 Point Lattices and Lattice Parameters Density estimates Definition (Centered Fundamental Parallelepiped) P P = i bi · [−1=2; 1=2) vol(P(B)) = det(L) b2 n fx + P(B) j x 2 Lg partitions R b1 n For all sufficiently large S ⊆ R jS \ Lj ≈ vol(S)= det(L) Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 9 / 43 Minimum distance λ1 = min kx − yk x;y2L;x6=y = min kxk x2L;x6=0 Successive minima (i = 1;:::; n) λi = minfr : dim span(B(r) \L) ≥ ig Examples n Z : λ1 = λ2 = ::: = λn = 1 Always: λ1 ≤ λ2 ≤ ::: ≤ λn Point Lattices and Lattice Parameters Minimum Distance and Successive Minima Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43 Successive minima (i = 1;:::; n) λi = minfr : dim span(B(r) \L) ≥ ig Examples n Z : λ1 = λ2 = ::: = λn = 1 Always: λ1 ≤ λ2 ≤ ::: ≤ λn Point Lattices and Lattice Parameters Minimum Distance and Successive Minima Minimum distance λ1 = min kx − yk x;y2L;x6=y = min kxk x2L;x6=0 λ1 Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43 Examples n Z : λ1 = λ2 = ::: = λn = 1 Always: λ1 ≤ λ2 ≤ ::: ≤ λn Point Lattices and Lattice Parameters Minimum Distance and Successive Minima Minimum distance λ1 = min kx − yk x;y2L;x6=y = min kxk x2L;x6=0 λ1 Successive minima (i = 1;:::; n) λi = minfr : dim span(B(r) \L) ≥ ig Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43 Examples n Z : λ1 = λ2 = ::: = λn = 1 Always: λ1 ≤ λ2 ≤ ::: ≤ λn Point Lattices and Lattice Parameters Minimum Distance and Successive Minima Minimum distance λ1 = min kx − yk x;y2L;x6=y = min kxk x2L;x6=0 λ1 Successive minima (i = 1;:::; n) λi = minfr : dim span(B(r) \L) ≥ ig Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43 Examples n Z : λ1 = λ2 = ::: = λn = 1 Always: λ1 ≤ λ2 ≤ ::: ≤ λn Point Lattices and Lattice Parameters Minimum Distance and Successive Minima Minimum distance λ1 = min kx − yk x;y2L;x6=y = min kxk x2L;x6=0 λ 2 λ1 Successive minima (i = 1;:::; n) λi = minfr : dim span(B(r) \L) ≥ ig Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43 Point Lattices and Lattice Parameters Minimum Distance and Successive Minima Minimum distance λ1 = min kx − yk x;y2L;x6=y = min kxk x2L;x6=0 λ 2 λ1 Successive minima (i = 1;:::; n) λi = minfr : dim span(B(r) \L) ≥ ig Examples n Z : λ1 = λ2 = ::: = λn = 1 Always: λ1 ≤ λ2 ≤ ::: ≤ λn Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43 Covering radius µ(L) = max µ(t; L) t2span(L) Spheres of radius µ(L) centered around all lattice points cover the whole space Point Lattices and Lattice Parameters Distance Function and Covering Radius Distance function µ µ(t; L) = min kt − xk t x2L Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 11 / 43 Spheres of radius µ(L) centered around all lattice points cover the whole space Point Lattices and Lattice Parameters Distance Function and Covering Radius Distance function µ(t; L) = min kt − xk t x2L Covering radius µ(L) = max µ(t; L) µ t2span(L) Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 11 / 43 Point Lattices and Lattice Parameters Distance Function and Covering Radius Distance function µ(t; L) = min kt − xk x2L Covering radius µ(L) = max µ(t; L) t2span(L) Spheres of radius µ(L) centered around all lattice points cover the whole space Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 11 / 43 Point Lattices and Lattice Parameters Distance Function and Covering Radius Distance function µ(t; L) = min kt − xk x2L Covering radius µ(L) = max µ(t; L) t2span(L) Spheres of radius µ(L) centered around all lattice points cover the whole space Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 11 / 43 Point Lattices and Lattice Parameters Distance Function and Covering Radius Distance function µ(t; L) = min kt − xk x2L Covering radius µ(L) = max µ(t; L) t2span(L) Spheres of radius µ(L) centered around all lattice points cover the whole space Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 11 / 43 add noise to each lattice point .