Download pdf - Improved Reduction from BDD to uSVP · Prior works on BDD to USVP BDD 1 2= USVP BDD 1 = [LM09] There is a factor 2 to be improved. [LM09]: V. Lyubashevsky and D. Micciancio. On bounded

Improved Reduction from BDD to USVP

Shi Bai, Damien Stehle, Weiqiang Wen

Ecole Normale Superieure de Lyon

ICALP, July 15, 2016, Rome, Italy

Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 1 / 28

Bounded Distance Decoding (BDD) and unique Shortest Vector Problem (USVP)

α · λ1

cλ 1 t

s

0

Bounded Distance Decoding for α ≥ 0 (BDDα)

Input: B ∈ Qn×n, a vector t ∈ Qn such that dist(t,L(B)) ≤ α · λ1(B).Output: a lattice vector c ∈ L(B) closest to t.


Bounded Distance Decoding (BDD) and unique Shortest Vector Problem (USVP)

λ 1λ2 =

γ · λ1s1

s2

0

Unique Shortest Vector Problem for γ ≥ 1 (USVPγ)

Input: B ∈ Qn×n such that λ2(L(B)) ≥ γ · λ1(L(B)).Output: a non-zero vector s1 ∈ L(B) of norm λ1(L(B)).


Main result

Improved reduction from BDD to USVP

For 1 ≤ γ ≤ poly(n), we have

BDD1/(√

2γ) ≤ USVPγ .

BDD 1√2γ

USVPγ

Our reduction


Road map

• Background

• The Lyubashevsky and Micciancio reduction and its limitation

• New reduction:• lattice sparsification.• reduction for γ = 1.• sphere packing.

• Open problems


Lattices

b1

b2b1

b2

p1

p2

0

A definition of latticeGiven B = {b1, · · · ,bn} ⊆ Qm a set of linear independent vectors, thelattice L spanned by the b′is is

L(B) ={∑

i∈[n] uibi : u ∈ Zn}.


Lattice Minima

0

Lattice minimumGiven a lattice L, the i-th minimum of L is defined as:

λi(L) = inf{r : dim(span(L ∩ B(0, r))) ≥ i}.


Lattice Minima – first minimum

λ 1

s1

0




Lattice Minima – second minimum

λ 1 λ2

s1

s2

0




Why is BDD interesting?

α · λ1

cλ 1 t

s

0

I In cryptography:I Learning With Error (LWE) problem serves as a security foundation.I LWE is an average-case variant of BDD.

I In communication theory – white Gaussian noise channel:I Wifi, mobile phone etc;I View message as a lattice point, Gaussian noise is added in channel

transmission, decoding is solving BDD.


Why is USVP interesting?

λ 1λ2 =

γ · λ1s1

s2

0

I Best known algorithm (especially in practice) for solving BDD is viasolving USVP:

I First, reduce BDD to USVP.I Second, solve USVP by lattice reduction, e.g., LLL and BKZ.

BDD 1poly(n)

and USVPpoly(n) are hard;

Best known algorithm takes exponential time in dimension n.


Why is USVP interesting?

λ 1λ2 =

γ · λ1s1

s2

0

I Best known algorithm (especially in practice) for solving BDD is viasolving USVP:

I First, reduce BDD to USVP.I Second, solve USVP by lattice reduction, e.g., LLL and BKZ.

BDD 1poly(n)

and USVPpoly(n) are hard;

Best known algorithm takes exponential time in dimension n.


Prior works on BDD to USVP

BDD 1α

α = 2γUSVPγ[LM09]

• Slightly improved for some α, Liu et al , 2014; Galbraith; Mic-ciancio, 2015.

[LM09]: V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem,CRYPTO, 2009.[LWXZ14]: M. Liu, X. Wang, G. Xu and X. Zheng. A note on BDD problems with λ2-gap. Inf. Process. Lett., 2014.[Ga15]: Private communication, 2015.[Mi15]: Private communication, 2015.


Prior works on BDD to USVP

BDD 1α

α = 2γUSVPγ

BDD 1α

α = γ

[LM09]

There is a factor 2 to be improved.

[LM09]: V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem,CRYPTO, 2009.[LWXZ14]: M. Liu, X. Wang, G. Xu and X. Zheng. A note on BDD problems with λ2-gap. Inf. Process. Lett., 2014.[Ga15]: Private communication, 2015.[Mi15]: Private communication, 2015.


Comparison with prior works

0.1

0.2

0.3

0.4

0.5

0.6

0.7

1 1.2 1.4 1.6 1.8 2 2.2 2.4

α

γ

Lyubashevsky and Micciancio, CRYPTO, 2009Liu et al , Inf. Process. Lett., 2014

Folklore (Galbraith; Micciancio)This work


The Lyubashevsky and Micciancio reduction

For any γ ≥ 1, we have

BDD1/(2γ) ≤ USVPγ .

BDD 12γ

USVPγ

[LM09]

[LM09]: V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distanceproblem, CRYPTO, 2009.


Lyubashevsky-Micciancio reduction for γ = 1

I BDD1/2 instance: (L(b1), t).

BDD 12γ

B,

t

(n = 1, γ = 1)

b1 2b1

t0 λ1

λ1

2



I Lift vector t into a higher dimension space by λ1(L(b1))/2.

BDD 12γ

B,

t

(n = 1, γ = 1)

b1 2b1

(t, λ1

2 )

t0 λ1

λ1

2

λ1 2



I Kannan embedding.

BDD 12γ

B,

t

(n = 1, γ = 1)

Kannan

embeddingB′

uSVPγ′

B t

0 λ1

2γ

(n′ = 2, γ′ = 1)

b1 2b1

(t, λ1

2 )

t0



I We are at the limit: λ′1 = λ′2.

BDD 12γ

B,

t

(n = 1, γ = 1)

Kannan

embeddingB′

uSVPγ′

B t

0 λ1

2γ

(n′ = 2, γ′ = 1)

b1 2b1

(t, λ1

2 )

t0 λ1

2

λ1

√2

s1λ1√ 2

s2


This is the best this reduction can achieve

BDD 12

USVP1

(SVP)

[LM09]


Can we improve it?

BDD 12

USVP1

(SVP)

[LM09]

USVP>1

?


An attempt to circumvent the limitation

I Limitation in the Lyubushevsky and Micciancio reduction.

b1 2b1

(t, λ1

2 )

t0 λ1

2

λ1

√2

s1λ1√ 2

s2



I A simple deterministic sparsification.

I Lattice L(B) with B = [b1].

0

remove keep

t

b1 2b1

I Lattice L(B) with B = [2b1].

0

remove keep

t

b1 2b1



I A simple deterministic sparsification.

I Lattice L(B) with B = [b1].

0

remove keep

t

b1 2b1

I Lattice L(B) with B = [2b1].

0

remove keep

t

b1 2b1



I Recall the limitation: λ′2 = λ′1

b1 2b1

(t, λ1

2 )

t0 λ1

2

λ1

√2

s1λ1√ 2

s2



I Limitation is circumvented (for this example): λ′2 > λ′1 now!

2b1

(t, λ1

2 )

t0

s1


Main idea

I But we want more...

• keep only 1 closest vector to target t.• remove all other somewhat close N vectors to t.


The main tool: sparsificationKhot’s Lattice Sparsification [K03] (Adapted by [S14])

Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):

Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},

where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn

p).

Orginal lattice in dimension 2

0

p = 5, z = (1,2), w = (1,0)

(2, 2)

0

[K03]: S. Khot. Hardness of approximating the shortest vector problem in high Lp norms. FOCS’03, 2003.[S14]: N. Stephens-Davidowitz. Discrete Gaussian sampling reduces to CVP and SVP. In Proc. of SODA, 2016.


The main tool: sparsificationKhot’s Lattice Sparsification




p).

0

I 1st sublattice:p = 5, z = (0, 0).






p).

0

I 2nd sublattice:p = 5, z = (0, 1).






p).

0

I 3rd sublattice:p = 5, z = (1, 0).






p).

0

I 4th sublattice:p = 5, z = (1, 1).






p).

0







p).

0







p).

0







p).

0


I 1th shift: w = (0, 0).






p).

0


I 2nd shift: w = (1, 0).






p).

0


I 3rd shift: w = (1, 1).






p).

0


I 4th shift: w = (2, 1).






p).

0


I 5th shift: w = (2, 2).






p).

0


I 6th shift: w = (3, 2).






p).

0


I 7th shift: w = (3, 3).






p).

0


I 8th shift: w = (4, 3).






p).

0


I 9th shift: w = (4, 4).






p).

0


I 10th shift: w = (5, 4).


Main result of the sparsification

A probabilistic argument on Khot’s sparsification [S14]

Given a basis B, vectors v1, · · · , vN , x ∈ L(B), and B−1x /∈ {B−1vi}i≤N ,for any prime p, we have

Prz←↩U(Zn

q)

[x ∈ Lp,z + w

∀i, vi 6∈ Lp,z + w

]≥ 1

p− N

p2 −N

pn−1 ,

where w = Bu for u←↩ U(Znp).

1p− N

p2

is the (approximate) probability toI keep 1 point;

I remove N points.[S14]: N. Stephens-Davidowitz. Discrete Gaussian sampling reduces to CVP and SVP. In Proc. of SODA, 2016.


New reduction for γ = 1

I BDD1/√

2 instance: (L(B), t).

λ1

√2

cp1(0)

p2 p3

t


New reduction for γ = 1

I Remove annoying points around the target t.

λ1

√2

remove keep

cp1(0)

p2 p3

t


How sparse?

Recall the probability to keep 1 point and remove N points:

1p− N

p2 .

I We want it to be at least 1poly(n) ;

I thus, p ≥ N and both should be ≤ poly(n).

We can sparsify the lattice by removing polynomially many points.


How sparse?


1p− N

p2 .





How sparse?


1p− N

p2 .




What is the worst-case list decoding radius?


Approaching the limit

Within λ1/√

2, adapted from [MG02, Th. 5.2]

For any n-dimensional lattice L and any vector t ∈ Span(L), we have#L ∩ B(t, λ1(L)/

√2) ≤ 2n.

cp1

p2 p3

tλ1(L)

√ 2

λ1(L)

λ1(L

)

Equator

North Pole

South Pole

[MG02]: D. Micciancio and S. Goldwasser. Complexity of lattice problem: A cryptography perspective. Kluwer, 2009.


λ1/√

2 is the limit

Within λ1/√

2, adapted from [MG02, Th. 5.2]

For any n-dimensional lattice L and any vector t ∈ Span(L), we have#L ∩ B(t, λ1(L)/

√2) ≤ 2n.

cp1

p2 p3

tλ1(L)

√ 2

λ1(L)

λ1(L

)

Equator

North Pole

South Pole

Extremely dense lattice, adapted from [MG02, Lem. 4.1]

For any α > 1/√

2, there exists ε > 0 such that for any sufficiently large n we canfind an n-dimensional lattice L and a vector t ∈ Span(L), such that#L ∩ B(t, α · λ1(L)) ≥ 2nε

.

[MG02]: D. Micciancio and S. Goldwasser. Complexity of lattice problem: A cryptography perspective. Kluwer, 2009.


Our result

BDD 1√2γ

γ = 1USVP>γ

This reduction algorithm also works for any γ with γ ≤ poly(n).

This algorithm actually works for any γ ≥ 1,thanks Stephens-Davidowitz for the observation.


Open problems

I The sparsification in our reduction heavily relies on randomness.

• Problem 1. Remove the sparsification randomness.

I In practice, randomly chosen lattice is sparse enough such that thereis almost no point within λ1/

√2-radius.

• Problem 2. Is sparsification just an artifact?


Open problems

I Conjecture: BDD and USVP are computationally identical.

BDD 1c·γ

= USVPγ

c ∈ [1,√

2]

• Problem 3. What is the constant c? Is c =√

2?
