computational complexity of lattice problems and cyclic … · · 2015-04-23computational...

Lattices Computational complexity Complexity of cyclic lattices Well-rounded cyclic lattices

Computational complexity of lattice problemsand cyclic lattices

Lenny FukshanskyClaremont McKenna College

Undergraduate Summer Research ProgramICERM - Brown University

July 28, 2014

Euclidean lattices

A lattice in Euclidean space Rn is a nonzero discrete subgroup. IfΛ ⊂ Rn is a lattice, then there exist R-linearly independent vectors

a1, . . . , ak ∈ Λ, 1 ≤ k ≤ n,

called a basis for Λ, such that

miai : mi ∈ Z

}= AZk ,

whereA = (a1 . . . ak)

is the corresponding n× k basis matrix. Then k is called the rankof Λ, and k = n if and only if the quotient group Rn/Λ is compact.

Examples of lattices in the plane

Square lattice Hexagonal lattice

(1 00 1

(1 1/2

Determinant of a lattice

Determinant or covolume of a lattice Λ = AZk ⊂ Rn is√det(AtA).

This is equal to the volume of the compact quotient V /Λ, where

V = spanR Λ

is a k-dimensional subspace of Rn.

Example of a fundamental domain

Hexagonal lattice fundamental domain

Example of a fundamental domain

Volume = det

(1 1/2

Successive minima

Let Bn be a unit ball centered at the origin in Rn. If Λ ⊂ Rn is alattice of rank k , then its successive minima

0 < λ1 ≤ λ2 ≤ · · · ≤ λkare real numbers such that

λiBn ∩ Λ

contains at least i linearly independent vectors for each 1 ≤ i ≤ k– we call these the vectors corresponding to successiveminima. They are not necessarily unique, but there are finitelymany of them.

Important remark

Vectors corresponding to successive minima do not necessarilyform a basis for the lattice. For instance, the 5-dimensional lattice

1 0 0 0 1/20 1 0 0 1/20 0 1 0 1/20 0 0 1 1/20 0 0 0 1/2

contains the standard basis vectors e1, . . . , e5, and hence

λ1 = · · · = λ5 = 1,

however these vectors do not span Λ over Z.

Lattice problems

This is a class of algorithmic optimization problems on lattices. Wewill consider two famous examples.

Definition 1 (Shortest Vector Problem – SVP)

Input: An n × n basis matrix A for a lattice Λ = AZn ⊂ Rn.Output: A shortest nonzero vector in Λ, i.e. x ∈ Λ such that

‖x‖ = min {‖y‖ : y ∈ Λ \ {0}} ,

where ‖ ‖ is Euclidean norm.

Remark 1

This is precisely a vector corresponding to λ1, the first successiveminimum.

Lattice problems

‖x‖ = min {‖y‖ : y ∈ Λ \ {0}} ,

Remark 1

Lattice problems

‖x‖ = min {‖y‖ : y ∈ Λ \ {0}} ,

Remark 1

Lattice problems

Definition 2 (Shortest Independent Vector Problem – SIVP)

Input: An n × n basis matrix A for a lattice Λ = AZn ⊂ Rn.Output: A collection of n shortest linearly independent vectors inΛ, i.e. linearly independent x1, . . . , xn ∈ Λ such that

‖xi‖ = λi .

Clearly SIVP should generally be harder than SVP.

Question 1

How much harder?

To answer this question, we need to explain how we measure“hardness”.

Lattice problems

‖xi‖ = λi .

Question 1

How much harder?

Lattice problems

‖xi‖ = λi .

Question 1

How much harder?

Lattice problems

‖xi‖ = λi .

Question 1

How much harder?

Turing machine

Device with a head and an infinite tape going through it:

Elementary operations: read 1 cell, write 1 cell, move tape left 1cell, move tape right 1 cell.

Example: a modern computer

Complexity classes: P and NP

Given an algorithmic problem, we can measure the size of its inputin number of bits of memory it takes to store it.

Definition 3

A problem is called polynomial if the number of elementaryoperations required to solve it on a Turing machine is polynomialin the size of the input. If this is the case, we say that the problemcan be solved in polynomial time. The class of all such problemsis denoted by P.

Definition 4

A problem is called non-deterministic polynomial if the numberof elementary operations required to verify a potential answer for iton a Turing machine is polynomial in the size of the input. If thisis the case, we say that the problem can be verified in polynomialtime. The class of all such problems is denoted by NP.

Definition 3

Definition 4

Definition 3

Definition 4

More complexity: NP-hard and NP-complete

It is clear that every problem which can be solved in polynomialtime, can be verified in polynomial time, and so

P ⊆ NP.

Definition 5

Informally speaking, a problem is called NP-hard if it is at least ashard as the hardest problem in NP. An NP-hard problem does notneed to be in NP.

Definition 6

A problem is called NP-complete if it is in NP and is NP-hard.

P ⊆ NP.

Definition 5

Definition 6

P ⊆ NP.

Definition 5

Definition 6

P vs NP: a million dollar problemOne of the seven Clay Millenium Prize Problems is the questionwhether

P = NP?

The problem was first posed in 1971 independently by StephenCook and Leonid Levin.

P vs NP: a million dollar problemOne of the seven Clay Millenium Prize Problems is the questionwhether

P = NP?

The problem was first posed in 1971 independently by StephenCook and Leonid Levin.

Complexity of lattice problems

SVP and SIVP are both known to be NP-hard. In fact, even theproblem of finding the first successive minimum λ1 (respectively,all successive minima λ1, . . . , λn) of a given lattice is NP-hard: itis as hard as SVP (respectively, SIVP).

Moreover –

Theorem 1 (SIVP to SVP reduction)

For lattices of rank n, there exists a polynomial time reductionalgorithm that, given an oracle for SVP, produces an approximatesolution to SIVP within an approximation factor of

√n – that is, a

collection of linearly independent vectors a1, a2, . . . , an ∈ Λ with

‖a1‖ ≤ ‖a2‖ ≤ · · · ≤ ‖an‖ ≤√

Complexity of lattice problems

SVP and SIVP are both known to be NP-hard. In fact, even theproblem of finding the first successive minimum λ1 (respectively,all successive minima λ1, . . . , λn) of a given lattice is NP-hard: itis as hard as SVP (respectively, SIVP). Moreover –

Theorem 1 (SIVP to SVP reduction)

For lattices of rank n, there exists a polynomial time reductionalgorithm that, given an oracle for SVP, produces an approximatesolution to SIVP within an approximation factor of

√n – that is, a

collection of linearly independent vectors a1, a2, . . . , an ∈ Λ with

‖a1‖ ≤ ‖a2‖ ≤ · · · ≤ ‖an‖ ≤√

Hard is good: cryptography connection

One of the main applications of lattice problems is cryptography.

Encryption algorithm is usually based on a very hard problem.

Some possible choices: SVP, SIVP.

Encryption challenge

A lattice-based cryptographic algorithm takes a basis matrix for alattice on the input.

If Λ ⊂ Rn has rank n, then the input sizeis n2. In order to make the message hard to decrypt for a hostileattacker, n should be large. But large size input slows down thealgorithm.

Question 2

Are there lattices which can be described by the input data of sizeless than n2?

A lattice-based cryptographic algorithm takes a basis matrix for alattice on the input. If Λ ⊂ Rn has rank n, then the input sizeis n2.

In order to make the message hard to decrypt for a hostileattacker, n should be large. But large size input slows down thealgorithm.

Question 2

A lattice-based cryptographic algorithm takes a basis matrix for alattice on the input. If Λ ⊂ Rn has rank n, then the input sizeis n2. In order to make the message hard to decrypt for a hostileattacker, n should be large.

But large size input slows down thealgorithm.

Question 2

A lattice-based cryptographic algorithm takes a basis matrix for alattice on the input. If Λ ⊂ Rn has rank n, then the input sizeis n2. In order to make the message hard to decrypt for a hostileattacker, n should be large. But large size input slows down thealgorithm.

Question 2

A lattice-based cryptographic algorithm takes a basis matrix for alattice on the input. If Λ ⊂ Rn has rank n, then the input sizeis n2. In order to make the message hard to decrypt for a hostileattacker, n should be large. But large size input slows down thealgorithm.

Question 2

Cyclic lattices: definition

Define the rotational shift operator on Rn, n ≥ 2, by

rot(x1, x2, . . . , xn−1, xn) = (xn, x1, x2, . . . , xn−1)

for every x = (x1, x2, . . . , xn−1, xn) ∈ Rn. We will write rotk foriterated application of rot k times for each k ∈ Z>0 (then rot0 isjust the identity map, and rotk = rotn+k). It is also easy to seethat rot (and hence each iteration rotk) is a linear operator. Asublattice Γ of Zn is called cyclic if rot(Γ) = Γ, i.e. if for everyx ∈ Γ, rot(x) ∈ Γ. Clearly, Zn itself is a cyclic lattice.

Cyclic lattices from ideals in Z[x ]/(xn − 1)Let

p(x) =n−1∑k=0

akxk ∈ Z[x ]/(xn − 1).

Define a map ρ : Z[x ]/(xn − 1)→ Zn by

ρ(p(x)) = (a0, . . . , an−1) ∈ Zn,

then for any ideal I ⊆ Z[x ]/(xn − 1), ρ(I ) is a sublattice of Zn offull rank. Notice that for every p(x) ∈ I ,

xp(x) = an−1 + a0x + a1x2 + · · ·+ an−2xn−1 ∈ I ,

and so

ρ(xp(x)) = (an−1, a0, a1, . . . , an−2) = rot(ρ(p(x))) ∈ ρ(I ).

In other words, Γ ⊆ Zn is a cyclic lattice if and only if Γ = ρ(I ) forsome ideal I ⊆ Z[x ]/(xn − 1).

Cyclic lattices in cryptosystems

Cyclic lattices were formally introduced for cryptographic use by D.Micciancio in 2002, but “in disguise” they were already usedearlier.

The NTRUEncrypt public key cryptosystem was introduced in1996 by J. Hoffstein, J. Pipher, and J. H. Silverman at BrownUniversity.

NTRUE is based on difficulty of factoring polynomials in the ringZ[x ]/(xn − 1), which is closely related to lattice reduction, i.e.,solving SVP, SIVP on cyclic lattices.

This motivates studying cyclic lattices more in depth.

Cyclic lattices: basic properties - 1

Definition 7

For a vector a ∈ Zn, define

Λ(a) = spanZ{

a, rot(a), . . . , rotn−1(a)}.

This is always a cyclic lattice.

Question 3

What is the rank of Λ(a)?

Lemma 2

Let a ∈ Zn and let pa(x) ∈ Z[x ]/(xn − 1) be a polynomial withcoefficient vector a. Then a, rot(a), . . . , rotn−1(a) are linearlydependent if and only if pa(x) is divisible by some cyclotomicpolynomial divisor of xn − 1.

Definition 7

Λ(a) = spanZ{

a, rot(a), . . . , rotn−1(a)}.

Question 3

Lemma 2

Definition 7

Λ(a) = spanZ{

a, rot(a), . . . , rotn−1(a)}.

Question 3

Lemma 2

LetCnR = {x ∈ Rn : |x| := max{|x1|, . . . , |xn|} ≤ R}

for every R ∈ R>0, i.e. CnR is a cube of side-length 2R centered at

the origin in Rn.

Lemma 3

Let R > n−12 , then

Prob∞,R (rk(Λ(a)) = n) ≥ 1− n

2R + 1,

where probability Prob∞,R(·) is with respect to the uniformdistribution among all points a in the set Cn

R ∩ Zn.

LetCnR = {x ∈ Rn : |x| := max{|x1|, . . . , |xn|} ≤ R}

for every R ∈ R>0, i.e. CnR is a cube of side-length 2R centered at

the origin in Rn.

Lemma 3

Let R > n−12 , then

Prob∞,R (rk(Λ(a)) = n) ≥ 1− n

2R + 1,

where probability Prob∞,R(·) is with respect to the uniformdistribution among all points a in the set Cn

R ∩ Zn.

Cyclic lattices: cryptographic use

Hence if we pick a ∈ Zn with large |a|, the probability that

rk(Λ(a)) = n

is high, and the size of the input data necessary to describe thislattice is only n. This observation makes cyclic lattices veryattractive for cryptographic purposes.

Question 4

But are cyclic lattices hard enough? In other words, are SVP, SIVPstill NP-hard on cyclic lattices?

This is an open question, but many people believe that the answeris yes, at least in the worst case.

rk(Λ(a)) = n

Question 4

rk(Λ(a)) = n

Question 4

SIVP to SVP on cyclic lattices

On the other hand, there is some indication that SIVP is at leasteasier on cyclic lattices than on generic lattices.

Theorem 4 (Peikert, Rosen (2005))

Let n be a prime and let Λ ⊂ Rn be a lattice of rank n. Thereexists a polynomial time algorithm that, given an oracle for SVP,produces an approximate solution to SIVP on Λ within anapproximation factor of 2. In other words, given a1 ∈ Λ with‖a1‖ = λ1 we can find a collection of linearly independent vectorsa1, a2, . . . , an ∈ Λ with

‖a1‖ ≤ ‖a2‖ ≤ · · · ≤ ‖an‖ ≤ 2λn

polynomial time. Moreover, only one call to the oracle is necessary.

SIVP to SVP on cyclic lattices

On the other hand, there is some indication that SIVP is at leasteasier on cyclic lattices than on generic lattices.

Theorem 4 (Peikert, Rosen (2005))

Let n be a prime and let Λ ⊂ Rn be a lattice of rank n. Thereexists a polynomial time algorithm that, given an oracle for SVP,produces an approximate solution to SIVP on Λ within anapproximation factor of 2. In other words, given a1 ∈ Λ with‖a1‖ = λ1 we can find a collection of linearly independent vectorsa1, a2, . . . , an ∈ Λ with

‖a1‖ ≤ ‖a2‖ ≤ · · · ≤ ‖an‖ ≤ 2λn

polynomial time. Moreover, only one call to the oracle is necessary.

Well-rounded lattices

More generally, we can show that for every n, SIVP is equivalentto SVP on a positive proportion of cyclic lattices. To explain whatthis means, we need more notation.

A lattice Γ ⊂ Rn of rank n is called well-rounded (abbreviatedWR) if

λ1(Γ) = · · · = λn(Γ).

Notice that for a WR lattice, finding λ1 is equivalent to finding allsuccessive minima.

λ1(Γ) = · · · = λn(Γ).

WR cyclic latticesLet Cn be the set of all full rank cyclic sublattices of Zn.

Question 5

Which lattices in Cn are WR?

Theorem 5 (F., Sun (2013))

For each dimension n ≥ 2, there exist real constants

0 < αn ≤ βn ≤ 1,

depending only on n, such that

αn ≤# {Γ ∈ Cn : λn(Γ) ≤ R, Γ is WR}

# {Γ ∈ Cn : λn(Γ) ≤ R}≤ βn as R →∞. (1)

For instance, one can take α2 = 0.261386... and β2 = 0.348652...,meaning that between 26% and 35% of full rank cyclic sublatticesof Z2 are WR.

Question 5

0 < αn ≤ βn ≤ 1,

# {Γ ∈ Cn : λn(Γ) ≤ R}≤ βn as R →∞. (1)

Question 5

0 < αn ≤ βn ≤ 1,

# {Γ ∈ Cn : λn(Γ) ≤ R}≤ βn as R →∞. (1)

SVP - SIVP equivalenceWe prove that SVP and SIVP are equivalent on a positiveproportion of WR cyclic lattices in every dimension, hence -

Corollary 6 (F., Sun (2013))

Let R ∈ R>0, then

# {Γ ∈ Cn : λn(Γ) ≤ R, SVP ≡ SIVP on Γ}# {Γ ∈ Cn : λn(Γ) ≤ R}

�n 1 as R →∞.

Let k1, . . . , kn−1 ∈ Z be nonzero integers, m = lcm(k1, . . . , kn−1),and

k1, . . . ,

kn−1

∈ Zn.

There exists an integer l , depending only on n, such that whenever|k1|, . . . , |kn−1| ≥ l , SVP ≡ SIVP on Λ(a).

Let R ∈ R>0, then

�n 1 as R →∞.

k1, . . . ,

kn−1

∈ Zn.

Let R ∈ R>0, then

�n 1 as R →∞.

k1, . . . ,

kn−1

∈ Zn.

Some of my work with students on WR latticesWR lattices are important in discrete optimization, algebraicnumber theory, coding theory, cohomology computations ofarithmetic groups, etc. Some of my additional recent work withgraduate and undergraduate students on WR lattices includes:

Claremont Colleges NSF REU - 2009

• L. F., D. Moore, R. A. Ohana, W. Zeldow. On well-roundedsublattices of the hexagonal lattice, Discrete Mathematics310 (2010), no. 23, 3287–3302.

Claremont Fletcher Jones Fellowship Program - 2011

• L. F., G. Henshaw, P. Liao, M. Prince, X. Sun, S. Whitehead.On integral well-rounded lattices in the plane, Discreteand Computational Geometry, vol. 48 no. 3 (2012), pg.735–748.

• L. F., G. Henshaw, P. Liao, M. Prince, X. Sun, S. Whitehead.On well-rounded ideal lattices - II, International Journal ofNumber Theory, vol. 9 no. 1 (2013) pg. 139–154.

Some of my work with students on WR latticesWR lattices are important in discrete optimization, algebraicnumber theory, coding theory, cohomology computations ofarithmetic groups, etc. Some of my additional recent work withgraduate and undergraduate students on WR lattices includes:Claremont Colleges NSF REU - 2009

Thank you!

computational complexity of lattice problems and cyclic … · · 2015-04-23computational...

Documents