1 / 36

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio. Lattices. Lattice: A discrete additive subgroup of R n. Lattices. Basis: A set of linearly independent vectors that generate the lattice. Lattices.

axelle
Download Presentation

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio

  2. Lattices Lattice: A discrete additive subgroup of Rn

  3. Lattices Basis: A set of linearly independent vectors that generate the lattice.

  4. Lattices Basis: A set of linearly independent vectors that generate the lattice.

  5. Why are Lattices Interesting?(In Cryptography)‏ • Ajtai ('96) showed that solving “average” instances of some lattice problem implies solving all instances of a lattice problem • Possible to base cryptography on worst-case instances of lattice problems

  6. [Ajt '96,...] Minicrypt primitives SIVP

  7. Shortest Independent Vector Problem (SIVP)‏ Find n short linearly independent vectors

  8. Shortest Independent Vector Problem (SIVP)‏ Find n short linearly independent vectors

  9. Approximate Shortest Independent Vector Problem Find n pretty short linearly independent vectors

  10. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n GapSVP

  11. Minimum Distance Problem(GapSVP)‏ Find the minimum distance between the vectors in the lattice

  12. Minimum Distance Problem(GapSVP)‏ d Find the minimum distance between the vectors in the lattice

  13. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n GapSVP

  14. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n GapSVP Cryptosystems Ajtai-Dwork '97 Regev '03 uSVP

  15. Unique Shortest Vector Problem(uSVP)‏ Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

  16. Unique Shortest Vector Problem(uSVP)‏ Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector

  17. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n GapSVP ≈1 [Reg '03] Cryptosystems Ajtai-Dwork '97 Regev '03 uSVP

  18. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n (quantum reduction)‏ GapSVP Cryptosystem Regev '05 ≈1 [Reg '03] Cryptosystems Ajtai-Dwork '97 Regev '03 uSVP

  19. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n (quantum reduction)‏ GapSVP Cryptosystems Regev '05 Peikert '09 ≈1 [Reg '03] Cryptosystems Ajtai-Dwork '97 Regev '03 uSVP

  20. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n n (quantum reduction)‏ [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] ≈1 [Reg '03] Cryptosystems Ajtai-Dwork '97 Regev '03 uSVP

  21. Bounded Distance Decoding(BDD)‏ Given a target vector that's close to the lattice, find the nearest lattice vector

  22. [Ajt '96,...] Minicrypt primitives SIVP [Ban '93] n n (quantum reduction)‏ [Reg '05] GapSVP BDD Cryptosystems Regev '05 Peikert '09 [GG '97,Pei '09] 1 1 2 Cryptosystems Ajtai-Dwork '97 Regev '03 uSVP

  23. Minicrypt primitives SIVP (quantum reduction)‏ GapSVP BDD uSVP Crypto- systems

  24. Cryptosystem Hardness Assumptions Implications of our results

  25. Public-Key Cryptosystems [AD '97] (uSVP)‏ [Reg '03] (uSVP)‏ [Reg '05] (SIVP and GapSVP under quantum reductions)‏ [Pei '09] (GapSVP)‏ Lattice-Based Primitives Minicrypt • One-way functions [Ajt '96] • Collision-resistant hash functions [Ajt '96,MR '07] • Identification schemes [MV '03,Lyu '08, KTX '08] • Signature schemes [LM '08, GPV '08] All Based on GapSVP and quantum SIVP All Based on GapSVP and SIVP Major Open Problem: Construct cryptosystems based on SIVP

  26. Reductions GapSVP BDD 1 1 2 uSVP

  27. Proof Sketch (BDD < uSVP)‏

  28. Proof Sketch (BDD < uSVP)‏

  29. Proof Sketch (BDD < uSVP)‏

  30. Proof Sketch (BDD < uSVP)‏

  31. Proof Sketch (BDD < uSVP)‏

  32. Proof Sketch (BDD < uSVP)‏ New basis vector used exactly once in constructing the unique shortest vector

  33. Proof Sketch (BDD < uSVP)‏ New basis vector used exactly once in constructing the unique shortest vector

  34. Proof Sketch (BDD < uSVP)‏ New basis vector used exactly once in constructing the unique shortest vector Subtracting unique shortest vector from new basis vector gives the closest point to the target.

  35. Open Problems • Can we construct cryptosystems based on SIVP • (SVP would be even better!)‏ • Can the reduction GapSVP < BDD be tightened? • Can the reduction BDD < uSVP be tightened?

  36. Thanks!

More Related