This talk explores the quantitative hardness of the Closest Vector Problem (CVP) in lattice-based cryptography. It discusses the fine-grained complexity of CVP and its importance in practical security and key size selection. The speaker presents a fine-grained reduction from -SAT to CVP and its implications in proving the absence of a -time algorithm for CVP assuming the Strong Exponential Time Hypothesis (SETH). The talk also addresses open questions regarding the quantitative hardness of CVP and the Shortest Vector Problem (SVP).
On The Quantitative Hardness of the Closest Vector Problem
Huck Bennett (Northwestern University)
68th Midwest Theory Day (4/12/2018)
Based on joint work with: Alexander Golovnev (Columbia University and Yahoo Research), Noah Stephens-Davidowitz (Princeton University)
This talk Lattice-based cryptography Fine-grained complexity Quantitative hardness of CVP
Lattices • A lattice is the set of all integer combinations of some linearly independent vectors. • is the lattice generated by basis .
Lattices in Computer Science
• Lattice-based cryptography:
  • Conjectured to be secure against quantum attacks.
  • Based on worst-case hardness of lattice problems.
  • Encryption/decryption use simple operations.
  • Allows for new applications.
    • E.g., fully-homomorphic encryption.
• Algorithmic applications of lattices:
  • Integer programming.
  • Cryptanalysis.
  • Coding theory.
  • Many more.
The Closest Vector Problem (CVP)
• The -norm of for : .
• An instance of the Closest Vector Problem with respect to the -norm (CVPP) is a triple consisting of:
  • A basis matrix
  • A target vector
  • A distance threshold .
• Goal: Decide whether there exists such that .
The Complexity of CVP
• A long line of work has studied the complexity of CVP.
• Security of lattice-based cryptography is based on the hardness of related, easier problems.
• Quantitative hardness of CVP is necessary for practical security.
  • Important for picking key size.
  • E.g., a -time algorithm for CVP would break some cryptosystems [ADPS16, BCD+16].
(Figure: timeline of prior work) [Kan87] [MV13] [ADS15] Our work! [BGS17] [vEB81]
A fine-grained reduction from -SAT to CVP
• Strong Exponential Time Hypothesis (SETH): For every , there exists such that -SAT has no -time algorithm.
  • “Brute force -time is optimal for large .”
• Goal: Reduce a -SAT instance on variables to a CVP instance of rank for every .
  • Would prove that there is no -time algorithm for CVP assuming SETH.
• Reduction idea: A 0-1 combination of basis vectors will correspond to an assignment to .
  • Combinations corresponding to satisfying assignments will be closer to .
A First Reduction: 2-SAT to CVP
• Map a 2-SAT formula on variables to a CVP instance.
• Output instance: , .
  • 2 (# of negative literals in ).
• Only need to consider 0-1 combinations of basis vectors.
(Figure annotation: columns indexed by variables, rows indexed by clauses, two non-zero entries per row.)
A First Reduction: 2-SAT to CVP
• Example with:
  • and .
• Consider with:
  • .
• Want to analyze the contribution of each clause to :
  • Each satisfied clause contributes .
  • Each unsatisfied clause contributes .
• counts the number of clauses satisfied by !
Extending to larger : Isolating Parallelepipeds
• At most two numbers can be equidistant from a given number.
• Idea: Many vectors can be equidistant to a given vector.
• A collection of vectors and shift form a -isolating parallelepiped if:
  • for all
  • .
A Generalized Reduction: -SAT to CVP
• Reduction from 2-SAT:
  • Map a 2-SAT formula on variables to a CVP instance.
  • Output instance: , .
    • 2 (# of negative literals in ).
• Reduction from -SAT:
  • Assume a -isolating parallelepiped exists.
    • Formed by some .
  • Map a -SAT formula on variables to a CVP instance.
  • Output instance: , .
    • , summing over indices s of negative literals in .
  • Warning: Abuse of notation. Each is a vector.
    • Now each and denotes a block.
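The three slides above (the CVP definition, the 2-SAT reduction and its generalization through isolating parallelepipeds) can be exercised end to end in a few dozen lines. The block below is an added example and is not code from the talk or from its authors. It assumes the reading of the definition under which every non-zero 0-1 combination of the gadget vectors lies at distance exactly 1 from the shift and the shift itself lies strictly farther away, and it assumes the concrete 2-SAT gadget (basis entries ±2, target 3 minus 2 times the number of negative literals), which is my reconstruction from the partially extracted example numbers rather than something the page states in full. Distances are kept as p-th powers of the l_p norm so that everything stays in exact integer arithmetic, and the CVP side enumerates only 0-1 coefficient vectors, because the slide says those are the only ones that need to be considered (the mechanism enforcing that for arbitrary integer coefficients is not shown on the page).

```python
from itertools import product

# A clause is a tuple of non-zero ints: +i is the literal x_i, -i is NOT x_i
# (1-based variable indices).  A (p,k)-isolating parallelepiped is passed as
# (V, t): V is a list of k column vectors v_1..v_k, t a vector of the same
# length d.  All distances below are p-th powers of the l_p norm.


def dist_p(B, x, t, p):
    """p-th power of ||Bx - t||_p; B is a list of rows, x a coefficient vector."""
    return sum(abs(sum(b * xi for b, xi in zip(row, x)) - tj) ** p
               for row, tj in zip(B, t))


def is_isolating_parallelepiped(V, t, p):
    """Check the (p,k)-isolating parallelepiped condition as read from the
    slides (assumption): every non-zero 0-1 combination of the v_i is at l_p
    distance exactly 1 from t, and t itself is at distance strictly more than 1."""
    k, d = len(V), len(t)
    B = [[V[i][j] for i in range(k)] for j in range(d)]   # d x k matrix, columns v_i
    for x in product((0, 1), repeat=k):
        dp = dist_p(B, x, t, p)
        if any(x) and dp != 1:
            return False
        if not any(x) and dp <= 1:
            return False
    return True


# k = 2 gadget in dimension d = 1: v_1 = v_2 = (2), t = (3).  The non-zero 0-1
# combinations 2, 2, 4 all sit at distance 1 from 3, while 0 sits at distance 3,
# for every p >= 1.  Constants reconstructed from the slide's example (assumption).
GADGET_K2 = ([[2], [2]], [3])


def reduce_ksat_to_cvp(clauses, n_vars, gadget):
    """Map a k-CNF on n_vars variables to a CVP instance (B, t, r_p) of rank
    n_vars: one block of d rows per clause and one column per variable.  A
    positive literal x_i places v_i in column i of the block; a negative literal
    places -v_i and subtracts v_i from the block's target, so the gadget sees
    1 - x_i, the truth value of the literal.  r_p is the p-th power of the
    distance threshold: a 0-1 vector reaches it iff every clause contributes 1."""
    V, t = gadget
    k, d = len(V), len(t)
    B, target = [], []
    for clause in clauses:
        if len(clause) != k or len({abs(l) for l in clause}) != k:
            raise ValueError("each clause must hold exactly k distinct variables")
        block = [[0] * n_vars for _ in range(d)]
        tblock = list(t)
        for pos, lit in enumerate(clause):
            col = abs(lit) - 1
            for j in range(d):
                block[j][col] += (V[pos][j] if lit > 0 else -V[pos][j])
                if lit < 0:
                    tblock[j] -= V[pos][j]
        B.extend(block)
        target.extend(tblock)
    return B, target, len(clauses)


def cvp_decide_01(B, t, r_p, p, n_vars):
    """Decide the CVP instance over 0-1 coefficient vectors only (see lead-in)."""
    return min(dist_p(B, x, t, p) for x in product((0, 1), repeat=n_vars)) <= r_p


def clause_contributions(clauses, assignment, gadget, p):
    """Per-clause share of ||Bx - t||_p^p for a 0-1 assignment x: 1 for each
    satisfied clause, ||t||_p^p (3^p for GADGET_K2) for each unsatisfied one."""
    B, t, _ = reduce_ksat_to_cvp(clauses, len(assignment), gadget)
    d = len(gadget[1])
    return [dist_p(B[j * d:(j + 1) * d], assignment, t[j * d:(j + 1) * d], p)
            for j in range(len(clauses))]


def sat_brute_force(clauses, n_vars):
    """Reference answer: plain truth-table check of the formula."""
    return any(all(any((x[abs(l) - 1] == 1) == (l > 0) for l in c) for c in clauses)
               for x in product((0, 1), repeat=n_vars))


if __name__ == "__main__":
    sat_f = [(1, 2), (-1, 2), (1, -2)]      # constructed: satisfied by x = (1, 1)
    unsat_f = sat_f + [(-1, -2)]            # constructed: every assignment breaks one clause
    for p in (1, 2, 3):
        assert is_isolating_parallelepiped(*GADGET_K2, p)
        for f in (sat_f, unsat_f):
            B, t, r_p = reduce_ksat_to_cvp(f, 2, GADGET_K2)
            print(p, cvp_decide_01(B, t, r_p, p, 2), sat_brute_force(f, 2))
```

With the 1-row gadget the reduction produces exactly the matrix the slide describes: a row per clause with two non-zero entries ±2, and target 3 − 2·(number of negative literals). Because a satisfied clause block contributes 1 and an unsatisfied one contributes 3^p, the distance's p-th power equals (number of clauses) + (3^p − 1)·(number of unsatisfied clauses), which is why the threshold is just the clause count and why the same construction works for every p ≥ 1. Swapping in a (p,k)-isolating parallelepiped of width k for `GADGET_K2` is all the generalized reduction on the slide changes; existence of such gadgets is the content of Theorem 2 below, and this example does not construct them.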
Main Result
• Theorem 1: If -isolating parallelepipeds exist for some and every , then we can reduce -SAT instances on variables to CVP instances of rank for every .
• But when do isolating parallelepipeds even exist?
• Theorem 2: For every odd integer and every there exists a computable -isolating parallelepiped.
• Corollary: For every odd integer and for every constant , there is no -time algorithm for CVP instances on lattices of rank assuming SETH.
• Our approach extends to almost every and to .
  • There is a -time algorithm for the important Euclidean case, CVP [ADS15].
  • Our approach (provably) does not extend to even integers.
  • Unfortunately, 2 is an even integer.
Conclusion and Open Questions
• Our results:
  • Main result: There is no -time algorithm for CVPP assuming SETH for almost every .
    • Including odd integers, excluding even integers .
  • Hardness of approximation from (randomized) Gap-ETH for CVP for all .
  • Other quantitative hardness results for CVP, CVPP, and SVP.
• Open questions:
  • SETH-hardness of CVP2.
  • Quantitative hardness of the Shortest Vector Problem (SVP).
    • Addressed in recent work of Aggarwal and Stephens-Davidowitz (STOC 2018).
  • Improved quantitative hardness of approximation.
Constructing isolating parallelepipeds
• A sketch of the idea for constructing -isolating parallelepipeds:
  • Let have a row for each element in .
  • Set all entries of to .
  • Scale rows of of Hamming weight by .
    • Also scale corresponding entries of .
  • Then only depends on the Hamming weight of .
  • Use ideas from combinatorics and analysis to show that and exist so that satisfy -isolating parallelepiped conditions.
• , .