The unique-SVP World
Shai Halevi, IBM, July 2009

[Slide 1] Outline
1. Ajtai-Dwork'97/07, Regev'03: PKE from worst-case u-SVP
2. Lyubashevsky-Micciancio'09: relations between worst-case u-SVP, BDD, Gap-SVP
Many slides stolen from Oded Regev, denoted by a marker on those slides.
[Slide 2] f(n)-unique-SVP
• Promise: the shortest vector u is shorter by a factor of f(n) (than any non-parallel lattice vector)
• Algorithm for 2^n-unique SVP [LLL 82, Schnorr 87]
• Believed to be hard for any polynomial n^c
  (figure: axis for f(n) from 1 through n^c, "believed hard", up to 2^n, "easy")

[Slide 3] Ajtai-Dwork & Regev'03 PKEs: roadmap
• Worst-case Search u-SVP
  - from Worst-case Decision u-SVP (AD97: geometric; Regev03: "Hensel lifting")
• Worst-case Decision u-SVP
  - from the "Worst-case Distinguisher", Wavy-vs-Uniform (basic intuition)
• "Worst-case Distinguisher": Wavy-vs-Uniform
  - nearly-trivial worst-case/average-case reductions
  - leftover hash lemma -> AD97 PKE: bit-by-bit, n-dimensional
    · amortizing by adding dimensions -> AD07 PKE: O(n) bits, n-dimensional
  - projecting to a line -> Regev03 PKE: bit-by-bit, 1-dimensional

[Slide 4] n-dimensional distributions
• Distinguish between the distributions: Wavy vs. Uniform
  (figure: wavy distribution, concentrated on parallel hyperplanes in a random direction, vs. uniform)

[Slide 5] Dual Lattice
• Given a lattice L, the dual lattice is L* = { x | for all y ∈ L, <x, y> ∈ Z }
  (figure: L with spacing 5 and L* with spacing 1/5)

[Slide 6] L* - the dual of L
  (figure: Case 1 and Case 2, with spacings n and 1/n between L and L*)

[Slide 7] Reduction
• Input: a basis B* for L*
• Produce a distribution that is:
  - wavy if L has a unique shortest vector (|u| ≤ 1/n)
  - uniform (on P(B*)) if λ1(L) > n
• Choose a point from a Gaussian of radius n, and reduce it mod P(B*)
  - conceptually, a "random L* point" with a Gaussian(√n) perturbation

[Slide 8] Creating the Distribution
  (figure: L* plus the perturbation, Case 1 and Case 2)

[Slide 9] Analyzing the Distribution
• Theorem (using [Banaszczyk'93]): the distribution obtained above depends only on the points in L of distance ≤ n from the origin (up to an exponentially small error)
• Therefore:
  - Case 1: determined by the multiples of u: wavy on hyperplanes orthogonal to u
  - Case 2: determined by the origin alone: uniform

[Slide 10] Proof of Theorem
• For a set A in R^n, define: (formula not preserved in the extracted text)
• Poisson Summation Formula implies: (formula not preserved in the extracted text)
• Banaszczyk's theorem: for any lattice L, (formula not preserved in the extracted text)

[Slide 11] Proof of Theorem (cont.)
• In Case 2, the distribution obtained is very close to uniform: (formula not preserved in the extracted text)
• Because: (formula not preserved in the extracted text)

[Slide 12] Roadmap
• Next: Worst-case Search u-SVP from Worst-case Decision u-SVP (AD97: geometric; Regev03: "Hensel lifting"), and Decision u-SVP from the Wavy-vs-Uniform distinguisher (basic intuition)

[Slide 13] Distinguish → Search, AD97
• Reminder: L* lives in the hyperplanes …, H_{-1}, H_0, H_1, … orthogonal to u
  (figure: u and the hyperplanes H_1, H_0, H_{-1})
• We want to identify u
  - using an oracle that distinguishes wavy distributions from uniform in P(B*)

[Slide 14] The plan
1. Use the oracle to distinguish points close to H_0 from points close to H_1
2. Then grow very long vectors that are rather close to H_0
3. This gives a very good approximation for u; then we use it to find u exactly

[Slide 15] Distinguishing H_0 from H_1
• Input: basis B* for L*, the approximate length of u, a point x, and access to the wavy/uniform distinguisher
• Decision: is x 1/poly(n)-close to H_0 or to H_1?
• Choose y from a wavy distribution near L*
  - y = Gaussian(s)* with s < 1/(2|u|)
• Pick a ∈_R [0, 1], set z = ax + y mod P(B*)
• Ask the oracle whether z is drawn from the wavy or the uniform distribution
  * Gaussian(s): variance s² in each coordinate

[Slide 16] Distinguishing H_0 from H_1 (cont.)
• Case 1: x close to H_0
  - ax is also close to H_0
  - ax + y mod P(B*) is close to L*: wavy
  (figure: x near H_0)

[Slide 17] Distinguishing H_0 from H_1 (cont.)
• Case 2: x close to H_1
  - ax is "in the middle" between H_0 and H_1
  - nearly uniform component in the u direction
  - ax + y mod P(B*) is nearly uniform in P(B*)
  (figure: x near H_1, with H_0)

[Slide 18] Distinguishing H_0 from H_1 (cont.)
• Repeat poly(n) times, take the majority
  - boosts the advantage to near-certainty
• Below we assume a "perfect distinguisher":
  - close to H_0: always says NO
  - close to H_1: always says YES
  - otherwise: no guarantees, except halting in polynomial time

[Slide 19] Growing Large Vectors
• Start from some x_0 between H_{-1} and H_{+1}
  - e.g. a random vector of length 1/|u|
• In each step, choose x_i s.t.
  - |x_i| ≈ 2|x_{i-1}|
  - x_i is somewhere between H_{-1} and H_{+1} (we'll see how in a minute)
• Keep going for poly(n) steps
• Result is x* between H_{±1}
  - very large, e.g. with |x*| = N/|u| for N = 2^{n²}

[Slide 20] From x_{i-1} to x_i
• Try poly(n) many candidates:
• Candidate w = 2x_{i-1} + Gaussian(1/|u|)
• For j = 1, …, m = poly(n):
  - w_j = (j/m)·w
  - check whether w_j is near H_0 or near H_1
  (figure: w_1, w_2, …, w_m = w)
• If none of the w_j's is near H_1, accept w and set x_i = w
• Else try another candidate

[Slide 21] From x_{i-1} to x_i: Analysis
• x_{i-1} between H_{±1} ⇒ w is between H_{±n}
  - except with exponentially small probability
• If w is NOT between H_{±1}, then some w_j is near H_{±1}
  - so w will be rejected
• So if we make progress, we know that we are on the right track

[Slide 22] From x_{i-1} to x_i: Analysis (cont.)
• With probability 1/poly(n), w is close to H_0
  - the component in the u direction is Gaussian with mean < 2/|u| and variance 1/|u|²
  (figure: 2x_{i-1} plus noise, near H_0)

[Slide 23] From x_{i-1} to x_i: Analysis (cont.)
• With probability 1/poly, w is close to H_0
  - the component in the u direction is Gaussian with mean < 2/|u| and standard deviation 1/|u|
• If w is close to H_0, all the w_j's are close to H_0
  - so w will be accepted
• After polynomially many candidates, we will make progress whp

[Slide 24] Finding u
• Find n−1 x*'s
  - x*_{t+1} is chosen orthogonal to x*_1, …, x*_t
  - by choosing the Gaussians in that subspace
• Compute u' ⊥ {x*_1, …, x*_{n-1}}, with |u'| = 1
  - u' is exponentially close to u/|u|
  - u/|u| = u' + e, |e| ≈ 1/N
  - can make N ≫ 2^n (e.g., N = 2^{n²})
• Diophantine approximation to solve for u (slide 71)

[Slide 25] Roadmap
• Done: Worst-case Search u-SVP from Worst-case Decision u-SVP (AD97: geometric; Regev03: "Hensel lifting", slide 47), and Decision u-SVP from the Wavy-vs-Uniform distinguisher
• Next: worst-case/average-case reduction + leftover hash lemma -> AD97 PKE: bit-by-bit, n-dimensional

[Slide 26] Average-case Distinguisher
• Intuition: the lattice only matters via the direction of u
• Security parameter n, another parameter N
• A random u in the n-dim. unit sphere defines D_u(N):
  - c = discrete-Gaussian(N) in one dimension
    · defines a vector x = c·u/<u, u>, namely x ∥ u and <x, u> = c
  - y = Gaussian(N) in the other n−1 dimensions
  - e = Gaussian(n^{-4}) in all n dimensions
  - output x + y + e
• The average-case problem:
  - distinguish D_u(N) from G(N) = Gaussian(N) + Gaussian(n^{-3})
  - for a noticeable fraction of the u's

[Slide 27] Worst-case/average-case (cont.)
• Thm: distinguishing D_u(N) from Uniform ⇒ distinguishing Wavy_{B*} from Uniform_{B*} for all B*
  - when you know λ1(L(B)) up to a (1 + 1/poly(n))-factor
  - for parameter N = 2^{Ω(n)}
• Pf: given B*, scale it s.t. λ1(L(B)) ∈ [1, 1 + 1/poly)
• Also apply a random rotation
• Given samples x (from Uniform_{B*} / Wavy_{B*}):
  - sample y = discrete-Gaussian_{B*}(N) (can do this for large enough N)
  - output z = x + y
• "Clearly" z is close to G(N) / D_u(N), respectively

[Slide 28] The AD97 Cryptosystem
• Secret key: a random u ∈ unit sphere
• Public key: n + m + 1 vectors (m = 8n log n)
  - b_1, …, b_n ← D_u(2^n); v_0, v_1, …, v_m ← D_u(n·2^n)
    · so <b_i, u>, <v_i, u> ≈ integer
    · we insist on <v_0, u> ≈ odd integer
• Will use P(b_1, …, b_n) for encryption
  - need P(b_1, …, b_n) with "width" > 2^n/n

[Slide 29] The AD97 Cryptosystem (cont.)
• Encryption(s):
  - c' = random-subset-sum(v_1, …, v_m) + s·v_0/2
  - output c = (c' + Gaussian(n^{-4})) mod P(B)
• Decryption(c):
  - if <u, c> is closer than 1/4 to an integer say 0, else say 1
• Correctness due to <b_i, u>, <v_j, u> ≈ integer
  - and the width of P(B)
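The cryptosystem of slides 26 to 29 as a scaled-down toy in Python. This is an added example, not Ajtai-Dwork's or the speaker's code, and everything in it is constructed: n = 6, N = 2^n for the b_i's and n·N for the v_i's, m = 8n·log2(n) rounded, the discrete Gaussian is approximated by rounding a continuous one, and the perturbation is 1e-9 rather than the scheme's n^{-4}, so that decryption of the toy never fails. The "width" condition on P(B) is not enforced, since it only enters the security argument. Reduction mod P(B) is done by solving for the coefficients of c' in the basis B and keeping their fractional parts.

```python
"""Toy Ajtai-Dwork '97 PKE following slides 26-29 (added example; not AD's code).
Constructed, scaled-down parameters; the perturbation is far below the real n^-4
so that floating-point decryption is exact here. Nothing in this toy is secure."""
import math
import random

n = 6
N = 2 ** n                          # b_i ~ D_u(N); v_i ~ D_u(n*N)
m = 8 * n * round(math.log2(n))     # 144 public vectors v_1..v_m
PERTURB = 1e-9                      # toy stand-in for Gaussian(n^-4)


def gaussian_vec(scale, rng):
    return [rng.gauss(0.0, scale) for _ in range(n)]


def sample_Du(u, scale, rng, odd=False):
    """One sample of D_u(scale): x = c*u with integer c (a rounded Gaussian stands in
    for the slide's discrete Gaussian), y = Gaussian(scale) in u^perp, e = tiny noise."""
    while True:
        c = round(rng.gauss(0.0, scale))
        if not odd or c % 2 == 1:            # v_0 must have <v_0,u> ~ odd integer
            break
    g = gaussian_vec(scale, rng)
    gu = sum(a * b for a, b in zip(g, u))
    y = [a - gu * b for a, b in zip(g, u)]    # project out the u direction
    e = gaussian_vec(PERTURB, rng)
    return [c * ui + yi + ei for ui, yi, ei in zip(u, y, e)]


def keygen(rng):
    g = gaussian_vec(1.0, rng)
    norm = math.sqrt(sum(x * x for x in g))
    u = [x / norm for x in g]                          # secret key: random unit vector
    B = [sample_Du(u, N, rng) for _ in range(n)]       # b_1..b_n, the columns of B
    v0 = sample_Du(u, n * N, rng, odd=True)
    V = [sample_Du(u, n * N, rng) for _ in range(m)]
    return u, (B, v0, V)


def solve(cols, rhs):
    """Solve A*k = rhs where A is given by its columns (Gauss-Jordan, partial pivoting)."""
    d = len(rhs)
    A = [[cols[j][i] for j in range(d)] + [rhs[i]] for i in range(d)]
    for col in range(d):
        piv = max(range(col, d), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(d):
            if r != col:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [A[i][d] for i in range(d)]


def reduce_mod_P(B, x):
    """x mod P(B): keep only the fractional parts of x's coordinates in basis B."""
    k = solve(B, x)
    frac = [ki - math.floor(ki) for ki in k]
    return [sum(f * B[j][i] for j, f in enumerate(frac)) for i in range(n)]


def encrypt(pk, bit, rng):
    B, v0, V = pk
    subset = [v for v in V if rng.random() < 0.5]      # random-subset-sum(v_1..v_m)
    c = [sum(v[i] for v in subset) + bit * v0[i] / 2 for i in range(n)]
    c = [ci + ei for ci, ei in zip(c, gaussian_vec(PERTURB, rng))]
    return reduce_mod_P(B, c)


def decrypt(u, c):
    d = sum(a * b for a, b in zip(u, c))
    return 0 if abs(d - round(d)) < 0.25 else 1        # slide 29's 1/4 rule


def count_failures(trials=25, seed=7):
    """Encrypt and decrypt both bits under `trials` fresh keys; returns the error count."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        u, pk = keygen(rng)
        for bit in (0, 1):
            if decrypt(u, encrypt(pk, bit, rng)) != bit:
                failures += 1
    return failures


if __name__ == "__main__":
    print("decryption failures:", count_failures())
```

The correctness argument of slide 29 is visible in the code: every <b_i, u> and <v_j, u> is an integer plus the perturbation, so the subset sum, the half of v_0 and the integer combination subtracted by the mod-P(B) step move <c, u> by an integer (plus accumulated perturbation) and by s/2.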
[Slide 30] AD97 Security
• The b_i's, v_i's are chosen from D_u(something)
• By the hardness assumption, they can't be distinguished from G_u(something)
• Claim: if they were from G_u(something), c would have no information on the bit s
  - proven by leftover hash lemma + smoothing
• Note: the v_i's have variance n² larger than the b_i's
  - in the G_u case v_i mod P(B) is nearly uniform

[Slide 31] AD97 Security (cont.)
• Partition P(B) into q^n cells, q ≈ n^7
• For each point v_i, consider the cell where it lies
  - r_i is the corner of that cell
• Σ_{i∈S} v_i mod P(B) = Σ_{i∈S} r_i mod P(B) + n^{-5} "error"
  - S is our random subset
• Σ_{i∈S} r_i mod P(B) is a nearly-random cell
  - we'll show this using leftover hash
• The Gaussian(n^{-4}) in c drowns the error term

[Slide 32] Leftover Hashing
• Consider the hash function H_R: {0,1}^m → [q]^n
  - the key is R = [r_1, …, r_m] ∈ [q]^{n×m}
  - the input is a bit vector b = [s_1, …, s_m]^T ∈ {0,1}^m
• H_R(b) = Rb mod q
• H is "pairwise independent" (well, almost..)
  - yay, let's use the leftover hash lemma
• (R, H_R(b)) and (R, U) are statistically close
  - for random R ∈ [q]^{n×m}, b ∈ {0,1}^m, U ∈ [q]^n
  - assuming m ≫ n log q
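An empirical check of the statement on slide 32, as an added example that is not part of the slides: for tiny constructed parameters (n = 2, q = 3, a few values of m) it computes, for each random key R, the exact distribution of H_R(b) = Rb mod q over all 2^m inputs, takes the statistical distance to the uniform distribution on [q]^n, and averages over keys, which is exactly the distance between (R, H_R(b)) and (R, U). The functions `hash_R`, `average_distance_to_uniform` and `lhl_bound` are mine; the bound (1/2)·√(q^n/2^m) is the leftover hash lemma's bound for a pairwise-independent family.

```python
"""Empirical leftover-hash-lemma check for H_R(b) = R*b mod q (added example)."""
import itertools
import random
from fractions import Fraction


def hash_R(R, b, q):
    """H_R(b) = R*b mod q; R is an n x m matrix over [q], b a 0/1 vector of length m."""
    return tuple(sum(r * x for r, x in zip(row, b)) % q for row in R)


def average_distance_to_uniform(n, q, m, keys=20, seed=1):
    """Average over random keys R of SD(H_R(b), U) with b uniform in {0,1}^m, U in [q]^n.
    Exact: every one of the 2^m inputs is enumerated for each key (tiny parameters only)."""
    rng = random.Random(seed)
    uniform = Fraction(1, q ** n)
    total = Fraction(0)
    for _ in range(keys):
        R = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]   # random key
        counts = {}
        for b in itertools.product((0, 1), repeat=m):                   # all inputs
            h = hash_R(R, b, q)
            counts[h] = counts.get(h, 0) + 1
        dist = Fraction(0)
        for h in itertools.product(range(q), repeat=n):                 # all outputs
            dist += abs(Fraction(counts.get(h, 0), 2 ** m) - uniform)
        total += dist / 2
    return total / keys


def lhl_bound(n, q, m):
    """Leftover hash lemma: SD <= (1/2) * sqrt(q^n / 2^m) for a pairwise-independent family
    (for prime q, R*(b - b') mod q is uniform whenever b != b', so the family qualifies)."""
    return 0.5 * (q ** n / 2 ** m) ** 0.5


if __name__ == "__main__":
    for m in (4, 8, 12):
        d = average_distance_to_uniform(2, 3, m)
        print(f"m={m:2d}  distance={float(d):.4f}  LHL bound={lhl_bound(2, 3, m):.4f}")
```

As m grows past n·log q the measured distance shrinks toward the lemma's bound, which is the "assuming m ≫ n log q" condition of the slide in numbers; with m small (2^m inputs spread over q^n outputs) the distance stays large no matter how the key is chosen.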
[Slide 33] AD97 Security (cont.)
• We proved Σ_S r_i mod P(B) is nearly random
• Recall:
  - c_0 = Σ_S r_i + error(n^{-5}) + Gaussian(n^{-4}) mod P(B)
• For any x and error e, |e| ≈ n^{-5}, the distributions x + e + Gaussian(n^{-5}) and x + Gaussian(n^{-4}) are statistically close
• So c_0 ≈ Σ_S r_i + Gaussian(n^{-3}) mod P(B)
  - which is close to uniform in P(B)
  - also c_1 = c_0 + v_0/2 mod P(B) is close to uniform

[Slide 34] Roadmap
• Covered: Worst-case Search u-SVP from Worst-case Decision u-SVP, from the worst-case Wavy-vs-Uniform distinguisher, from the average-case decision problem; leftover hash lemma -> AD97 PKE (bit-by-bit, n-dimensional); amortizing by adding dimensions -> AD07 PKE (O(n) bits, n-dimensional)
• Not today: projecting to a line (slide 60) -> Regev03 PKE (bit-by-bit, 1-dimensional)

[Slide 35] u-SVP vs. BDD vs. GAP-SVP
• Lyubashevsky-Micciancio, CRYPTO 2009
• Reductions (X → Y means: an oracle for Y solves X):
  - u.SVP_γ → Gap.SVP_γ (worst-case decision)
  - BDD_{1/γ} → u.SVP_{γ/2}
  - u.SVP_γ → BDD_{1/γ}
  - Gap.SVP_{γ√(n log n)} → BDD_{1/γ} (worst-case search)
• Good old-fashioned worst-case reductions
  - mostly Cook reductions (one Karp reduction)

[Slide 36] Reminder: u.SVP and BDD
• u.SVP_γ: γ-unique shortest vector problem
  - input: a basis B = (b_1, …, b_n)
  - promise: λ2(L(B)) > γ·λ1(L(B))
  - task: find the shortest nonzero vector in L(B)
• BDD_{1/γ}: 1/γ-bounded distance decoding
  - input: a basis B = (b_1, …, b_n), a point t
  - promise: dist(t, L(B)) < λ1(L(B))/γ
  - task: find the closest vector to t in L(B)

[Slide 37] BDD_{1/γ} → u.SVP_{γ/2}
• Input: a basis B = (b_1, …, b_n), a point t
  - assume that we know μ = dist(t, L(B)) (can get by with a good approximation for μ)
• Let B' = [[b_1 … b_n  t], [0 … 0  μ]], i.e. each b_i padded with a 0 coordinate and t padded with μ
  - let v ∈ L(B) be the closest to t, |t − v| = μ
  - will show that the vector [(t − v), μ]^T is the γ/2-unique shortest vector in L(B')
  - so u.SVP_{γ/2}(B') will return it
• The size of v' = [(t − v), μ]^T is (μ² + μ²)^{1/2} = √2·μ

[Slide 38] BDD_{1/γ} → u.SVP_{γ/2} (cont.)
• Every w' ∈ L(B') looks like w' = [βt − w, βμ]^T for some integer β and some w ∈ L(B)
  - write βt − w = (βv − w) − β(v − t)
  - βv − w ∈ L(B), nonzero if w' isn't a multiple of v'
  - so |βv − w| ≥ λ1; also recall |v − t| = μ (≤ λ1/γ)
  - |βt − w| ≥ |βv − w| − β|v − t| ≥ λ1 − βμ
  - |w'|² ≥ (λ1 − βμ)² + (βμ)² ≥ inf_{β∈R} [(λ1 − βμ)² + (βμ)²] = λ1²/2 ≥ (γμ)²/2
• So for any w' ∈ L(B') that is not a multiple of v', we have |w'| ≥ μγ/√2 = |v'|·γ/2

[Slide 39] u.SVP_γ → BDD_{1/γ}
• Input: a basis B = (b_1, b_2, …, b_n)
  - let r be a prime, r ≥ γ
• For i = 1, 2, …, n and j = 1, 2, …, r − 1:
  - B_i = (b_1, b_2, …, r·b_i, …, b_n), t_ij = j·b_i
  - let v_ij = BDD_{1/γ}(B_i, t_ij), w_ij = v_ij − t_ij
• Output the smallest nonzero w_ij in L(B)

[Slide 40] u.SVP_γ → BDD_{1/γ} (cont.)
• Let u be the shortest nonzero vector in L(B)
  - u = Σ x_i b_i; at least one x_i isn't divisible by r (otherwise u/r would also be in L(B))
  - let j = −x_i mod r, j ∈ {1, 2, …, r − 1}
• We will prove that for these i, j:
  - λ1(L(B_i)) > γ·λ1(L(B))
  - dist(t_ij, L(B_i)) ≤ λ1(L(B))

[Slide 41] u.SVP_γ → BDD_{1/γ} (cont.)
• The smallest multiple of u in L(B_i) is r·u
  - |r·u| = r·λ1(L(B)) ≥ γ·λ1(L(B))
  - any other vector in L(B_i) ⊆ L(B) is longer than γ·λ1(L(B)) (since L(B) is γ-unique)
  - ⇒ λ1(L(B_i)) ≥ γ·λ1(L(B))
• t_ij + u = j·b_i + Σ_m x_m b_m = (j + x_i)·b_i + Σ_{m≠i} x_m b_m ∈ L(B_i), since j + x_i is divisible by r
  - ⇒ dist(t_ij, L(B_i)) ≤ λ1(L(B))
  - ⇒ (B_i, t_ij) satisfies the promise of BDD_{1/γ}
  - ⇒ v_ij = BDD_{1/γ}(B_i, t_ij) is the closest to t_ij in L(B_i)
  - w_ij = v_ij − t_ij ∈ L(B), since t_ij ∈ L(B) and v_ij ∈ L(B_i) ⊆ L(B)
  - |w_ij| = λ1(L(B))
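The two reductions of slides 37 to 41 run on a toy 2-dimensional lattice, as an added example that is neither Lyubashevsky-Micciancio's nor the speaker's code. The lattice L(B) = {(a, 7b)} with basis (3,7), (1,0), the target t, and the brute-force enumerations standing in for the u.SVP and BDD oracles are all constructed for this demo (the enumeration bounds are only adequate for this lattice); `embedding_gap_squared` checks slide 38's bound |w'|² ≥ (γ/2)²·|v'|² numerically, and `usvp_via_bdd` is slide 39's loop over (i, j).

```python
"""Lyubashevsky-Micciancio reductions on a toy 2-D lattice (added example; not LM's code).
Brute-force 'oracles' over small integer coefficients stand in for uSVP/BDD solvers."""
from fractions import Fraction as F
from itertools import product


def combine(basis, coeffs):
    return tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(len(basis[0])))


def norm2(v):
    return sum(x * x for x in v)


def sub(v, w):
    return tuple(a - b for a, b in zip(v, w))


def enumerate_lattice(basis, bound):
    """All (coefficients, vector) pairs with integer coefficients in [-bound, bound]."""
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        yield coeffs, combine(basis, coeffs)


def usvp_oracle(basis, bound=12):
    """Shortest nonzero vector, returned as (coefficients, vector)."""
    return min(((c, v) for c, v in enumerate_lattice(basis, bound) if any(c)),
               key=lambda cv: norm2(cv[1]))


def bdd_oracle(basis, t, bound=25):
    """Closest lattice vector to t."""
    return min((v for _, v in enumerate_lattice(basis, bound)), key=lambda v: norm2(sub(v, t)))


def embedding_basis(basis, t, mu):
    """B' = [[B, t], [0, mu]] of slide 37: each b_i padded with 0, t padded with mu."""
    return [tuple(b) + (F(0),) for b in basis] + [tuple(t) + (mu,)]


def bdd_via_usvp(basis, t, mu):
    """BDD_{1/gamma} -> uSVP_{gamma/2}: run uSVP on B' and read v off v' = [(t - v), mu]^T."""
    _, vprime = usvp_oracle(embedding_basis(basis, t, mu))
    if vprime[-1] < 0:                       # the oracle may hand back -v'
        vprime = tuple(-x for x in vprime)
    assert vprime[-1] == mu                  # the last coordinate is mu, as slide 37 claims
    return sub(t, vprime[:-1])               # v = t - (t - v)


def embedding_gap_squared(basis, t, mu):
    """min |w'|^2 / |v'|^2 over w' in L(B') that are not multiples of v' (slide 38: >= (gamma/2)^2)."""
    ext = embedding_basis(basis, t, mu)
    c0, vprime = usvp_oracle(ext)

    def multiple_of_v(c):                    # integer multiples of v' have coefficients parallel to c0
        return all(c[i] * c0[j] == c[j] * c0[i] for i in range(len(c)) for j in range(len(c)))

    best = min(norm2(w) for c, w in enumerate_lattice(ext, 12) if not multiple_of_v(c))
    return best / norm2(vprime)


def usvp_via_bdd(basis, r):
    """uSVP_gamma -> BDD_{1/gamma} (slide 39) with a prime r >= gamma: smallest nonzero w_ij."""
    best = None
    for i in range(len(basis)):
        Bi = [tuple(r * x for x in b) if k == i else tuple(b) for k, b in enumerate(basis)]
        for j in range(1, r):
            t = tuple(j * x for x in basis[i])           # t_ij = j * b_i
            w = sub(bdd_oracle(Bi, t), t)                # w_ij in L(B): t in L(B), v in L(B_i)
            if any(w) and (best is None or norm2(w) < norm2(best)):
                best = w
    return best


# Constructed lattice L(B) = {(a, 7b)}: lambda_1 = 1 (u = (1,0)), lambda_2 = 7, so L(B) is 7-unique.
B = [(F(3), F(7)), (F(1), F(0))]
GAMMA = 7
T = (F(51, 10), F(7))        # (5,7) + (1/10, 0): within lambda_1/gamma = 1/7 of L(B)
MU = F(1, 10)                # dist(T, L(B))

if __name__ == "__main__":
    print(bdd_via_usvp(B, T, MU))            # closest vector (5, 7)
    print(embedding_gap_squared(B, T, MU))   # at least (GAMMA/2)^2 = 12.25
    print(usvp_via_bdd(B, GAMMA))            # a vector of length lambda_1 = 1
```

For this lattice the minimum over non-multiples in `embedding_gap_squared` is attained exactly at the λ1²/2 of slide 38's infimum (β = 5, where βμ = λ1/2), which is why the bound there is tight up to the factor (γμ)² ≤ λ1².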
[Slide 42] Reminder: Gap.SVP
• Gap.SVP_γ: decision version of approx-γ-SVP
  - input: basis B, number d
  - promise: either λ1(L(B)) ≤ d or λ1(L(B)) > γd
  - task: decide which is the case
• The reduction u.SVP_γ → Gap.SVP_γ is the same as Regev's Decision-to-Search u.SVP reduction (slide 47)

[Slide 43] Gap.SVP_{γ√(n log n)} → BDD_{1/γ}
• Inputs: basis B = (b_1, …, b_n), number d
• Repeat poly(n) times:
  - choose a random s_i of length ≤ d√(n log n)
  - set t_i = s_i mod B, run v_i = BDD_{1/γ}(B, t_i)
• Answer YES if ∃i s.t. v_i ≠ t_i − s_i, else NO
• Will show:
  - λ1(L(B)) > γ·d√(n log n) ⇒ v_i = t_i − s_i always
  - λ1(L(B)) ≤ d ⇒ v_i ≠ t_i − s_i with probability ≈ 1/2

[Slide 44] Case 1: λ1(L(B)) > γ√(n log n)·d
• Recall: |s_i| ≤ d√(n log n), t_i = s_i mod B
  - ⇒ t_i is ≤ d√(n log n) away from v_i := t_i − s_i ∈ L(B)
  - ⇒ (B, t_i) satisfies the promise of BDD_{1/γ}
  - ⇒ BDD_{1/γ}(B, t_i) will return some vector in L(B)
• Any other L(B) point has distance from t_i at least λ1(L(B)) − d√(n log n) > (γ − 1)·d√(n log n)
  - ⇒ v_i is the only answer that BDD_{1/γ}(B, t_i) can return

[Slide 45] Case 2: λ1(L(B)) ≤ d
• Let u be the shortest nonzero vector in L(B), |u| = λ1
• s_i is random in Ball(d√(n log n))
• With high probability s_i + u is also in the ball
  - t_i = s_i mod B could just as well have been chosen as t_i = (s_i + u) mod B
  - whatever BDD_{1/γ}(B, t_i) returns, it differs from t_i − s_i w.p. ≥ 1/2
  (figure: ball of radius d√(n log n) containing s_i and s_i + u)

[Slide 46] Backup Slides
1. Regev's Decision-to-Search u.SVP
2. Regev's dimension reduction
3. Diophantine Approximation

[Slide 47] u.SVP Decision → Search
• Search-u.SVP → Decision mod-p problem → Decision-u.SVP

[Slide 48] Reduction from: Decision mod-p
• Given a basis (v_1, …, v_n) for an n^{1.5}-unique lattice, and a prime p > n^{1.5}
• Assume the shortest vector is u = a_1 v_1 + a_2 v_2 + … + a_n v_n
• Decide whether a_1 is divisible by p

[Slide 49] Reduction to: Decision u.SVP
• Given a lattice, distinguish between:
  - Case 1: the shortest vector is of length 1/n and all non-parallel vectors are of length more than n
  - Case 2: the shortest vector is of length more than n

[Slide 50] The reduction
• Input: a basis (v_1, …, v_n) of an n^{1.5}-unique lattice
• Scale the lattice so that the shortest vector is of length 1/n
• Replace v_1 by p·v_1. Let M be the resulting lattice
• If p | a_1 then M has a shortest vector of length 1/n and all non-parallel vectors longer than n
• If p ∤ a_1 then M has a shortest vector longer than n

[Slide 51] The input lattice L
  (figure: L with the points −u, 0, u, 2u on a line at spacing 1/n, and spacing n in the non-parallel directions)

[Slide 52] The lattice M
• The lattice M is spanned by p·v_1, v_2, …, v_n:
• If p | a_1, then u = (a_1/p)·p·v_1 + a_2 v_2 + … + a_n v_n ∈ M
  (figure: M containing 0 and u at spacing 1/n, with spacing n otherwise)

[Slide 53] The lattice M
• The lattice M is spanned by p·v_1, v_2, …, v_n:
• If p ∤ a_1, then u ∉ M
  (figure: M containing −pu, 0, pu, with spacing n otherwise)

[Slide 54] u.SVP Decision → Search
• Search-u.SVP → Decision mod-p problem → Decision-u.SVP

[Slide 55] Reduction from: Decision mod-p
• Given a basis (v_1, …, v_n) for an n^{1.5}-unique lattice, and a prime p > n^{1.5}
• Assume the shortest vector is u = a_1 v_1 + a_2 v_2 + … + a_n v_n
• Decide whether a_1 is divisible by p

[Slide 56] The Reduction
• Idea: decrease the coefficients of the shortest vector
• If we find out that p | a_1 then we can replace the basis with p·v_1, v_2, …, v_n
• u is still in the new lattice: u = (a_1/p)·p·v_1 + a_2 v_2 + … + a_n v_n
• The same can be done whenever p | a_i for some i

[Slide 57] The Reduction
• But what if p ∤ a_i for all i?
• Consider the basis v_1, v_2 − v_1, v_3, …, v_n
• The shortest vector is u = (a_1 + a_2)·v_1 + a_2·(v_2 − v_1) + a_3 v_3 + … + a_n v_n
• The first coefficient is a_1 + a_2
• Similarly, we can set it to a_1 − ⌊p/2⌋a_2, …, a_1 − a_2, a_1 + a_2, …, a_1 + ⌊p/2⌋a_2
• One of them is divisible by p, so we choose it and continue

[Slide 58] The Reduction
• Repeating this process decreases the coefficients of u by a factor of p at a time
  - the basis that we started from had coefficients ≤ 2^{2n}
  - the coefficients are integers
  - after 2n² steps, all the coefficients but one must be zero
• The last vector standing must be u

[Slide 59] Regev's dimension reduction

[Slide 60] Reducing from n to 1 dimension
• Distinguish between the 1-dimensional distributions:
  (figure: Uniform on 0 … R−1 vs. Wavy on 0 … R−1)

[Slide 61] Reducing from n to 1 dimension
• First attempt: sample and project to a line
  (figure)

[Slide 62] Reducing from n to 1 dimension
• But then we lose the wavy structure!
• We should project only from points very close to the line

[Slide 63] The solution
• Use the periodicity of the distribution
• Project on a "dense line":
  (figure)

[Slide 64] The solution
  (figure)

[Slide 65] The solution
• We choose the line that connects the origin to e_1 + K·e_2 + K²·e_3 + … + K^{n−1}·e_n, where K is large enough
• The distance between hyperplanes is n
• The sides are of length 2^n
• Therefore, we choose K = 2^{O(n)}
• Hence, d < O(K^n) = 2^{O(n²)}

[Slide 66] Worst-case vs. Average-case
• So far: a problem that is hard in the worst case: distinguish between uniform and (d, γ)-wavy distributions for all integers d < 2^{n²}
• For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and (d, γ)-wavy distributions for a non-negligible fraction of d in [2^{n²}, 2·2^{n²}]

[Slide 67] Compressing
• The following procedure transforms (d, γ)-wavy into (2d, γ)-wavy for all integer d:
  - sample a from the distribution
  - return either a/2 or (a + R)/2, each with probability 1/2
• In general, for any real α ≥ 1, we can compress (d, γ)-wavy into (αd, γ)-wavy
• Notice that compressing preserves the uniform distribution
• We show a reduction from worst-case to average-case

[Slide 68] Reduction
• Assume there exists a distinguisher between uniform and (d, γ)-wavy distributions for some non-negligible fraction of d in [2^{n²}, 2·2^{n²}]
• Given either a uniform or a (d, γ)-wavy distribution for some integer d < 2^{n²}, repeat the following:
  - choose α in {1, …, 2·2^{n²}} according to a certain distribution
  - compress the distribution by α
  - check the distinguisher's acceptance probability
• If for some α the acceptance probability differs from that of uniform sequences, return "wavy"; otherwise, return "uniform"

[Slide 69] Reduction (cont.)
• If the distribution is uniform:
  - after compression it is still uniform
  - hence, the distinguisher's acceptance probability equals that of uniform sequences for all α
• If the distribution is (d, γ)-wavy:
  - after compression it is in the good range with some probability
  - hence, for some α, the distinguisher's acceptance probability differs from that of uniform sequences
  (figure: d on the axis, the good range from 2^{n²} to 2·2^{n²})

[Slide 70] Diophantine Approximation

[Slide 71] Solving for u (from slide 24)
• Recall: we have B = (b_1, …, b_n) and u'
  - the shortest vector u ∈ L(B) is u = Σ m_i b_i, |m_i| < 2^n
    · because the basis B is LLL reduced
  - u' is very close to u/|u|
    · u/|u| = u' + e, |e| ≈ 1/N, N ≫ 2^n (e.g., N = 2^{n²})
• Express u' = Σ x_i b_i (the x_i's are reals)
• Set ν_i = x_i/x_n for i = 1, …, n−1
  - ν_i is very close to m_i/m_n (ν_i·m_n = m_i + O(2^n/N))

[Slide 72] Diophantine Approximation
• Look for m_n < 2^n s.t. for all i, ν_i·m_n is ≤ 2^n/N away from an integer (for N = 2^{n²})
• Basis M (columns): e_1, …, e_{n−1} and (−ν_1, −ν_2, …, −ν_{n−1}, 1/N)^T, i.e.
  M = [[1, 0, …, 0, −ν_1], [0, 1, …, 0, −ν_2], …, [0, …, 1, −ν_{n−1}], [0, …, 0, 1/N]]
• The integer vector (m_1, …, m_n)^T maps to the short lattice point
  z = M·(m_1, …, m_n)^T = (m_1 − ν_1 m_n, …, m_{n−1} − ν_{n−1} m_n, m_n/N)^T = (O(2^n/N), …, O(2^n/N), m_n/N)^T
• z is the unique shortest vector in L(M) by a factor ≈ N/2^n
• Use LLL to find it
• Compute the m_i's and u

[Slide 73] Why is z unique-shortest?
• Assume we have another short vector y ∈ L(M)
  - m_n not much larger than 2^n, also the other m_i's
• Every small y ∈ L(M) corresponds to v ∈ L(B) such that v/|v| is very close to u' (angle θ ≈ 2^n/N)
  - so also v/|v| is very close to u/|u| (≈ 2^n/N)
  - smallish coefficients ⇒ v is not too long (≈ 2^{2n})
  - ⇒ v is very close to its projection on u (≈ 2^{3n}/N)
  - ⇒ ∃c s.t. (v − cu) ∈ L(B) is short, of length ≤ 2^{3n}/N + λ1/2 < λ1
  - ⇒ v must be a multiple of u
  (figure: v and u, with the gap ≈ 2^{3n}/N between v and its projection on u)