improved reduction from bdd to usvp · prior works on bdd to usvp bdd 1 2= usvp bdd 1 = [lm09]...
TRANSCRIPT
Improved Reduction from BDD to USVP
Shi Bai, Damien Stehle, Weiqiang Wen
Ecole Normale Superieure de Lyon
ICALP, July 15, 2016, Rome, Italy
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 1 / 28
Bounded Distance Decoding (BDD) and unique Shortest Vector Problem (USVP)
α · λ1
cλ 1 t
s
0
Bounded Distance Decoding for α ≥ 0 (BDDα)
Input: B ∈ Qn×n, a vector t ∈ Qn such that dist(t,L(B)) ≤ α · λ1(B).Output: a lattice vector c ∈ L(B) closest to t.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 2 / 28
Bounded Distance Decoding (BDD) and unique Shortest Vector Problem (USVP)
λ 1λ2 =
γ · λ1s1
s2
0
Unique Shortest Vector Problem for γ ≥ 1 (USVPγ)
Input: B ∈ Qn×n such that λ2(L(B)) ≥ γ · λ1(L(B)).Output: a non-zero vector s1 ∈ L(B) of norm λ1(L(B)).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 2 / 28
Main result
Improved reduction from BDD to USVP
For 1 ≤ γ ≤ poly(n), we have
BDD1/(√
2γ) ≤ USVPγ .
BDD 1√2γ
USVPγ
Our reduction
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 3 / 28
Road map
• Background
• The Lyubashevsky and Micciancio reduction and its limitation
• New reduction:• lattice sparsification.• reduction for γ = 1.• sphere packing.
• Open problems
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 4 / 28
Lattices
b1
b2b1
b2
p1
p2
0
A definition of latticeGiven B = {b1, · · · ,bn} ⊆ Qm a set of linear independent vectors, thelattice L spanned by the b′is is
L(B) ={∑
i∈[n] uibi : u ∈ Zn}.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 5 / 28
Lattice Minima
0
Lattice minimumGiven a lattice L, the i-th minimum of L is defined as:
λi(L) = inf{r : dim(span(L ∩ B(0, r))) ≥ i}.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 6 / 28
Lattice Minima – first minimum
λ 1
s1
0
Lattice minimumGiven a lattice L, the i-th minimum of L is defined as:
λi(L) = inf{r : dim(span(L ∩ B(0, r))) ≥ i}.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 6 / 28
Lattice Minima – second minimum
λ 1 λ2
s1
s2
0
Lattice minimumGiven a lattice L, the i-th minimum of L is defined as:
λi(L) = inf{r : dim(span(L ∩ B(0, r))) ≥ i}.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 6 / 28
Why is BDD interesting?
α · λ1
cλ 1 t
s
0
I In cryptography:I Learning With Error (LWE) problem serves as a security foundation.I LWE is an average-case variant of BDD.
I In communication theory – white Gaussian noise channel:I Wifi, mobile phone etc;I View message as a lattice point, Gaussian noise is added in channel
transmission, decoding is solving BDD.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 7 / 28
Why is USVP interesting?
λ 1λ2 =
γ · λ1s1
s2
0
I Best known algorithm (especially in practice) for solving BDD is viasolving USVP:
I First, reduce BDD to USVP.I Second, solve USVP by lattice reduction, e.g., LLL and BKZ.
BDD 1poly(n)
and USVPpoly(n) are hard;
Best known algorithm takes exponential time in dimension n.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 8 / 28
Why is USVP interesting?
λ 1λ2 =
γ · λ1s1
s2
0
I Best known algorithm (especially in practice) for solving BDD is viasolving USVP:
I First, reduce BDD to USVP.I Second, solve USVP by lattice reduction, e.g., LLL and BKZ.
BDD 1poly(n)
and USVPpoly(n) are hard;
Best known algorithm takes exponential time in dimension n.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 8 / 28
Prior works on BDD to USVP
BDD 1α
α = 2γUSVPγ[LM09]
• Slightly improved for some α, Liu et al , 2014; Galbraith; Mic-ciancio, 2015.
[LM09]: V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem,CRYPTO, 2009.[LWXZ14]: M. Liu, X. Wang, G. Xu and X. Zheng. A note on BDD problems with λ2-gap. Inf. Process. Lett., 2014.[Ga15]: Private communication, 2015.[Mi15]: Private communication, 2015.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 9 / 28
Prior works on BDD to USVP
BDD 1α
α = 2γUSVPγ
BDD 1α
α = γ
[LM09]
There is a factor 2 to be improved.
[LM09]: V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem,CRYPTO, 2009.[LWXZ14]: M. Liu, X. Wang, G. Xu and X. Zheng. A note on BDD problems with λ2-gap. Inf. Process. Lett., 2014.[Ga15]: Private communication, 2015.[Mi15]: Private communication, 2015.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 9 / 28
Comparison with prior works
0.1
0.2
0.3
0.4
0.5
0.6
0.7
1 1.2 1.4 1.6 1.8 2 2.2 2.4
α
γ
Lyubashevsky and Micciancio, CRYPTO, 2009Liu et al , Inf. Process. Lett., 2014
Folklore (Galbraith; Micciancio)This work
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 10 / 28
The Lyubashevsky and Micciancio reduction
For any γ ≥ 1, we have
BDD1/(2γ) ≤ USVPγ .
BDD 12γ
USVPγ
[LM09]
[LM09]: V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distanceproblem, CRYPTO, 2009.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 11 / 28
Lyubashevsky-Micciancio reduction for γ = 1
I BDD1/2 instance: (L(b1), t).
BDD 12γ
B,
t
(n = 1, γ = 1)
b1 2b1
t0 λ1
λ1
2
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 12 / 28
Lyubashevsky-Micciancio reduction for γ = 1
I Lift vector t into a higher dimension space by λ1(L(b1))/2.
BDD 12γ
B,
t
(n = 1, γ = 1)
b1 2b1
(t, λ1
2 )
t0 λ1
λ1
2
λ1 2
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 12 / 28
Lyubashevsky-Micciancio reduction for γ = 1
I Kannan embedding.
BDD 12γ
B,
t
(n = 1, γ = 1)
Kannan
embeddingB′
uSVPγ′
B t
0 λ1
2γ
(n′ = 2, γ′ = 1)
b1 2b1
(t, λ1
2 )
t0
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 12 / 28
Lyubashevsky-Micciancio reduction for γ = 1
I We are at the limit: λ′1 = λ′2.
BDD 12γ
B,
t
(n = 1, γ = 1)
Kannan
embeddingB′
uSVPγ′
B t
0 λ1
2γ
(n′ = 2, γ′ = 1)
b1 2b1
(t, λ1
2 )
t0 λ1
2
λ1
√2
s1λ1√ 2
s2
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 12 / 28
This is the best this reduction can achieve
BDD 12
USVP1
(SVP)
[LM09]
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 13 / 28
Can we improve it?
BDD 12
USVP1
(SVP)
[LM09]
USVP>1
?
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 14 / 28
An attempt to circumvent the limitation
I Limitation in the Lyubushevsky and Micciancio reduction.
b1 2b1
(t, λ1
2 )
t0 λ1
2
λ1
√2
s1λ1√ 2
s2
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 15 / 28
An attempt to circumvent the limitation
I A simple deterministic sparsification.
I Lattice L(B) with B = [b1].
0
remove keep
t
b1 2b1
I Lattice L(B) with B = [2b1].
0
remove keep
t
b1 2b1
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 16 / 28
An attempt to circumvent the limitation
I A simple deterministic sparsification.
I Lattice L(B) with B = [b1].
0
remove keep
t
b1 2b1
I Lattice L(B) with B = [2b1].
0
remove keep
t
b1 2b1
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 16 / 28
An attempt to circumvent the limitation
I Recall the limitation: λ′2 = λ′1
b1 2b1
(t, λ1
2 )
t0 λ1
2
λ1
√2
s1λ1√ 2
s2
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 17 / 28
An attempt to circumvent the limitation
I Limitation is circumvented (for this example): λ′2 > λ′1 now!
2b1
(t, λ1
2 )
t0
s1
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 17 / 28
Main idea
I But we want more...
• keep only 1 closest vector to target t.• remove all other somewhat close N vectors to t.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 18 / 28
The main tool: sparsificationKhot’s Lattice Sparsification [K03] (Adapted by [S14])
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
Orginal lattice in dimension 2
0
p = 5, z = (1,2), w = (1,0)
(2, 2)
0
[K03]: S. Khot. Hardness of approximating the shortest vector problem in high Lp norms. FOCS’03, 2003.[S14]: N. Stephens-Davidowitz. Discrete Gaussian sampling reduces to CVP and SVP. In Proc. of SODA, 2016.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 19 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 1st sublattice:p = 5, z = (0, 0).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 2nd sublattice:p = 5, z = (0, 1).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 3rd sublattice:p = 5, z = (1, 0).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 4th sublattice:p = 5, z = (1, 1).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 5th sublattice:p = 5, z = (4, 1).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 6th sublattice:p = 5, z = (1, 2).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 1th shift: w = (0, 0).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 2nd shift: w = (1, 0).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 3rd shift: w = (1, 1).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 4th shift: w = (2, 1).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 5th shift: w = (2, 2).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 6th shift: w = (3, 2).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 7th shift: w = (3, 3).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 8th shift: w = (4, 3).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 9th shift: w = (4, 4).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
The main tool: sparsificationKhot’s Lattice Sparsification
Input: B ∈ Qn×n.Output: a *shifted* *sparsified* sub-lattice of L(B):
Lp,z + w = {x ∈ L(B) | 〈z,B−1(x− w)〉 = 0 mod p},
where p is a prime integer, z ∈ Znp and w = Bu for u← U(Zn
p).
0
I 7th sublattice:p = 5, z = (1, 3).
I 10th shift: w = (5, 4).
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 20 / 28
Main result of the sparsification
A probabilistic argument on Khot’s sparsification [S14]
Given a basis B, vectors v1, · · · , vN , x ∈ L(B), and B−1x /∈ {B−1vi}i≤N ,for any prime p, we have
Prz←↩U(Zn
q)
[x ∈ Lp,z + w
∀i, vi 6∈ Lp,z + w
]≥ 1
p− N
p2 −N
pn−1 ,
where w = Bu for u←↩ U(Znp).
1p− N
p2
is the (approximate) probability toI keep 1 point;
I remove N points.[S14]: N. Stephens-Davidowitz. Discrete Gaussian sampling reduces to CVP and SVP. In Proc. of SODA, 2016.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 21 / 28
New reduction for γ = 1
I BDD1/√
2 instance: (L(B), t).
λ1
√2
cp1(0)
p2 p3
t
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 22 / 28
New reduction for γ = 1
I Remove annoying points around the target t.
λ1
√2
remove keep
cp1(0)
p2 p3
t
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 22 / 28
How sparse?
Recall the probability to keep 1 point and remove N points:
1p− N
p2 .
I We want it to be at least 1poly(n) ;
I thus, p ≥ N and both should be ≤ poly(n).
We can sparsify the lattice by removing polynomially many points.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 23 / 28
How sparse?
Recall the probability to keep 1 point and remove N points:
1p− N
p2 .
I We want it to be at least 1poly(n) ;
I thus, p ≥ N and both should be ≤ poly(n).
We can sparsify the lattice by removing polynomially many points.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 23 / 28
How sparse?
Recall the probability to keep 1 point and remove N points:
1p− N
p2 .
I We want it to be at least 1poly(n) ;
I thus, p ≥ N and both should be ≤ poly(n).
We can sparsify the lattice by removing polynomially many points.
What is the worst-case list decoding radius?
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 24 / 28
Approaching the limit
Within λ1/√
2, adapted from [MG02, Th. 5.2]
For any n-dimensional lattice L and any vector t ∈ Span(L), we have#L ∩ B(t, λ1(L)/
√2) ≤ 2n.
cp1
p2 p3
tλ1(L)
√ 2
λ1(L)
λ1(L
)
Equator
North Pole
South Pole
[MG02]: D. Micciancio and S. Goldwasser. Complexity of lattice problem: A cryptography perspective. Kluwer, 2009.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 25 / 28
λ1/√
2 is the limit
Within λ1/√
2, adapted from [MG02, Th. 5.2]
For any n-dimensional lattice L and any vector t ∈ Span(L), we have#L ∩ B(t, λ1(L)/
√2) ≤ 2n.
cp1
p2 p3
tλ1(L)
√ 2
λ1(L)
λ1(L
)
Equator
North Pole
South Pole
Extremely dense lattice, adapted from [MG02, Lem. 4.1]
For any α > 1/√
2, there exists ε > 0 such that for any sufficiently large n we canfind an n-dimensional lattice L and a vector t ∈ Span(L), such that#L ∩ B(t, α · λ1(L)) ≥ 2nε
.
[MG02]: D. Micciancio and S. Goldwasser. Complexity of lattice problem: A cryptography perspective. Kluwer, 2009.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 25 / 28
Our result
BDD 1√2γ
γ = 1USVP>γ
This reduction algorithm also works for any γ with γ ≤ poly(n).
This algorithm actually works for any γ ≥ 1,thanks Stephens-Davidowitz for the observation.
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 26 / 28
Open problems
I The sparsification in our reduction heavily relies on randomness.
• Problem 1. Remove the sparsification randomness.
I In practice, randomly chosen lattice is sparse enough such that thereis almost no point within λ1/
√2-radius.
• Problem 2. Is sparsification just an artifact?
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 27 / 28
Open problems
I Conjecture: BDD and USVP are computationally identical.
BDD 1c·γ
= USVPγ
c ∈ [1,√
2]
• Problem 3. What is the constant c? Is c =√
2?
Bai, Stehle, Wen (ENS Lyon) Improved Reduction from BDD to USVP ICALP’16, Rome, Italy 28 / 28