Slide1
On the Smoothing Parameter of a Lattice
Daniel Dadush
Centrum Wiskunde & Informatica (CWI)
Joint work with K.M. Chung, F.H. Liu and C. Peikert
Slide2
Outline
Lattice Parameters / Hard Lattice Problems.
Worst Case to Average Case Reductions.
The Smoothing Parameter.
Results: Complexity upper bounds.
Geometric characterizations of the Smoothing Parameter.
A new analysis of the Goldreich-Goldwasser Protocol.
Slide3
A lattice is all integral combinations of a basis . Note: a lattice has many equivalent bases.
Lattices
Slide4
A lattice is all integral combinations of a basis . The determinant of is .
Lattices
Slide5
length of shortest non-zero vector of .
= length of shortest set of linearly independent vectors in . (for , is the length)
Lattice Parameters
Slide6
-GapSVP (Shortest Vector Problem)
Lattice , number
Yes instance:
No instance:
-SIVP (Shortest Independent Vectors Problem)
Lattice
Output linearly independent vectors in of length less than .
NP-hard for [Mic. 98, B.S. 99, Khot 04]
NP coNP for [A.R. 04, Mic. 08]
P for [Sch. 87, A.K.S 01, M.V. 10]
Lattice Problems
Slide7
-GapSVP (Shortest Vector Problem)
Lattice , number
Yes instance:
No instance:
-SIVP (Shortest Independent Vectors Problem)
Lattice
Output linearly independent vectors in of length less than .
NP-Hard NP coNP P
[Mic98, B.S99, Khot04] [A.R 04, Mic 08] [Sch. 87, A.K.S 01, M.V. 10]
Lattice Problems
Slide8
Cryptography
Alice wants to communicate securely with Bob.
Doesn’t want Eve to learn anything.
Alice, Bob, Eve
Slide9
Cryptography
Alice, Bob, Eve
Security of the encryption scheme must rely on average case hardness of some computational problem.
Slide10
Hard Problems based on Lattices
Short Integer Solution (SIS): [Ajtai '96]
Minicrypt: One Way Functions, PRFs, Signature Schemes, …
Learning with Errors (LWE): [Regev '05]
Cryptomania: Public Key, Identity Based Encryption, Encryption, Fully Homomorphic Encryption, …
Slide11
Hard Problems based on Lattices
Short Integer Solution (SIS): [Ajtai '96]
uniform. Find , s.t. with non-negligible probability.
Learning with Errors (LWE): [Regev '05]
uniform. Given independent samples of the form:
recover with high probability.
Slide12
Worst / Average Case reductions
Short Integer Solution (SIS): [Micciancio-Regev '04, Gentry-Peikert-Vaikuntanathan '08]
There is a classical PPT reduction from -GapSVP/SIVP to SIS ().
Learning with Errors (LWE): [Regev '05]
There is a quantum PPT reduction from -GapSVP/SIVP to LWE ( .
Slide13
Worst / Average Case reductions
SIVP: Lattice
Goal: Want to find many “short” vectors in .
SIVP to SIS reduction idea: [Ajtai '96]
Randomly generate short vectors for which there exists small integer combination (“modular” constraint)
Use SIS solver to find combination.
Slide14
Worst / Average Case reductions
How to sample [Micciancio-Regev 04]
Sample appropriately scaled spherical Gaussians.
Partition using
Slide15
Worst / Average Case reductions
How to sample
Round each to bottom left grid corner to get ’s.
Partition using
Slide16
Worst / Average Case reductions
How to sample
Round each to bottom left grid corner to get ’s.
Partition using
Slide17
Worst / Average Case reductions
How to sample
Condition is modular system in .
Partition using
Slide18
Worst / Average Case reductions
How to sample
Use SIS solver to find short combination in .
Partition using
Slide19
Worst / Average Case reductions
How to sample
Use SIS solver to find short combination in .
Question: Why can we guarantee that generate a nearly uniform modular system?
Need to control probability of landing in each residue class.
Slide20
Worst / Average Case reductions
For scaled spherical Gaussian, we need , , , , , , to be close to uniform.
Slide21
The Smoothing Parameter [M.R. 04]
For a lattice , basis , and let denote smallest such that for , we have , (density is pointwise within of uniform)
By definition, for .
Slide22
The Smoothing Parameter [M.R. 04]
What is distribution of ?
Slide23
The Smoothing Parameter [M.R. 04]
What is distribution of ?
-periodic function on
Slide24
The Smoothing Parameter [M.R. 04]
What is distribution of ?
Slide25
The Smoothing Parameter [M.R. 04]
uniform distribution
Slide26
The Smoothing Parameter [M.R. 04]
ratio should be bounded by
Slide27
The Smoothing Parameter [M.R. 04]
Must increase standard deviation to be smooth.
Slide28
The Smoothing Parameter [M.R. 04]
Must increase standard deviation to be smooth.
Sum is very close to uniform.
Slide29
The Smoothing Parameter [M.R. 04]
SIVP to SIS reduction: As long as we sample from for , , SIS solver will solve generated instances with noticeable probability.
Final Guarantee: Reduction will be able to generate linearly independent lattice vectors of length .
Slide30
The Smoothing Parameter [M.R. 04]
Modern worst case to average case reductions generally take the following form:
Compute lattice quantity (short vectors, discrete Gaussian samples, …) whose quality is bounded as a function of the Smoothing Parameter.
Deduce bounds on desired lattice parameter by relating it to the Smoothing Parameter.
Reductions “factor” through Smoothing Parameter.
Slide31
The Smoothing Parameter [M.R. 04]
Main Questions:
What is the complexity of approximating the Smoothing Parameter?
Are there useful alternative characterizations of the Smoothing Parameter?
What is the role of the smoothing error ?
Can we get tighter worst case to average case reductions?
Slide32
Dual Lattices
A lattice is all integral combinations of a basis.
The dual lattice is
is a basis matrix for .
Slide33
Dual Lattices
A lattice is all integral combinations of a basis.
The dual lattice is
is a basis matrix for .
Slide34
Equivalent Definition: Lattice , minimum such that
Equivalence by Poisson Summation Formula:
The Smoothing Parameter [M.R. 04]
Slide35
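A numerical check of the pointwise definition against the dual-lattice definition, as an added example that is not part of the talk. The formulas are not legible on the slides, so it assumes the standard [M.R. 04] forms (Gaussian weight exp(-pi|x|^2/s^2), and the smoothing parameter as the smallest s for which the weight of width 1/s on the nonzero dual vectors is at most eps); the sample lattice and all function names are constructed for illustration.

```python
import math
from itertools import product

def dual_basis(B):
    """Rows of B span a 2-D lattice L; return rows spanning the dual lattice."""
    (a, b), (c, d) = B
    det = a * d - b * c
    return [[d / det, -c / det], [-b / det, a / det]]

def gauss_mass(B, s, shift=(0.0, 0.0), skip_origin=False, R=12):
    """Sum of exp(-pi*|v+shift|^2/s^2) over v = i*B[0] + j*B[1] with |i|,|j| <= R."""
    total = 0.0
    for i, j in product(range(-R, R + 1), repeat=2):
        if skip_origin and i == 0 and j == 0:
            continue
        x = i * B[0][0] + j * B[1][0] + shift[0]
        y = i * B[0][1] + j * B[1][1] + shift[1]
        total += math.exp(-math.pi * (x * x + y * y) / (s * s))
    return total

def dual_tail(B, s):
    """Dual-lattice form: Gaussian weight of width 1/s on the nonzero dual vectors."""
    return gauss_mass(dual_basis(B), 1.0 / s, skip_origin=True)

def pointwise_deviation(B, s, t):
    """Pointwise form: |density at t of (width-s Gaussian mod L) / uniform density - 1|."""
    det = abs(B[0][0] * B[1][1] - B[0][1] * B[1][0])
    return abs(det / (s * s) * gauss_mass(B, s, shift=t) - 1.0)

def smoothing_parameter(B, eps, lo=1e-3, hi=50.0):
    """Smallest s with dual_tail(B, s) <= eps, by bisection (the tail decreases in s)."""
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (lo, mid) if dual_tail(B, mid) <= eps else (mid, hi)
    return hi

# Constructed sample lattice (assumption, not from the slides): basis rows (2, 0), (1, 3).
B = [[2.0, 0.0], [1.0, 3.0]]
EPS = 0.01

if __name__ == "__main__":
    eta = smoothing_parameter(B, EPS)
    print("smoothing parameter ~", round(eta, 4))
    for s in (eta / 2, eta, 2 * eta):
        # Worst pointwise deviation is at t = 0 and matches the dual tail (Poisson summation).
        print(round(s, 3), dual_tail(B, s), pointwise_deviation(B, s, (0.0, 0.0)))
```

Below the smoothing parameter the reduced Gaussian is visibly non-uniform; at and above it, the deviation at every shift stays within eps.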
, for [Banaszczyk 93, M.R. 04]
Remark: for .
In general, only get approximations.
Known Bounds
Slide36
Plan
Define Smoothing Parameter Problem / Provide Complexity Results.
Develop new geometric characterizations of the Smoothing Parameter.
Analyze Interactive Protocol for Approximating the Smoothing Parameter.
Slide37
Smoothing Parameter Problem
- : Lattice , number
YES instance:
NO instance:
Will discuss complexity for and .
Slide38
Arthur Merlin Protocols
A language if 2 round interactive protocol having
Completeness: prover s.t.
Soundness: provers P,
Merlin (Unbounded Prover), Arthur (PPT Verifier)
Arthur Accepts / Rejects
Slide39
Complexity of SVP
Complexity Upper Bounds:
- [Goldreich-Goldwasser 98]
- [Micciancio-Vadhan 03]
- [Aharonov-Regev 04]
[Micciancio-Voulgaris 10]
Lower Bounds:
- NP-Hard [Ajtai 98, Mic. 98, Khot 03,…]
Slide40
Complexity of GapSPP
Theorem: [Chung-D.-Liu-Peikert 13]
For +-+-+
- (stat. zero knowledge)
- [implicit M.R.04]
For
+-
Slide41
Complexity of GapSPP
Theorem: [Chung-D.-Liu-Peikert 13]
For +-+-+
- (stat. zero knowledge)
- [implicit M.R.04]
GapSPP is perhaps only “natural” problem in not known to be in NP or coNP.
Question: Is GapSPP SZK-Hard?
Slide42
Complexity of GapSPP
Theorem: [Chung-D.-Liu-Peikert 13]
For +-+- +-
(stat. zero knowledge) - [implicit M.R.04]
Use variants of Goldreich-Goldwasser protocol for GapSVP.
Slide43
Complexity of GapSPP
Theorem: [Chung-D.-Liu-Peikert 13]
For +-+- +-
(stat. zero knowledge) - [implicit M.R.04]
Use prover to lower bound . (use set size lower bound [Goldwasser-Sipser 86]).
Can implement prover in time.
Slide44
Complexity of GapSPP
Theorem: [Chung-D.-Liu-Peikert 13]
For +-+- +
- (stat. zero knowledge) - [implicit M.R.04]
Instance dependent commitment scheme:
Commit to , send , .
Similar to [Micciancio-Vadhan 03].
Slide45
Complexity of GapSPP
Theorem: [Chung-D.-Liu-Peikert 13]
For +-+- +
- (stat. zero knowledge) - [implicit M.R.04]
NP: Proof is short basis of .
coNP: Proof is short vector in .
Slide46
Comparison to SVP
Relation to GapSPP:
For any , and ,
- - - -
Furthermore,
)- -
Slide47
Worst / Average Case Reductions
Theorem: [Chung-D.-Liu-Peikert 13]
There is quantum PPT reduction from - ( = ) to LWE (.
Main Idea: Prover for our AM protocol can be efficiently implemented using an LWE oracle.
(use LWE to implement BDD oracle [Regev 05])
Slide48
Worst / Average Case Reductions
Theorem: [Chung-D.-Liu-Peikert 13]
There is quantum PPT reduction from - ( = ) to LWE (.
Theorem: [Implicit M.R. 04]
There is classical PPT reduction from - ( = ) to SIS (.
Slide49
Worst / Average Case Reductions
Theorem: [Chung-D.-Liu-Peikert 13]
There is quantum PPT reduction from - ( = ) to LWE (.
Conjecture:
There is classical PPT reduction from - ( = ) to SIS (.
Reduces to a conjectured alternate characterization of Smoothing Parameter.
Slide50
Worst / Average Case Reductions
Theorem: [Chung-D.-Liu-Peikert 13]
There is quantum PPT reduction from - ( = ) to LWE (.
Conjecture:
There is classical PPT reduction from - ( = ) to SIS (.
Main Issue: How do you detect whether below smoothing parameter if SIS oracle always answers?
Slide51
Lattice .
Goal: Prove that Shortest Vector in is large. (corresponds to being small)
YES instance:
NO instance:
Goldreich-Goldwasser Protocol
Slide52
,
Definition: )
Computes unique lattice shift of .
Goldreich-Goldwasser Protocol
Slide53
,
Definition: )
Consequence:
Goldreich-Goldwasser Protocol
Slide54
. Let .
Protocol: Arthur generates Uniform( . Sends to Merlin.
Goldreich-Goldwasser Protocol
Slide55
. Let .
Protocol: Merlin tries to reconstruct from . Sends his guess to Arthur.
Goldreich-Goldwasser Protocol
Slide56
. Let .
Protocol: Arthur accepts if and rejects o/w .
Goldreich-Goldwasser Protocol
Accept!
Slide57
Analysis Sketch: , .
YES instance: If map injective on Merlin can always guess correctly.
Goldreich-Goldwasser Protocol
Slide58
Analysis Sketch: , .
YES instance: Satisfied iff .
Holds here since (triangle inequality)
Goldreich-Goldwasser Protocol
Slide59
Analysis Sketch: , .
NO instance: Let be a shortest vector.
Goldreich-Goldwasser Protocol
uncertainty region
Slide60
Analysis Sketch: , .
NO instance: For any in intersection, .
Goldreich-Goldwasser Protocol
uncertainty region
Slide61
Analysis Sketch: , .
NO instance: As , Merlin can’t distinguish them.
Goldreich-Goldwasser Protocol
uncertainty region
Slide62
Analysis Sketch: , .
NO instance: If lands in ,
Goldreich-Goldwasser Protocol
uncertainty region
Slide63
Analysis Sketch: , .
Geometric Fact:
Goldreich-Goldwasser Protocol
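The protocol and analysis sketched on the slides above, simulated in two dimensions (an added example, not from the talk). The slide formulas did not survive, so these are assumptions: Arthur's point is uniform in a ball of radius r, he sends it reduced modulo the basis, and the YES lattice has shortest vector longer than 2r; both lattices and all function names are constructed for illustration.

```python
import math
import random

def sample_ball(r, rng):
    """Arthur's secret: a uniform point in the 2-D ball of radius r (rejection sampling)."""
    while True:
        x, y = rng.uniform(-r, r), rng.uniform(-r, r)
        if x * x + y * y <= r * r:
            return (x, y)

def reduce_mod_basis(p, B):
    """Shift p by a lattice vector into the parallelepiped spanned by the rows of B."""
    (a, b), (c, d) = B
    det = a * d - b * c
    u = (p[0] * d - p[1] * c) / det          # coordinates of p in the basis
    v = (p[1] * a - p[0] * b) / det
    fu, fv = math.floor(u), math.floor(v)
    return (p[0] - fu * a - fv * c, p[1] - fu * b - fv * d)

def merlin_guess(m, B, r, R=6):
    """A best reply for Merlin: the lattice shift of m inside the ball nearest the origin."""
    best = None
    for i in range(-R, R + 1):
        for j in range(-R, R + 1):
            q = (m[0] + i * B[0][0] + j * B[1][0], m[1] + i * B[0][1] + j * B[1][1])
            n2 = q[0] ** 2 + q[1] ** 2
            if n2 <= (r + 1e-9) ** 2 and (best is None or n2 < best[0]):
                best = (n2, q)
    return best[1]

def acceptance_rate(B, r, trials=2000, seed=1):
    """Run the protocol `trials` times; Arthur accepts iff Merlin returns his secret point."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        x = sample_ball(r, rng)
        guess = merlin_guess(reduce_mod_basis(x, B), B, r)
        accepted += math.dist(x, guess) < 1e-9
    return accepted / trials

# Constructed instances (assumptions): same lattice shape at two scales, radius r = 1.
RADIUS = 1.0
B_YES = [[3.0, 0.0], [0.0, 3.0]]   # shortest vector 3 > 2r: reduction is injective on the ball
B_NO = [[1.0, 0.0], [0.0, 1.0]]    # shortest vector 1: shifted balls overlap heavily

if __name__ == "__main__":
    print("YES instance acceptance:", acceptance_rate(B_YES, RADIUS))
    print("NO instance acceptance: ", acceptance_rate(B_NO, RADIUS))
```

On the NO lattice Merlin wins only when the secret point is the closest point of its coset to the origin, so the acceptance rate falls to roughly 1/pi.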
Slide64
Analysis Sketch: , .
NO instance: Merlin succeeds with probability at most .
Goldreich-Goldwasser Protocol
uncertainty region
Slide65
Inefficiency of GG applied to GapSVP:
Using only shortest vector information, cannot distinguish lattices with
Unique shortest vector.
Exponentially many shortest vectors.
Can only use pessimistic bounds on size of “uncertainty region”.
Goldreich-Goldwasser Protocol
Slide66
Goldreich-Goldwasser Protocol
Main Idea for GapSPP:
Apply variant of GG protocol. Use information
To get better control on size of uncertainty region for .
Slide67
For , and define where is the Euclidean ball.
Geometric Characterizations
Overlap fraction
Slide68
Geometric Characterizations
Ball Overlap Char.: [Chung-D.-Liu-Peikert 13]
Let , then
Slide69
define the Voronoi cell of as (points closer to than any other lattice point)
Geometric Characterizations
Slide70
Voronoi Cell Char.: [Chung-D.-Liu-Peikert 13]
Let , , and .
.
.
Geometric Characterizations
Slide71
Geometric Characterizations
Voronoi Cell Char. / Ball Overlap Char.
Voronoi Cell Characterization:
Allows for a Gaussian version of the Goldreich-Goldwasser protocol for -GapSPP.
Ball Overlap Characterization:
Enables direct application of Goldreich-Goldwasser to -GapSPP. Needed for SZK protocol.
Slide72
Smoothing Parameter Problem
Hence can reduce to working with non-equal in exchange for slight loss in approx. factor.
Lemma: For , there is a trivial reduction from - to - for .
-: Lattice , number
YES instance:
NO instance:
Here .
Slide73
Goldreich-Goldwasser for GapSPP
,
YES instance:
NO instance:
Protocol: Run Goldreich-Goldwasser on with radius .
Completeness: Merlin can guess correctly with probability .
Slide74
Goldreich-Goldwasser for GapSPP
,
YES instance:
NO instance:
Protocol: Run Goldreich-Goldwasser on with radius .
Soundness: Merlin can guess correctly with probability at most .
Slide75
Goldreich-Goldwasser for GapSPP
,
YES instance:
NO instance:
Protocol: Run Goldreich-Goldwasser on with radius .
Completeness / Soundness gap is
Slide76
.
Protocol: Arthur generates . Sends to Merlin.
Gaussian Goldreich-Goldwasser
Slide77
.
Protocol: Merlin tries to reconstruct from . Sends his guess to Arthur.
Gaussian Goldreich-Goldwasser
Slide78
.
Protocol: Arthur accepts if and rejects o/w .
Gaussian Goldreich-Goldwasser
Accept!
Slide79
.
Analysis: What is Merlin’s optimal strategy?
Gaussian Goldreich-Goldwasser
Slide80
.
Analysis: Wants to find such that is maximized.
Gaussian Goldreich-Goldwasser
Slide81
.
Analysis: Since is Gaussian this reduces to finding
Gaussian Goldreich-Goldwasser
Slide82
.
Analysis: By definition for optimal , .
Gaussian Goldreich-Goldwasser
Slide83
.
Analysis: Optimal prover succeeds iff lands in .
Gaussian Goldreich-Goldwasser
Slide84
.
Analysis: Merlin’s success probability .
Gaussian Goldreich-Goldwasser
Slide85
.
Voronoi Cell Characterization:
Gaussian Goldreich-Goldwasser
Slide86
Part 1:
Geometric Characterizations
Slide87
Equivalent to
Geometric Characterizations
Slide88
Geometric Characterizations
Slide89
Part 2:
Geometric Characterizations
Slide90
Equivalent to
Geometric Characterizations
Slide91
Lemma: For any symmetric set ,
Geometric Characterizations
Slide92
Geometric Characterizations
Slide93
Initiated study of complexity of Smoothing Parameter Problem. Exhibited its unique complexity theoretic properties.
Gave two new geometric characterizations of the Smoothing Parameter.
Presented tighter Worst Case to Average Case reduction from GapSPP to LWE.
Slide94
Better reduction from GapSPP to SIS.
Is - ( coNP-Hard for some ?
For which is - (in NP ? in coNP?
Relation to “statistical distance” smoothing parameter? (relax pointwise requirement).
What changes for ?
Slide95
Slide96
Smoothing Parameter Problem
Hence can reduce to working with non-equal in exchange for slight loss in approx. factor.
Lemma: For , there is a trivial reduction from - to - for .
Lemma: If , - trivially reduces to -
Slide97
Smoothing Parameter Problem
Lemma: For any , - - - - )- -
Proof Sketch of 1: Send instance to . Use to check that mapping preserves YES/NO instances.
Slide98
The Smoothing Parameter [M.R. 04]
Slide99
The Smoothing Parameter [M.R. 04]