On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
Vadim Lyubashevsky Daniele Micciancio
Lattices
Lattice: A discrete additive subgroup of R^n
Basis: A set of linearly independent vectors that generate the lattice.
Why are Lattices Interesting? (In Cryptography)
Ajtai ('96) showed that solving “average” instances of some lattice problem implies solving all instances of a lattice problem
Possible to base cryptography on worst-case instances of lattice problems
[Diagram: SIVP and Minicrypt primitives, labelled [Ajt '96,...]]
Shortest Independent Vector Problem (SIVP)
Find n short linearly independent vectors
Approximate Shortest Independent Vector Problem
Find n pretty short linearly independent vectors
[Diagram: SIVP, GapSVP and Minicrypt primitives; labels: n, [Ban '93], [Ajt '96,...]]
Minimum Distance Problem (GapSVP)
Find the minimum distance between the vectors in the lattice
[Diagram: SIVP, GapSVP, uSVP; Minicrypt primitives [Ajt '96,...]; Cryptosystems: Ajtai-Dwork '97, Regev '03; labels: n, [Ban '93]]
Unique Shortest Vector Problem (uSVP)
Find the shortest vector in a lattice in which the shortest vector is much smaller than the next non-parallel vector
[Diagram: GapSVP, BDD, uSVP, SIVP (quantum reduction); Minicrypt primitives [Ajt '96,...]; Cryptosystems: Ajtai-Dwork '97, Regev '03; Cryptosystems: Regev '05, Peikert '09; labels: n, ≈1, [Ban '93], [Reg '03], [Reg '05], [GG '97, Pei '09]]
Bounded Distance Decoding (BDD)
Given a target vector that's close to the lattice, find the nearest lattice vector
[Diagram: GapSVP, BDD, uSVP, SIVP (quantum reduction); Minicrypt primitives; Cryptosystems]
Cryptosystem Hardness Assumptions
Cryptosystem       uSVP       BDD        GapSVP     SIVP (quantum)
Ajtai-Dwork '97    O(n^2)     O(n^2)     O(n^2.5)   O(n^3)
Regev '03          O(n^1.5)   O(n^1.5)   O(n^2)     O(n^2.5)
Regev '05          -          -          -          O(n^1.5)
Peikert '09        O(n^1.5)   O(n^1.5)   O(n^2)     O(n^2.5)
Implications of our results
Lattice-Based Primitives
Minicrypt (all based on GapSVP and SIVP):
  One-way functions [Ajt '96]
  Collision-resistant hash functions [Ajt '96, MR '07]
  Identification schemes [MV '03, Lyu '08, KTX '08]
  Signature schemes [LM '08, GPV '08]
Public-Key Cryptosystems (all based on GapSVP and quantum SIVP):
  [AD '97] (uSVP)
  [Reg '03] (uSVP)
  [Reg '05] (SIVP and GapSVP under quantum reductions)
  [Pei '09] (GapSVP)
Major Open Problem: Construct cryptosystems based on SIVP
Reductions
[Diagram: reductions among GapSVP, BDD and uSVP]
Proof Sketch (BDD < uSVP)
New basis vector used exactly once in constructing the unique shortest vector
Subtracting unique shortest vector from new basis vector gives the closest point to the target.
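The embedding step of this proof sketch on a toy instance, as an added example that is not from the slides. The 2-dimensional basis, the target, the embedding factor m and the brute-force search standing in for a uSVP oracle are all assumptions of the example.

```python
from itertools import product

# Constructed toy instance (not from the slides): a reduced basis of a
# 2-dimensional integer lattice and a target near 3*b1 - 2*b2 = (17, -15).
BASIS = [(7, 1), (2, 9)]
TARGET = (18, -16)

def shortest_vector(basis, bound=5):
    """Stand-in for a uSVP oracle: exhaustive search over integer
    coefficients in [-bound, bound]. Only viable for toy dimensions."""
    best, best_norm2 = None, None
    dim = len(basis[0])
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        if not any(coeffs):
            continue  # skip the zero vector
        v = tuple(sum(c * row[j] for c, row in zip(coeffs, basis))
                  for j in range(dim))
        norm2 = sum(x * x for x in v)
        if best_norm2 is None or norm2 < best_norm2:
            best, best_norm2 = v, norm2
    return best

def bdd_via_usvp(basis, target, m=1, bound=5):
    """Solve BDD with one shortest-vector query on the embedded lattice.
    m is the embedding factor (an assumption of this example)."""
    # Add the new basis vector (target, m); old vectors get a trailing 0.
    embedded = [tuple(b) + (0,) for b in basis] + [tuple(target) + (m,)]
    s = shortest_vector(embedded, bound)
    # The new basis vector must be used exactly once (coefficient +1 or -1),
    # which shows up as +m or -m in the last coordinate.
    if abs(s[-1]) != m:
        raise ValueError("shortest vector does not use the new basis vector once")
    if s[-1] == -m:
        s = tuple(-x for x in s)
    # (target, m) - s = (closest lattice point, 0)
    return tuple(t - x for t, x in zip(target, s[:-1]))

if __name__ == "__main__":
    print(bdd_via_usvp(BASIS, TARGET))  # (17, -15)
```

With m chosen too large (for instance m=10 on this instance), an ordinary lattice vector becomes the shortest one and the function raises instead of returning a wrong point.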
Open Problems
Can we construct cryptosystems based on SIVP? (SVP would be even better!)
Can the reduction GapSVP < BDD be tightened?
Can the reduction BDD < uSVP be tightened?
Thanks!