explicit hard instances of the shortest vector problem
Johannes Buchmann, Richard Lindner, Markus Rückert
Outline
Motivation
Foundations
Construction
Experiments
Participation
Motivation
PQC schemes rely on lattice problems: GGH '96, NTRU '96, Regev '05, GPV '08
No unified comparison of lattice reduction
Other challenges based on secret GGH, NTRU
Foundations
Family of lattice classes
Definitions
Lattice: $\Lambda$, a discrete additive subgroup of $\mathbb{R}^m$
Class: $m = \lfloor c_1 n \ln(n) \rfloor$, $q = \lfloor n^{c_2} \rfloor$
For $X = (x_1,\dots,x_m) \in \mathbb{Z}_q^{n\times n}$:
$L(c_1, c_2, n, X) = \{ (v_1,\dots,v_m) \in \mathbb{Z}^m \mid \sum_i v_i x_i \equiv 0 \pmod{q} \}$
Class family: $\mathcal{L} = \{ L(c_1,c_2,n,\cdot) \mid c_1 \ge 2,\ c_2 < c_1 \ln(2),\ n \in \mathbb{N} \}$
Existence of Short Vector
Consider $v \in \{0,1\}^m$, $x_1,\dots,x_n \in \mathbb{Z}_q^{n\times n}$
The function $v \mapsto \sum_i v_i x_i \pmod{q}$ has collisions if $2^m > q^n$
The lattice $L(\dots,X) \in \mathcal{L}$ contains $v \in \{-1,0,1\}^m$, so $\|v\|^2 \le m$
Hardness of Challenge
Asymptotically: Ajtai, Cai/Nerurkar, Micciancio/Regev, Gentry et al.
Finding short vector $\Rightarrow$ Approx worst-case SVP
Practice: Gama and Nguyen
Challenges hard for $m \simeq 500$, intractable for $m \simeq 850$
Construction
Explicit Bases
Using randomness of $\pi$ digits
Choose $X \in \mathbb{Z}_q^{n\times n}$ randomly
Set $\Lambda = L(\dots,X) \in \mathcal{L}$
Construction via dual lattice basis
$B = (X^T \mid q I_m)$ spans $q\Lambda^{\perp}$
Turn $B$ into basis
Transform $B/q$ into dual basis
Experiments
Implementations
LLL-type
LLL — Shoup
fpLLL — Cadé, Stehlé
sLLL — Filipović, Koy
BKZ-type
BKZ — Shoup
PSR — Ludwig
PD — Filipović, Koy
Run on Opteron 2.6 GHz
Performance of LLL-type Algorithms
Performance of BKZ-type Algorithms
Participation
How to Participate
Go to www.LatticeChallenge.org
Download lattice basis $B_m$, norm bound $\nu$
Find $v$ in $\Lambda(B_m)$ such that $\|v\| < \nu$
Submit v
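
A local check of a candidate before submitting, matching the two conditions in the steps above: $v \in \Lambda(B_m)$ and $\|v\| < \nu$ (an added example, not the challenge site's own verifier). It assumes the basis is square with basis vectors as rows; `SAMPLE_BASIS` is a constructed 3-dimensional basis of $\{v : v_1 + 2v_2 + 3v_3 \equiv 0 \pmod 5\}$, not a downloaded challenge.

```python
from fractions import Fraction

# Constructed toy basis (rows are basis vectors); not a real challenge file.
SAMPLE_BASIS = [[5, 0, 0], [-2, 1, 0], [-3, 0, 1]]

def coordinates(basis, v):
    """Solve c * basis = v exactly over the rationals; None if basis is singular."""
    m = len(basis)
    # One equation per coordinate i: sum_j c_j * basis[j][i] = v[i].
    rows = [[Fraction(basis[j][i]) for j in range(m)] + [Fraction(v[i])]
            for i in range(m)]
    for col in range(m):
        piv = next((r for r in range(col, m) if rows[r][col] != 0), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        p = rows[col][col]
        rows[col] = [x / p for x in rows[col]]
        for r in range(m):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]

def accept(basis, v, nu):
    """True iff v is a nonzero lattice vector with Euclidean norm below nu."""
    if not any(v):
        return False                      # the zero vector is not a solution
    c = coordinates(basis, v)
    if c is None or any(x.denominator != 1 for x in c):
        return False                      # non-integer coordinates: not in lattice
    return sum(x * x for x in v) < nu * nu  # compare squared norms exactly

if __name__ == "__main__":
    for cand in [(1, 2, 0), (1, 1, 0), (5, 0, 0)]:
        print(cand, accept(SAMPLE_BASIS, cand, 3))
```

Exact rational arithmetic avoids the false accepts that floating-point rounding can cause when basis entries are large.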
www.LatticeChallenge.org
Successful Participants (chronological order)
Nicolas Gama, Phong Q. Nguyen
Moon Sung Lee
Markus Rückert
Panagiotis Voulgaris
Story
Participants found: solutions have many zeros
Strategy to focus on sublattices
Same observation as May, Silverman in 2001 working on NTRU
Led to Hybrid Lattice-Reduction proposed 2007 by Howgrave-Graham
Thank You
Questions?