We give a randomized $2^{n+o(n)}$-time and space algorithm for solving the Shortest Vector Problem (SVP) on $n$-dimensional Euclidean lattices. This improves on the previous fastest algorithm: the deterministic $O(4^n)$-time and $O(2^n)$-space algorithm of Micciancio and Voulgaris (STOC 2010, SIAM J. Comp. 2013). In fact, we give a conceptually simple algorithm that solves the (in our opinion, even more interesting) problem of discrete Gaussian sampling (DGS). More specifically, we show how to sample $2^{n/2}$ vectors from the discrete Gaussian distribution at any parameter in $2^{n+o(n)}$ time and space. (Prior work only solved DGS for very large parameters.) Our SVP result then follows from a natural reduction from SVP to DGS. In addition, we give a more refined algorithm for DGS above the so-called smoothing parameter of the lattice, which can generate $2^{n/2}$ discrete Gaussian samples in just $2^{n/2+o(n)}$ time and space. Among other things, this implies a $2^{n/2+o(n)}$-time and space algorithm for 1.93-approximate decision SVP.
We prove the following quantitative hardness results for the Shortest Vector Problem in the $\ell_p$ norm ($\mathrm{SVP}_p$), where $n$ is the rank of the input lattice.
We give a $2^{n+o(n)}$-time and space randomized algorithm for solving the exact Closest Vector Problem (CVP) on $n$-dimensional Euclidean lattices. This improves on the previous fastest algorithm, the deterministic $O(4^n)$-time and $O(2^n)$-space algorithm of Micciancio and Voulgaris [1]. We achieve our main result in three steps. First, we show how to modify the sampling algorithm from [2] to solve the problem of discrete Gaussian sampling over lattice shifts, $\mathcal{L} - t$, with very low parameters. While the actual algorithm is a natural generalization of [2], the analysis uses substantial new ideas. This yields a $2^{n+o(n)}$-time algorithm for approximate CVP with the very good approximation factor $\gamma = 1 + 2^{-o(n/\log n)}$. Second, we show that the approximate closest vectors to a target vector $t$ can be grouped into "lower-dimensional clusters," and we use this to obtain a recursive reduction from exact CVP to a variant of approximate CVP that "behaves well with these clusters." Third, we show that our discrete Gaussian sampling algorithm can be used to solve this variant of approximate CVP. The analysis depends crucially on some new properties of the discrete Gaussian distribution and approximate closest vectors, which might be of independent interest.
We give a polynomial-time quantum reduction from worst-case (ideal) lattice problems directly to decision (Ring-)LWE. This extends to decision all the worst-case hardness results that were previously known for the search version, for the same or even better parameters and with no algebraic restrictions on the modulus or number field. Indeed, our reduction is the first that works for decision Ring-LWE with any number field and any modulus.

CCS CONCEPTS: • Security and privacy → Mathematical foundations of cryptography; • Theory of computation → Computational complexity and cryptography.
For odd integers $p \geq 1$ (and $p = \infty$), we show that the Closest Vector Problem in the $\ell_p$ norm ($\mathrm{CVP}_p$) over rank $n$ lattices cannot be solved in $2^{(1-\varepsilon)n}$ time for any constant $\varepsilon > 0$ unless the Strong Exponential Time Hypothesis (SETH) fails. We then extend this result to "almost all" values of $p \geq 1$, not including the even integers. This comes tantalizingly close to settling the quantitative time complexity of the important special case of $\mathrm{CVP}_2$ (i.e., CVP in the Euclidean norm), for which a $2^{n+o(n)}$-time algorithm is known. In particular, our result applies for any $p = p(n) \neq 2$ that approaches 2 as $n \to \infty$. We also show a similar SETH-hardness result for $\mathrm{SVP}_\infty$; hardness of approximating $\mathrm{CVP}_p$ to within some constant factor under the so-called Gap-ETH assumption; and other quantitative hardness results for $\mathrm{CVP}_p$

WLTB11, Laa15, BDGL16], and there is some reason to believe that the provably correct [ADRS15] algorithm can be improved. In particular, there is a provably correct $2^{n/2+o(n)}$-time algorithm that approximates $\mathrm{SVP}_2$ up to a small constant approximation factor [ADRS15]. A different line of work extended the randomized sieving approach of [AKS01] to obtain $2^{O(n)}$-time algorithms for SVP in additional norms. In particular, Blömer and Naewe extended it to all $\ell_p$ norms [BN09]. Subsequent work extended this further, first to arbitrary symmetric norms [AJ08] and then to the "near-symmetric norms" that arise in integer programming [Dad12]. Finally, a third line of work extended the [AKS01] approach to approximate CVP. Ajtai, Kumar, and Sivakumar themselves showed a $2^{O(n)}$-time algorithm for approximating $\mathrm{CVP}_2$ to within any constant approximation factor strictly greater than one [AKS02]. Blömer and Naewe obtained the same result for all $\ell_p$ norms [BN09], and Dadush extended it further to arbitrary symmetric norms and again to "near-symmetric norms" [Dad12].
We stress, however, that none of these results apply to exact CVP, and indeed, there are some barriers to extending these algorithms to exact CVP. (See, e.g., [ADS15].)

Exact algorithms for CVP. Exact CVP appears to be a much more subtle problem than exact SVP. Indeed, progress on exact CVP has been much slower than the progress on exact SVP. Over a decade after [AKS01], Micciancio and Voulgaris presented the first $2^{O(n)}$-time algorithm for exact $\mathrm{CVP}_2$ [MV13], using elegant new techniques built upon the approach of Sommer, Feder, and Shalvi [SFS09]. Specifically, they achieved a running time of $4^{n+o(n)}$, and subsequent work even showed a running time of $2^{n+o(n)}$ for $\mathrm{CVP}_2$ with Preprocessing (in which the algorithm is allowed access to arbitrary advice that depends on the lattice but not the target vector; see Section 2.1) [BD15]. Later, [ADS15] showed a $2^{n+o(n)}$-time algorithm for $\mathrm{CVP}_2$, so that the current best known asymptotic running time is actually the same for $\mathrm{SVP}_2$ and $\mathrm{CVP}_2$. However, for $p \neq 2$, progress for exact $\mathrm{CVP}_p$ has been minimal. Indeed, the fastest known algorithms for exact $\mathrm{CVP}_p$ with $p \neq 2$ are still the $n^{O(n)}$-time enumeration algorithms first d...
Abstract. Recent revelations by Edward Snowden [PLS13, BBG13, Gre14] show that a user's own hardware and software can be used against her in various ways (e.g., to leak her private information). And, a series of recent announcements has shown that widespread implementations of cryptographic software often contain serious bugs that cripple security (e.g., [LHA+12, CVE14b, CVE14a, CVE14c]). This motivates us to consider the following (seemingly absurd) question: How can we guarantee a user's security when she may be using a malfunctioning or arbitrarily compromised machine? To that end, we introduce the notion of a cryptographic reverse firewall (RF). Such a machine sits between the user's computer and the outside world, potentially modifying the messages that she sends and receives as she engages in a cryptographic protocol. A good reverse firewall accomplishes three things: (1) it maintains functionality, so that if the user's computer is working correctly, the RF will not break the functionality of the underlying protocol; (2) it preserves security, so that regardless of how the user's machine behaves, the presence of the RF will provide the same security guarantees as the properly implemented protocol; and (3) it resists exfiltration, so that regardless of how the user's machine behaves, the presence of the RF will prevent the machine from leaking any information to the outside world. Importantly, we do not model the firewall as a trusted party. It does not share any secrets with the user, and the protocol should be both secure and functional without the firewall (when it is implemented correctly). Our security definition for reverse firewalls depends on the security notion(s) of the underlying protocol. As such, our model generalizes much prior work (e.g., [OO90, YY96, BBS98, BPR14a]) and provides a general framework for building cryptographic schemes that remain secure when run on compromised machines.
It is also a modern take on a line of work that received considerable attention in the 80s and 90s (e.g., [Sim84, Sim85, BD91, Des90, Des94, BDI+96, BBS98]). We show that our definition is achievable by constructing a private function evaluation protocol with a secure reverse firewall for each party. Along the way, we design an oblivious transfer protocol that also has a secure RF for each party, and a rerandomizable garbled circuit that is both more efficient and more secure than previous constructions. Finally, we show how to convert any protocol into a protocol with an exfiltration-resistant reverse firewall for all parties. (In other words, we provide a generic way to prevent a tampered machine from leaking information to an eavesdropper via any protocol.)
We present a substantially more efficient variant, both in terms of running time and size of preprocessing advice, of the algorithm by Liu, Lyubashevsky, and Micciancio [LLM06] for solving CVPP (the preprocessing version of the Closest Vector Problem, CVP) with a distance guarantee. For instance, for any $\alpha < 1/2$, our algorithm finds the (unique) closest lattice point for any target point whose distance from the lattice is at most $\alpha$ times the length of the shortest nonzero lattice vector, requires as preprocessing advice only $N \approx O(n \exp(\alpha^2 n/(1 - 2\alpha)^2))$ vectors, and runs in time $O(nN)$. As our second main contribution, we present reductions showing that it suffices to solve CVP, both in its plain and preprocessing versions, when the input target point is within some bounded distance of the lattice. The reductions are based on ideas due to Kannan [Kan87] and a recent sparsification technique [DK13]. Combining our reductions with the LLM algorithm gives an approximation factor of $O(n/\log n)$ for search CVPP, improving on the previous best of $O(n^{1.5})$ due to Lagarias, Lenstra, and Schnorr [LLS90]. When combined with our improved algorithm we obtain, somewhat surprisingly, that only $O(n)$ vectors of preprocessing advice are sufficient to solve CVPP with (the only slightly worse) approximation factor of $O(n)$.