Fast Fourier Orthogonalization

The classical fast Fourier transform (FFT) makes it possible to compute in quasi-linear time the product of two polynomials in the circular convolution ring R[x]/(x^d - 1), a task that naively requires quadratic time. Equivalently, it accelerates matrix-vector products when the matrix is circulant. In this work, we discover that the ideas of the FFT can be applied to speed up the orthogonalization process of matrices with circulant blocks of size d × d. We show that, when d is composite, it is possible to carry out the orthogonalization in an inductive way, up to an appropriate re-indexation of rows and columns. This leads to a structured Gram-Schmidt decomposition. In turn, this structured Gram-Schmidt decomposition accelerates a cornerstone lattice algorithm: the nearest plane algorithm. The complexity of both algorithms may be brought down to Θ(d log d). Our results easily extend to cyclotomic rings, and can be adapted to Gaussian samplers. This finds applications in lattice-based cryptography, improving the performance of trapdoor functions.
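As an added illustration (not code from the paper), the following Python shows the two facts the abstract builds on: the FFT turns the circulant product u·C(f) = u*f in R[x]/(x^d - 1) into a quasi-linear pointwise product, and for even d the even/odd re-indexation of rows and columns turns the d × d circulant C(f) into a 2 × 2 block matrix of (d/2) × (d/2) circulants, which is the inductive step the structured orthogonalization exploits. Function names and the sample polynomials are my own choices.

```python
import cmath

def circulant(f):
    """d x d circulant matrix of f: row i holds x^i * f(x) mod (x^d - 1)."""
    d = len(f)
    return [[f[(j - i) % d] for j in range(d)] for i in range(d)]

def fft(a):
    """Radix-2 recursive FFT; len(a) must be a power of two."""
    n = len(a)
    if n == 1:
        return [complex(a[0])]
    even, odd = fft(a[0::2]), fft(a[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def mul_fft(u, f):
    """u * f in R[x]/(x^d - 1) in O(d log d): pointwise product in the Fourier domain."""
    prod = [a * b for a, b in zip(fft(u), fft(f))]
    inv = fft([z.conjugate() for z in prod])            # inverse FFT via conjugation
    return [round((z.conjugate() / len(f)).real, 9) for z in inv]

def mul_naive(u, f):
    """Same product by the quadratic-time cyclic convolution, for comparison."""
    d = len(f)
    out = [0.0] * d
    for i in range(d):
        for j in range(d):
            out[(i + j) % d] += u[i] * f[j]
    return out

def permuted_circulant(f):
    """C(f) with rows and columns re-indexed as [0, 2, 4, ..., 1, 3, 5, ...]."""
    d, C = len(f), circulant(f)
    sigma = list(range(0, d, 2)) + list(range(1, d, 2))
    return [[C[sigma[a]][sigma[b]] for b in range(d)] for a in range(d)]

def block_form(f):
    """Split f(x) = f0(x^2) + x f1(x^2) and build [[C(f0), C(f1)], [C(x f1), C(f0)]]
    from (d/2) x (d/2) circulant blocks; this equals permuted_circulant(f)."""
    f0, f1 = f[0::2], f[1::2]
    xf1 = [f1[-1]] + f1[:-1]                           # times x in R[x]/(x^{d/2} - 1)
    A, B, X = circulant(f0), circulant(f1), circulant(xf1)
    return [ra + rb for ra, rb in zip(A, B)] + [rx + ra for rx, ra in zip(X, A)]
```

The same even/odd split applied recursively to each half-size block is what lets the orthogonalization proceed inductively when d is a power of two.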