Improved (Provable) Algorithms for the Shortest Vector Problem via Bounded Distance Decoding

The most important computational problem on lattices is the Shortest Vector Problem (SVP). In this paper, we present new algorithms that improve the state of the art for provable classical/quantum algorithms for SVP. We present the following results.

• A new algorithm for SVP that provides a smooth tradeoff between time complexity and memory requirement. For any positive integer $4\leq q\leq \sqrt{n}$, our algorithm takes $q^{11n+o(n)}$ time and requires $\mathrm{poly}(n)\cdot q^{16n/q^2}$ memory. This tradeoff, which ranges from enumeration ($q=\sqrt{n}$) to sieving ($q$ constant), is a consequence of a new time-memory tradeoff for Discrete Gaussian sampling above the smoothing parameter.

• A quantum algorithm that runs in time $2^{0.9532n+o(n)}$ and requires $2^{0.5n+o(n)}$ classical memory and $\mathrm{poly}(n)$ qubits. This improves over the previously fastest classical (which is also the fastest quantum) algorithm due to [ADRS15], which has time and space complexity $2^{n+o(n)}$.

• A classical algorithm for SVP that runs in $2^{1.73n+o(n)}$ time and $2^{0.5n+o(n)}$ space. This improves over an algorithm of [CCL18] that has the same space complexity.

[1] Damien Stehlé, et al. Analyzing Blockwise Lattice Algorithms Using Dynamical Systems, 2011, CRYPTO.

[2] Ernest F. Brickell, et al. Breaking Iterated Knapsacks, 1985, CRYPTO.

[3] Damien Stehlé, et al. Closest Vectors, Successive Minima, and Dual HKZ-Bases of Lattices, 2000, ICALP.

[4] Claus-Peter Schnorr, et al. Lattice basis reduction: Improved practical algorithms and solving subset sum problems, 1991, FCT.

[5] Oded Regev, et al. On lattices, learning with errors, random linear codes, and cryptography, 2005, STOC '05.

[6] Nicolas Gama, et al. Finding short lattice vectors within Mordell's inequality, 2008, STOC.

[7] Johannes A. Buchmann, et al. Practical Lattice Basis Sampling Reduction, 2006, ANTS.

[8] Vinod Vaikuntanathan, et al. Lattice-based FHE as secure as PKE, 2014, IACR Cryptol. ePrint Arch.

[9] Craig Gentry, et al. Fully homomorphic encryption using ideal lattices, 2009, STOC '09.

[10] Jeffrey C. Lagarias, et al. Solving low density subset sum problems, 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[11] Yoshinori Aono, et al. Quantum Lattice Enumeration and Tweaking Discrete Pruning, 2018, IACR Cryptol. ePrint Arch.

[12] Daniele Micciancio, et al. Faster exponential time algorithms for the shortest vector problem, 2010, SODA '10.

[13] Daniele Micciancio, et al. Worst-case to average-case reductions based on Gaussian measures, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[14] Daniele Micciancio, et al. A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations (Extended Abstract), 2009.

[15] Daniel Dadush, et al. Solving the Shortest Vector Problem in $2^n$ Time Using Discrete Gaussian Sampling: Extended Abstract, 2014, STOC.

[16] Ravi Kumar, et al. A sieve algorithm for the shortest lattice vector problem, 2001, STOC '01.

[17] Miklós Ajtai, et al. Generating hard instances of lattice problems (extended abstract), 1996, STOC '96.

[18] Anja Becker, et al. New directions in nearest neighbor searching with applications to lattice sieving, 2016, IACR Cryptol. ePrint Arch.

[19] Jianqing Fan, et al. Distributions of angles in random packing on spheres, 2013, J. Mach. Learn. Res.

[20] Ravi Kannan, et al. Minkowski's Convex Body Theorem and Integer Programming, 1987, Math. Oper. Res.

[21] Chris Peikert, et al. Hardness of SIS and LWE with Small Parameters, 2013, CRYPTO.

[22] Daniele Micciancio, et al. The shortest vector in a lattice is hard to approximate to within some constant, 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[23] Bettina Helfrich, et al. Algorithms to Construct Minkowski Reduced and Hermite Reduced Lattice Bases, 1985, Theor. Comput. Sci.

[24] Damien Stehlé, et al. Tuple lattice sieving, 2016, IACR Cryptol. ePrint Arch.

[25] Noah Stephens-Davidowitz, et al. Discrete Gaussian Sampling Reduces to CVP and SVP, 2015, SODA.

[26] Yoshinori Aono, et al. Random Sampling Revisited: Lattice Enumeration with Discrete Pruning, 2017, IACR Cryptol. ePrint Arch.

[27] Phong Q. Nguyen, et al. Sieve algorithms for the shortest vector problem are practical, 2008, J. Math. Cryptol.

[28] Christoph Dürr, et al. A Quantum Algorithm for Finding the Minimum, 1996, ArXiv.

[29] Oded Regev, et al. Tensor-based hardness of the shortest vector problem to within almost polynomial factors, 2007, STOC '07.

[30] Lov K. Grover. A fast quantum mechanical algorithm for database search, 1996, STOC '96.

[31] Rudi de Buda, et al. Some optimal codes have structure, 1989, IEEE J. Sel. Areas Commun.

[32] Craig Gentry, et al. Trapdoors for hard lattices and new cryptographic constructions, 2008, IACR Cryptol. ePrint Arch.

[33] Daniele Micciancio. Lattice-Based Cryptography, 2011, Encyclopedia of Cryptography and Security.

[34] Divesh Aggarwal, et al. (Gap/S)ETH hardness of SVP, 2017, STOC.

[35] Hendrik W. Lenstra, et al. Integer Programming with a Fixed Number of Variables, 1983, Math. Oper. Res.

[36] Damien Stehlé, et al. Solving the Shortest Lattice Vector Problem in Time $2^{2.465n}$, 2009, IACR Cryptol. ePrint Arch.

[37] Leonid A. Levin, et al. Pseudo-random generation from one-way functions, 1989, STOC '89.

[38] Adi Shamir, et al. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem, 1984, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[39] Divesh Aggarwal, et al. Slide Reduction, Revisited - Filling the Gaps in SVP Approximation, 2019, CRYPTO.

[40] Michele Mosca, et al. Finding shortest lattice vectors faster using quantum search, 2015, Designs, Codes and Cryptography.

[41] Martin R. Albrecht, et al. The General Sieve Kernel and New Records in Lattice Reduction, 2019, IACR Cryptol. ePrint Arch.

[42] Pierre-Alain Fouque, et al. Time-Memory Trade-Off for Lattice Enumeration in a Ball, 2016, IACR Cryptol. ePrint Arch.

[43] Kai-Min Chung, et al. SPACE-EFFICIENT CLASSICAL AND QUANTUM ALGORITHMS FOR THE SHORTEST, 2018.

[44] Elena Kirshanova, et al. Quantum Algorithms for the Approximate k-List Problem and their Application to Lattice Sieving, 2019, IACR Cryptol. ePrint Arch.

[45] Subhash Khot, et al. Hardness of approximating the shortest vector problem in lattices, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[46] Oded Goldreich, et al. Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity, 1988, SIAM J. Comput.

[47] Divesh Aggarwal, et al. Just Take the Average! An Embarrassingly Simple $2^n$-Time Algorithm for SVP (and CVP), 2017, SOSA.

[48] Ravi Kumar, et al. Sampling short lattice vectors and the closest lattice vector problem, 2002, Proceedings 17th IEEE Annual Conference on Computational Complexity.

[49] Gilles Brassard, et al. Tight bounds on quantum searching, 1996, quant-ph/9605034.

[50] Daniel Dadush, et al. On the Closest Vector Problem with a Distance Guarantee, 2014, 2014 IEEE 29th Conference on Computational Complexity (CCC).

[51] András Frank, et al. An application of simultaneous diophantine approximation in combinatorial optimization, 1987, Comb.

[52] W. Hoeffding. Probability Inequalities for sums of Bounded Random Variables, 1963.

[53] C. P. Schnorr, et al. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms, 1987, Theor. Comput. Sci.

[54] Daniele Micciancio, et al. Fast Lattice Point Enumeration with Minimal Overhead, 2015, SODA.

[55] László Lovász, et al. Factoring polynomials with rational coefficients, 1982.

[56] C. Shannon. Probability of error for optimal codes in a Gaussian channel, 1959.

[57] Isaac L. Chuang, et al. Quantum Computation and Quantum Information (10th Anniversary edition), 2011.

[58] Philip N. Klein, et al. Finding the closest lattice vector when it's unusually close, 2000, SODA '00.

[59] Nicolas Gama, et al. Lattice Enumeration Using Extreme Pruning, 2010, EUROCRYPT.