Improved (Provable) Algorithms for the Shortest Vector Problem via Bounded Distance Decoding

The most important computational problem on lattices is the Shortest Vector Problem (SVP). In this paper, we present new algorithms that improve the state of the art for provable classical/quantum algorithms for SVP. We present the following results.

- A new algorithm for SVP that provides a smooth tradeoff between time complexity and memory requirement. For any positive integer $4\leq q\leq \sqrt{n}$, our algorithm takes $q^{11n+o(n)}$ time and requires $\mathrm{poly}(n)\cdot q^{16n/q^2}$ memory. This tradeoff, which ranges from enumeration ($q=\sqrt{n}$) to sieving ($q$ constant), is a consequence of a new time-memory tradeoff for Discrete Gaussian sampling above the smoothing parameter.
- A quantum algorithm that runs in time $2^{0.9532n+o(n)}$ and requires $2^{0.5n+o(n)}$ classical memory and $\mathrm{poly}(n)$ qubits. This improves over the previously fastest classical (which is also the fastest quantum) algorithm due to [ADRS15], which has time and space complexity $2^{n+o(n)}$.
- A classical algorithm for SVP that runs in $2^{1.73n+o(n)}$ time and $2^{0.5n+o(n)}$ space. This improves over an algorithm of [CCL18] that has the same space complexity.

[1] Gilles Brassard, et al. Tight bounds on quantum searching, 1996, quant-ph/9605034.

[2] Nicolas Gama, et al. Finding short lattice vectors within Mordell's inequality, 2008, STOC.

[3] Daniele Micciancio, et al. A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations (Extended Abstract), 2009.

[4] Daniele Micciancio. Lattice-Based Cryptography, 2011, Encyclopedia of Cryptography and Security.

[5] Daniele Micciancio, et al. Worst-case to average-case reductions based on Gaussian measures, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[6] Jianqing Fan, et al. Distributions of angles in random packing on spheres, 2013, J. Mach. Learn. Res.

[7] Nicolas Gama, et al. Lattice Enumeration Using Extreme Pruning, 2010, EUROCRYPT.

[8] Daniele Micciancio, et al. Fast Lattice Point Enumeration with Minimal Overhead, 2015, SODA.

[9] Daniel Dadush, et al. Solving the Shortest Vector Problem in $2^n$ Time Using Discrete Gaussian Sampling: Extended Abstract, 2014, STOC.

[10] Anja Becker, et al. New directions in nearest neighbor searching with applications to lattice sieving, 2016, IACR Cryptol. ePrint Arch.

[11] Adi Shamir, et al. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem, 1984, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[12] Isaac L. Chuang, et al. Quantum Computation and Quantum Information (10th Anniversary edition), 2011.

[13] C. P. Schnorr, et al. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms, 1987, Theor. Comput. Sci.

[14] Oded Regev, et al. Tensor-based hardness of the shortest vector problem to within almost polynomial factors, 2007, STOC '07.

[15] W. Hoeffding. Probability Inequalities for sums of Bounded Random Variables, 1963.

[16] Pierre-Alain Fouque, et al. Time-Memory Trade-Off for Lattice Enumeration in a Ball, 2016, IACR Cryptol. ePrint Arch.

[17] Phong Q. Nguyen, et al. Sieve algorithms for the shortest vector problem are practical, 2008, J. Math. Cryptol.

[18] Chris Peikert, et al. Hardness of SIS and LWE with Small Parameters, 2013, CRYPTO.

[19] Damien Stehlé, et al. Classical hardness of learning with errors, 2013, STOC '13.

[20] Martin R. Albrecht, et al. The General Sieve Kernel and New Records in Lattice Reduction, 2019, IACR Cryptol. ePrint Arch.

[21] Noah Stephens-Davidowitz, et al. Discrete Gaussian Sampling Reduces to CVP and SVP, 2015, SODA.

[22] Philip N. Klein, et al. Finding the closest lattice vector when it's unusually close, 2000, SODA '00.

[23] Hendrik W. Lenstra, et al. Integer Programming with a Fixed Number of Variables, 1983, Math. Oper. Res.

[24] Christoph Dürr, et al. A Quantum Algorithm for Finding the Minimum, 1996, ArXiv.

[25] Lov K. Grover. A fast quantum mechanical algorithm for database search, 1996, STOC '96.

[26] C. Shannon. Probability of error for optimal codes in a Gaussian channel, 1959.

[27] Yoshinori Aono, et al. Quantum Lattice Enumeration and Tweaking Discrete Pruning, 2018, IACR Cryptol. ePrint Arch.

[28] Damien Stehlé, et al. Closest Vectors, Successive Minima, and Dual HKZ-Bases of Lattices, 2000, ICALP.

[29] Ravi Kannan, et al. Minkowski's Convex Body Theorem and Integer Programming, 1987, Math. Oper. Res.

[30] Daniele Micciancio, et al. Faster exponential time algorithms for the shortest vector problem, 2010, SODA '10.

[31] Ravi Kumar, et al. A sieve algorithm for the shortest lattice vector problem, 2001, STOC '01.

[32] Oded Regev, et al. On lattices, learning with errors, random linear codes, and cryptography, 2005, STOC '05.

[33] Vinod Vaikuntanathan, et al. Lattice-based FHE as secure as PKE, 2014, IACR Cryptol. ePrint Arch.

[34] László Lovász, et al. Factoring polynomials with rational coefficients, 1982.

[35] Jeffrey C. Lagarias, et al. Solving low density subset sum problems, 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[36] Craig Gentry, et al. Trapdoors for hard lattices and new cryptographic constructions, 2008, IACR Cryptol. ePrint Arch.

[37] Bettina Helfrich, et al. Algorithms to Construct Minkowski Reduced and Hermite Reduced Lattice Bases, 1985, Theor. Comput. Sci.

[38] Subhash Khot, et al. Hardness of approximating the shortest vector problem in lattices, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[39] Divesh Aggarwal, et al. (Gap/S)ETH hardness of SVP, 2017, STOC.

[40] Leonid A. Levin, et al. Pseudo-random generation from one-way functions, 1989, STOC '89.

[41] Daniel Dadush, et al. On the Closest Vector Problem with a Distance Guarantee, 2014, 2014 IEEE 29th Conference on Computational Complexity (CCC).

[42] Rudi de Buda, et al. Some optimal codes have structure, 1989, IEEE J. Sel. Areas Commun.

[43] Craig Gentry, et al. Fully homomorphic encryption using ideal lattices, 2009, STOC '09.

[44] Elena Kirshanova, et al. Quantum Algorithms for the Approximate k-List Problem and their Application to Lattice Sieving, 2019, IACR Cryptol. ePrint Arch.

[45] Oded Goldreich, et al. Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity, 1988, SIAM J. Comput.

[46] Gottfried Herold, et al. Improved Algorithms for the Approximate k-List Problem in Euclidean Norm, 2017, Public Key Cryptography.

[47] Damien Stehlé, et al. Solving the Shortest Lattice Vector Problem in Time $2^{2.465n}$, 2009, IACR Cryptol. ePrint Arch.

[48] Michele Mosca, et al. Finding shortest lattice vectors faster using quantum search, 2015, Designs, Codes and Cryptography.

[49] Ernest F. Brickell, et al. Breaking Iterated Knapsacks, 1985, CRYPTO.

[50] Miklós Ajtai, et al. Generating hard instances of lattice problems (extended abstract), 1996, STOC '96.

[51] Damien Stehlé, et al. Analyzing Blockwise Lattice Algorithms Using Dynamical Systems, 2011, CRYPTO.

[52] Kai-Min Chung, et al. SPACE-EFFICIENT CLASSICAL AND QUANTUM ALGORITHMS FOR THE SHORTEST, 2018.

[53] Divesh Aggarwal, et al. Just Take the Average! An Embarrassingly Simple $2^n$-Time Algorithm for SVP (and CVP), 2017, SOSA.

[54] Ravi Kumar, et al. Sampling short lattice vectors and the closest lattice vector problem, 2002, Proceedings 17th IEEE Annual Conference on Computational Complexity.

[55] Claus-Peter Schnorr, et al. Lattice basis reduction: Improved practical algorithms and solving subset sum problems, 1991, FCT.

[56] András Frank, et al. An application of simultaneous diophantine approximation in combinatorial optimization, 1987, Comb.

[57] Divesh Aggarwal, et al. Slide Reduction, Revisited - Filling the Gaps in SVP Approximation, 2019, CRYPTO.

[58] Yoshinori Aono, et al. Random Sampling Revisited: Lattice Enumeration with Discrete Pruning, 2017, IACR Cryptol. ePrint Arch.

[59] Damien Stehlé, et al. Tuple lattice sieving, 2016, IACR Cryptol. ePrint Arch.

[60] Johannes A. Buchmann, et al. Practical Lattice Basis Sampling Reduction, 2006, ANTS.

[61] Léo Ducas, et al. Shortest Vector from Lattice Sieving: a Few Dimensions for Free, 2018, IACR Cryptol. ePrint Arch.

[62] Daniele Micciancio, et al. The shortest vector in a lattice is hard to approximate to within some constant, 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).