Solving the Closest Vector Problem in 2^n Time -- The Discrete Gaussian Strikes Again!

We give a 2^(n+o(n))-time and space randomized algorithm for solving the exact Closest Vector Problem (CVP) on n-dimensional Euclidean lattices. This improves on the previous fastest algorithm, the deterministic Õ(4^n)-time and Õ(2^n)-space algorithm of Micciancio and Voulgaris [1]. We achieve our main result in three steps. First, we show how to modify the sampling algorithm from [2] to solve the problem of discrete Gaussian sampling over lattice shifts, L - t, with very low parameters. While the actual algorithm is a natural generalization of [2], the analysis uses substantial new ideas. This yields a 2^(n+o(n))-time algorithm for approximate CVP with the very good approximation factor γ = 1 + 2^(-o(n/log n)). Second, we show that the approximate closest vectors to a target vector t can be grouped into “lower-dimensional clusters,” and we use this to obtain a recursive reduction from exact CVP to a variant of approximate CVP that “behaves well with these clusters.” Third, we show that our discrete Gaussian sampling algorithm can be used to solve this variant of approximate CVP. The analysis depends crucially on some new properties of the discrete Gaussian distribution and approximate closest vectors, which might be of independent interest.

[1]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[2]  Daniele Micciancio,et al.  Faster exponential time algorithms for the shortest vector problem , 2010, SODA '10.

[3]  Jeffrey C. Lagarias,et al.  Korkin-Zolotarev bases and successive minima of a lattice and its reciprocal lattice , 1990, Comb..

[4]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[5]  Daniele Micciancio,et al.  A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations (Extended Abstract) , 2009 .

[6]  Daniel Dadush,et al.  Solving the Shortest Vector Problem in 2^n Time Using Discrete Gaussian Sampling: Extended Abstract , 2014, STOC.

[7]  Daniele Micciancio The Shortest Vector in a Lattice is Hard to Approximate to within Some Constant , 2000, SIAM J. Comput..

[8]  M. Ajtai The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[9]  W. Banaszczyk New bounds in some transference theorems in the geometry of numbers , 1993 .

[10]  Hendrik W. Lenstra,et al.  Integer Programming with a Fixed Number of Variables , 1983, Math. Oper. Res..

[11]  Miklós Ajtai,et al.  The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[12]  Damien Stehlé,et al.  Solving the Shortest Lattice Vector Problem in Time 2^(2.465n) , 2009, IACR Cryptol. ePrint Arch..

[13]  Bettina Helfrich,et al.  Algorithms to Construct Minkowski Reduced and Hermite Reduced Lattice Bases , 1985, Theor. Comput. Sci..

[14]  Gary L. Miller,et al.  Proceedings of the twenty-eighth annual ACM symposium on Theory of computing , 1996, STOC 1996.

[15]  Jean-Pierre Seifert,et al.  Approximating Shortest Lattice Vectors is Not Harder Than Approximating Closest Lattice Vectors , 1999, Electron. Colloquium Comput. Complex..

[16]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[17]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2009, JACM.

[18]  Ravi Kannan,et al.  Minkowski's Convex Body Theorem and Integer Programming , 1987, Math. Oper. Res..

[19]  Vinod Vaikuntanathan,et al.  Efficient Fully Homomorphic Encryption from (Standard) LWE , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[20]  Oded Regev,et al.  Tensor-based hardness of the shortest vector problem to within almost polynomial factors , 2007, STOC '07.

[21]  Jean-Pierre Seifert,et al.  On the complexity of computing short linearly independent vectors and short bases in a lattice , 1999, STOC '99.

[22]  Antoine Joux,et al.  Lattice Reduction: A Toolbox for the Cryptanalyst , 1998, Journal of Cryptology.

[23]  Damien Stehlé,et al.  Closest Vectors, Successive Minima, and Dual HKZ-Bases of Lattices , 2000, ICALP.

[24]  Vikraman Arvind,et al.  Some Sieving Algorithms for Lattice Problems , 2008, FSTTCS.

[25]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[26]  Daniel Dadush,et al.  On the Closest Vector Problem with a Distance Guarantee , 2014, 2014 IEEE 29th Conference on Computational Complexity (CCC).

[27]  Phong Q. Nguyen,et al.  Sieve algorithms for the shortest vector problem are practical , 2008, J. Math. Cryptol..

[28]  A. J. Menezes,et al.  Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings , 2007, CRYPTO.

[29]  Nancy A. Lynch,et al.  Proceedings of the fifteenth annual ACM symposium on Theory of computing , 1983, STOC 1983.

[30]  Ravi Kumar,et al.  Sampling short lattice vectors and the closest lattice vector problem , 2002, Proceedings 17th IEEE Annual Conference on Computational Complexity.

[31]  Johannes Blömer,et al.  Sampling methods for shortest vectors, closest vectors and successive minima , 2007, Theor. Comput. Sci..

[32]  Jeffrey Scott Vitter,et al.  Proceedings of the thirtieth annual ACM symposium on Theory of computing , 1998, STOC 1998.

[33]  Daniel Dadush,et al.  Lattice Sparsification and the Approximate Closest Vector Problem , 2013, SODA.

[34]  Gary L. Miller,et al.  Solvability by radicals is in polynomial time , 1983, STOC.

[35]  Andrew Odlyzko,et al.  The Rise and Fall of Knapsack Cryptosystems , 1998 .

[36]  Santosh S. Vempala,et al.  Enumerative Lattice Algorithms in any Norm Via M-ellipsoid Coverings , 2010, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[37]  Oded Regev,et al.  An Inequality for Gaussians on Lattices , 2015, SIAM J. Discret. Math..

[38]  Jin-Yi Cai,et al.  Approximating the SVP to within a factor (1-1/dim^ε) is NP-hard under randomized conditions , 1998, Proceedings. Thirteenth Annual IEEE Conference on Computational Complexity (Formerly: Structure in Complexity Theory Conference) (Cat. No.98CB36247).

[39]  Jin-Yi Cai,et al.  Approximating the Svp to within a Factor ? , 2007 .

[40]  Johannes Blömer,et al.  Sampling Methods for Shortest Vectors, Closest Vectors and Successive Minima , 2007, ICALP.

[41]  Noah Stephens-Davidowitz,et al.  Discrete Gaussian Sampling Reduces to CVP and SVP , 2015, SODA.

[42]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.

[43]  Jacques Stern,et al.  The Two Faces of Lattices in Cryptology , 2001, CaLC.

[44]  Thomas Holenstein,et al.  Approximating the Closest Vector Problem Using an Approximate Shortest Vector Oracle , 2011, APPROX-RANDOM.

[45]  Damien Stehlé,et al.  Algorithms for the Shortest and Closest Lattice Vector Problems , 2011, IWCC.

[46]  Daniele Micciancio,et al.  Efficient reductions among lattice problems , 2008, SODA '08.

[47]  N. S. Barnett,et al.  Private communication , 1969 .

[48]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[49]  Phong Q. Nguyen The Two Faces of Lattices in Cryptology , 2001, Selected Areas in Cryptography.

[50]  Ulrich Betke,et al.  Successive-minima-type inequalities , 1993, Discret. Comput. Geom..

[51]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[52]  Daniele Micciancio,et al.  Fast Lattice Point Enumeration with Minimal Overhead , 2015, SODA.

[53]  Jacques Stern,et al.  The Hardness of Approximate Optima in Lattices, Codes, and Systems of Linear Equations , 1997, J. Comput. Syst. Sci..

[54]  Guy Kindler,et al.  Approximating CVP to Within Almost-Polynomial Factors is NP-Hard , 1998, Electron. Colloquium Comput. Complex..

[55]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in lattices , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[56]  Daniel Dadush,et al.  Short Paths on the Voronoi Graph and Closest Vector Problem with Preprocessing , 2014, SODA.

[57]  C. P. Schnorr,et al.  A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms , 1987, Theor. Comput. Sci..

[58]  A. Joux,et al.  A sieve algorithm based on overlattices , 2014 .

[59]  Meir Feder,et al.  Finding the Closest Lattice Point by Iterative Slicing , 2007, 2007 IEEE International Symposium on Information Theory.

[60]  Antoine Joux,et al.  Improved low-density subset sum algorithms , 1992, computational complexity.

[61]  Guy Kindler,et al.  Approximating CVP to Within Almost-Polynomial Factors is NP-Hard , 2003, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[62]  Vinod Vaikuntanathan,et al.  Lattice-based FHE as secure as PKE , 2014, IACR Cryptol. ePrint Arch..

[63]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.