In a recent talk by Hallgren on joint work with Eldar (Sept 21, 2021, Simons Institute), a polynomial-time quantum algorithm for solving BDD in a certain class of lattices was claimed. We show here that known classical (and even deterministic) polynomial-time algorithms already achieve this result.

1 Context and Claims

The problem considered by Eldar and Hallgren [Hal21] can be read as a worst-case version of the LWE problem, with secret dimension $k = 1$, $n$ samples, modulus $q = c$ for some $c > 1$, and a sub-exponential approximation factor $\alpha = 1/2^{\Theta(\sqrt{n})}$. More formally, let us start by defining Bounded Distance Decoding.

Definition 1.1 (Bounded Distance Decoding (BDD)). The BDD problem in a lattice $L \subset \mathbb{R}$ with radius $r > 0$ is the problem of, given $t = v + e$ for a lattice vector $v \in L$ and an error $e \in \mathbb{R}$ with $\|e\| < r$, finding $v$. For the solution to be unique, one requires $r/\lambda_1(L) < 1/2$. More generally, this ratio is referred to as the BDD approximation factor.

The family of lattices considered in [Hal21] are the q-ary lattices spanned by a single vector $a \in \mathbb{Z}$: $L_a = q\mathbb{Z} + a\mathbb{Z}$.

Theorem 1.2 (Eldar & Hallgren [Hal21]). There exists a quantum polynomial-time algorithm that solves BDD in $L_a$ for any $a \in \mathbb{Z}$ and for any error up to radius $\lambda_1(L_a) \cdot 2^{-\Theta(\sqrt{n})}$.

In the average case, this problem with these parameters is already known to be easy to solve, simply by ignoring all but $O(\sqrt{n})$ many samples (geometrically, a projection onto certain canonical axes), applying the LLL reduction algorithm to the basis, and finally decoding with Babai's nearest plane algorithm. During the panel discussion following the presentation, various experts discussed the plausibility of a provable classical algorithm achieving the same result via known randomization techniques. While we share their optimism regarding the plausibility of such a classical rerandomisation, we will show that such randomization is not even needed!
Namely, we will prove that the LLL [LLL82] and Babai [Bab86] algorithms already solve the problem in the full-dimensional lattice, in the worst case, and deterministically. Proving so requires considering the q-ary structure of the lattice, and guarantees of LLL other than its approximation factor. Such reasoning is not new, and has already played a role in lattice cryptanalysis [CL15, KF17]. More specifically, a key remark in our case is that the "perp lattice" (the dual lattice scaled up by $q$) is an integer lattice with small determinant; the situation appears as the dual of [CL15].

We also provide the constant in the exponent, for a more refined comparison. To this end, let us introduce $\delta = \sqrt{4/3} +$ for some arbitrarily small $> 0$ as the constant appearing in the László condition in LLL [LLL82]. The constant $c > 1$ below is the constant such that $q = c$.

Theorem 1.3 (This note – First Version, Sept. 24, 2021). There exists a deterministic polynomial-time algorithm that solves BDD in $L_a$ for any $a \in \mathbb{Z}$ for any error up to radius $\lambda_1(L_a) \cdot (c\sqrt{\delta})^{-\sqrt{n} - O(1)}$.

1.1 General analysis

In the same talk [Hal21], a more general result was claimed, but the exact parameters for that result were unclear and uncertain. The analysis of the deterministic algorithm considered in this note also generalizes to other regimes: arbitrary choice of $q$, and more generating vectors. Namely, for any matrix $A \in \mathbb{Z}^{n \times k}$, consider the lattice $L_A = q\mathbb{Z} + A\mathbb{Z}$.

Theorem 1.4 (This note – Second version, Oct. 14, 2021). There exists a deterministic polynomial-time algorithm that solves BDD in $L_A$ for any $A \in \mathbb{Z}^{n \times k}$ for any error up to radius $\frac{1}{2}\lambda_1(L_A) \cdot \exp(-\sqrt{2k \cdot \ln q \cdot \ln \delta})$.

Remark: Instantiating the new version with $k = 1$ and $q = c$, we recover the same asymptotic result as in the first version, but with a better constant. This is explained by a better choice for the concrete value of $d$ in the proof below.

2 Proof

The volume of this lattice is an integer between $q^{n-k}$ and $q$.
A key remark to show that LLL already solves the problem is to exploit the knowledge of a full-rank set of short lattice vectors, namely the q-vectors $(0, \dots, 0, q, 0, \dots, 0)$. We produce a controlled basis of the lattice via the following lemma.

Lemma 2.1 ([MG02, Lemma 7.1, page 129], simplified). There is a deterministic polynomial-time algorithm that, given an arbitrary basis of an $n$-dimensional lattice $\Lambda$ and a full-rank set of lattice vectors $V \subset \Lambda$, outputs a basis $(b_1, \dots, b_n)$ of $\Lambda$ such that the associated Gram-Schmidt vectors satisfy $\|b_i\| \le \max_{v \in V} \|v\|$.
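Added example (not code from the note or from its authors): the LLL-then-Babai decoding discussed above, in exact rational arithmetic, run on a small constructed lattice generated by a vector a and the q-vectors. The instance (q = 1009, a, e), all function names and the textbook Lovász parameter 3/4 are assumptions made for illustration; the basis construction assumes gcd(a[0], q) = 1.

```python
from fractions import Fraction

def dot(u, v):
    return sum(Fraction(x) * y for x, y in zip(u, v))

def gram_schmidt(B):
    """Exact Gram-Schmidt vectors B* and coefficients mu of the rows of B."""
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, lovasz=Fraction(3, 4)):
    """Textbook LLL; `lovasz` is the usual 3/4 parameter, not the note's delta."""
    B, k = [list(b) for b in B], 1
    while k < len(B):
        for j in range(k - 1, -1, -1):            # size-reduce row k
            c = round(gram_schmidt(B)[1][k][j])
            B[k] = [x - c * y for x, y in zip(B[k], B[j])]
        Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (lovasz - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1
        else:                                      # swap and step back
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
    return B

def babai(B, t):
    """Babai nearest plane: lattice vector v with t - v in the Gram-Schmidt box."""
    Bs, w = gram_schmidt(B)[0], [Fraction(x) for x in t]
    for b, bs in zip(reversed(B), reversed(Bs)):
        c = round(dot(w, bs) / dot(bs, bs))
        w = [x - c * y for x, y in zip(w, b)]      # w ends as the residual t - v
    return [int(x - y) for x, y in zip(t, w)]

def qary_basis(a, q):
    """Basis of the lattice generated by a and q*e_1..q*e_n; needs gcd(a[0], q) = 1."""
    inv, n = pow(a[0], -1, q), len(a)
    return [[inv * x % q for x in a]] + [[q * (i == j) for j in range(n)] for i in range(1, n)]

# Constructed instance (not from the note): v lies in the lattice, e is the planted error.
q, a, e = 1009, [3, 141, 592, 653, 589, 793], [1, -1, 0, 1, 0, -1]
v = [(77 * x) % q - q * (i % 2) for i, x in enumerate(a)]
t = [x + y for x, y in zip(v, e)]
print(babai(lll(qary_basis(a, q)), t) == v)
```

Decoding succeeds whenever the error lies inside the Gram-Schmidt box of the reduced basis, which is why the proof tracks the Gram-Schmidt norms rather than only the approximation factor of LLL.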
[1] Shafi Goldwasser, et al. Complexity of lattice problems - a cryptographic perspective, 2002, The Kluwer international series in engineering and computer science.
[2] J. Cheon, et al. Approximate Algorithms on Lattices with Small Determinant (Extended Abstract), 2016.
[3] László Babai, et al. On Lovász’ lattice reduction and the nearest lattice point problem, 1986, Comb.
[4] László Lovász, et al. Factoring polynomials with rational coefficients, 1982.
[5] Pierre-Alain Fouque, et al. Revisiting Lattice Attacks on Overstretched NTRU Parameters, 2017, EUROCRYPT.