Lattices
Mathematical background
• $\mathbb{R}^n$: $n$-dimensional Euclidean space. That is,
  $\mathbb{R}^n = \{\, x = (x_1, \ldots, x_n)^T : x_i \in \mathbb{R},\ 1 \le i \le n \,\}$.
• If $x = (x_1, \ldots, x_n)^T,\ y = (y_1, \ldots, y_n)^T \in \mathbb{R}^n$, then $\langle x, y\rangle = x^T y = \sum_i x_i y_i$ (inner product of $x$ and $y$).
• $\|x\| = \langle x, x\rangle^{1/2}$ (Euclidean length or norm of $x$).
• $\|x - y\|$: Euclidean distance between $x$ and $y$.
Definition 1: A lattice $L$ in $\mathbb{R}^n$ is a discrete subgroup of $\mathbb{R}^n$.
• subgroup: if $x, y \in L$, then $x - y \in L$.
• discrete: $\exists\, \varepsilon > 0$ s.t. $\|x - y\| \ge \varepsilon$ for all $x \ne y \in L$.
Definition 2: An $n$-dimensional lattice of rank $m$ is a subset $L$ of $\mathbb{R}^n$ of the form
  $L = \{\, x_1 b_1 + \cdots + x_m b_m : x_i \in \mathbb{Z} \,\}$,
where $b_1, \ldots, b_m$ are linearly independent vectors in $\mathbb{R}^n$. Every vector in $L$ is an integer linear combination of $b_1, \ldots, b_m$.
• Basis: $B = (b_1, \ldots, b_m)$ is called a basis of $L$. $L$ has full rank if $m = n$. We will be mostly interested in full rank lattices, and call them $n$-dimensional lattices.
• We denote by $L(B)$ the lattice generated by $B$. Thus, if $B = (b_1, \ldots, b_m) \in \mathbb{R}^{n \times m}$ is a basis, then $L(B) := \{\, B \cdot x : x \in \mathbb{Z}^m \,\}$.
• Let $b_1, \ldots, b_m \in \mathbb{R}^n$ (not necessarily linearly independent).
  Let $L(b_1, \ldots, b_m) := \{\, x_1 b_1 + \cdots + x_m b_m : x_i \in \mathbb{Z} \,\}$.
• Theorem. $L(b_1, \ldots, b_m)$ is a lattice if $b_1, \ldots, b_m \in \mathbb{Q}^n$, or if $b_1, \ldots, b_m$ are linearly independent.
• When $L(b_1, \ldots, b_m)$ is a lattice, $b_1, \ldots, b_m$ are said to be generators of $L(b_1, \ldots, b_m)$. If the $b_i$'s are further linearly independent, then $b_1, \ldots, b_m$ is a basis.
Example lattices
• Zero lattice: $\{0\}$.
• Lattice of integers: $\mathbb{Z}^n$.
• Integral lattices: sublattices of $\mathbb{Z}^n$.
• $\Lambda_q^{\perp}(A) := \{\, x \in \mathbb{Z}^m : A x = 0 \bmod q \,\}$, where $A$ is a matrix of dimensions $n \times m$, and $q$ an integer.
• $L(1, \sqrt{2}) = \{\, x + y\sqrt{2} : x, y \in \mathbb{Z} \,\}$ is not a lattice, for there exists a sequence of rationals $x_n / y_n$ ($y_n \ge 1$) with $x_n / y_n \to \sqrt{2}$ such that the nonzero elements $x_n - y_n\sqrt{2}$ come arbitrarily close to $0$, so the discreteness condition fails.
A Lattice in 2 dimensions
Source: http://cseweb.ucsd.edu/~daniele/lattice/lattice.html
A different basis for the same lattice
Source: http://cseweb.ucsd.edu/~daniele/lattice/lattice.html
Lattice Bases
• Unimodular matrix: square, having integer entries, and determinant $\pm 1$.
• If $A$ is an $m \times m$ matrix and $\det A \ne 0$, then $A^{-1} = (a_{ij})$, where $a_{ij} = c_{ij} / \det A$ and $c_{ij} = (-1)^{i+j} \det A_{ji}$, with $A_{ji}$ being $A$ with row $j$ and column $i$ omitted. Furthermore, $\det A^{-1} = 1 / \det A$.
• If $A$ is unimodular, then $A^{-1}$ is unimodular.
• Theorem: Two bases $B$ and $C$ generate the same lattice, i.e., $L(B) = L(C)$, iff $B = C U$ for some unimodular matrix $U$.
• Proof:
  ($\Leftarrow$) Assume $B = C U$, $U$ unimodular. Then $C = B U^{-1}$, $U^{-1}$ unimodular. $B = C U \Rightarrow L(B) \subseteq L(C)$, and $C = B U^{-1} \Rightarrow L(C) \subseteq L(B)$. Hence $L(B) = L(C)$.
  ($\Rightarrow$) Assume $L(B) = L(C)$. Each $b_i$ is in the lattice, hence $b_i = C \cdot v_i$ for some $v_i \in \mathbb{Z}^m$, $1 \le i \le m$, and $B = C V$, where $V = (v_1, \ldots, v_m)$. Similarly, $C = B W$ for some square integer matrix $W$.
  $B = C V = B W V \Rightarrow B (I - W V) = 0 \Rightarrow I - W V = 0$ ($B$ lin. indep.) $\Rightarrow W V = I \Rightarrow \det W \cdot \det V = \det I = 1 \Rightarrow \det V = \pm 1$ (both determinants are integers). Hence $V$ is unimodular.
• For each $n > 1$, there is an infinite number of $n$-dimensional unimodular matrices.
• For example, $\begin{pmatrix} a & a - 1 \\ 1 & 1 \end{pmatrix}$ is unimodular for any $a \in \mathbb{Z}$.
• Each lattice of rank $n > 1$ has an infinite number of bases.
Fundamental Parallelepiped
• Let $B = (b_1, \ldots, b_n) \in \mathbb{R}^{n \times n}$ be a full rank basis.
• Fundamental parallelepiped associated to $B$:
  $P(B) := \{\, B \cdot x : x = (x_1, \ldots, x_n)^T,\ 0 \le x_i < 1 \,\}$.
• Centered fundamental parallelepiped:
  $C(B) := \{\, B \cdot x : x = (x_1, \ldots, x_n)^T,\ -1/2 \le x_i < 1/2 \,\}$.
• $P(B)$ and $C(B)$ are half open.
• The translates $v + P(B)$, $v \in L(B)$, form a partition of the whole space $\mathbb{R}^n$:
  $\mathbb{R}^n = \bigcup_{v \in L(B)} \bigl( v + P(B) \bigr)$.
• For any $t \in \mathbb{R}^n$, there exists a unique point $r \in P(B)$ s.t. $t - r \in L(B)$. This unique $r$ is denoted by $t \bmod B$.
• $t \bmod B$ can be computed efficiently as
  $t \bmod B = t - B \cdot \lfloor B^{-1} t \rfloor$,
  where $\lfloor x \rfloor$ rounds $x$'s coordinates down to integers: $\lfloor x \rfloor_i = \lfloor x_i \rfloor$.
• Similarly, the translates $v + C(B)$, $v \in L(B)$, form a partition of the whole space $\mathbb{R}^n$:
  $\mathbb{R}^n = \bigcup_{v \in L(B)} \bigl( v + C(B) \bigr)$.
• For any $t \in \mathbb{R}^n$, there exists a unique point $r \in C(B)$ s.t. $t - r \in L(B)$. Let's denote this unique $r$ by $t \bmod B$ as well (now taken with respect to $C(B)$).
• This $t \bmod B$ can be computed efficiently as
  $t \bmod B = t - B \cdot \lceil B^{-1} t \rfloor$,
  where $\lceil x \rfloor$ rounds $x$'s coordinates to the nearest integer.
Gram-Schmidt orthogonalization
• A basis $B = (b_1, \ldots, b_n)$ of a vector space is orthogonal if $\langle b_i, b_j\rangle = 0$ for $i \ne j$. $B$ is orthonormal if $\langle b_i, b_j\rangle = \delta_{ij}$, where $\delta_{ij}$ is Kronecker's delta.
• Any basis $B = (b_1, \ldots, b_n)$ can be transformed into an orthogonal basis $B^* = (b_1^*, \ldots, b_n^*)$ using the well-known Gram-Schmidt orthogonalization process:
  $b_i^* = b_i - \sum_{j < i} \mu_{ij}\, b_j^*$, where $\mu_{ij} = \dfrac{\langle b_i, b_j^*\rangle}{\|b_j^*\|^2}$.
Determinant
• $B, C \in \mathbb{R}^{n \times n}$: full rank bases.
• $B^*$: the Gram-Schmidt basis of $B$.
• Theorem 1: If $B, C$ are two bases of the same lattice, then $\det B = \pm \det C$. Also, $|\det B| = \prod_i \|b_i^*\|$.
• Definition: The determinant of a lattice $\Lambda = L(B)$ is
  $\det(\Lambda) := |\det B| = \mathrm{vol}(P(B)) = |\det B^*| = \prod_i \|b_i^*\|$.
  This quantity is an invariant of $\Lambda$, independent of bases.
Hermite normal form
• A square, non-singular, integer or rational matrix $B = (b_{ij})$ is in Hermite normal form (HNF) iff $B$ is lower triangular ($b_{ij} = 0$ for $i < j$) and, for all $j < i$, $0 \le b_{ij} < b_{ii}$.
• Some authors prefer using upper triangular matrices.
• Examples: [two lower triangular integer matrices satisfying the conditions above; entries not recoverable]
HNF for singular or non-square matrices
• An integer or rational $n \times m$ matrix $B = (b_{ij})$ is in HNF if
  $\exists\, 1 \le i_1 < i_2 < \cdots < i_h \le n$ s.t. $b_{ij} \ne 0 \Rightarrow j \le h \wedge i \ge i_j$, and
  for all $k < j \le h$, $0 \le b_{i_j k} < b_{i_j j}$.
• Example: [a matrix in HNF with zero columns at the end; entries not recoverable]
• The first $h$ columns are linearly independent.
• Theorem: If two matrices $B, B'$ in HNF generate the same lattice, then $B = B'$ (except for the number of zero-columns at the end).
• Theorem: Any lattice $L(B)$ has a unique basis $H$ in HNF, which can be constructed from $B$ in polynomial time.
• HNF is useful for solving many lattice problems.
• Basis Problem: Given a set of rational vectors $B$, find a basis for the lattice $L(B)$.
Good bases and bad bases
• Let $B = (b_1, \ldots, b_n)$ be a basis of lattice $L$.
• Roughly speaking, $B$ is a good basis if the vectors $b_i$ are reasonably short and nearly orthogonal, i.e., the inequality $\prod_i \|b_i\| \ge \det(L)$ comes close to equality.
• HNF($L$) is a bad basis and is a good choice for the public lattice basis. It reveals no more info about $L$'s structure than any other basis, because HNF($L$) can be computed from any basis in polynomial time.
Dual Lattice
• The dual of a (full rank) lattice $\Lambda = L(B) \subseteq \mathbb{R}^n$ is the set
  $\Lambda^* := \{\, x \in \mathbb{R}^n : \langle x, v\rangle \in \mathbb{Z} \text{ for all } v \in \Lambda \,\}$.
• Theorem: The dual of a lattice $\Lambda = L(B)$ is a lattice with basis $D = (B^T)^{-1} = (B^{-1})^T$. That is, $L(B)^* = L(D)$.
• Proof: $D^T B = I$, so $\langle d_i, b_j\rangle = \delta_{ij}$ for all $i, j$.
  ($L(D) \subseteq \Lambda^*$): every $d_i$ has an integer inner product with every $b_j$, hence with every $v \in \Lambda$, so $d_i \in \Lambda^*$ and $L(D) \subseteq \Lambda^*$.
  ($\Lambda^* \subseteq L(D)$): If $x \in \Lambda^*$, then $\langle x, b_j\rangle \in \mathbb{Z}$ for all $j$, which means $B^T x \in \mathbb{Z}^n$, so $x = (B^T)^{-1} B^T x = D \cdot (B^T x) \in L(D)$.
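As an added worked example (this is not code from the original slides), the two reductions $t \bmod B$ into $P(B)$ and into $C(B)$ from the fundamental-parallelepiped slides, and the dual basis $D = (B^{-1})^T$ from this slide, computed with exact rational arithmetic. Function names, the $2 \times 2$ basis and the target vector are this example's own constructions; basis vectors are the columns of $B$, matching $L(B) = \{Bx : x \in \mathbb{Z}^n\}$.

```python
# Added example (not from the original slides): t mod B taken in P(B) and in
# C(B), plus the dual basis D = (B^{-1})^T.  Exact arithmetic via Fraction.
# Matrices are lists of rows; basis vectors are the COLUMNS.  Inputs constructed.
from fractions import Fraction
import math

def inverse(B):
    """B^{-1} by Gauss-Jordan elimination over Q (B is assumed full rank)."""
    n = len(B)
    M = [[Fraction(B[i][j]) for j in range(n)] +
         [Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [x / p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]

def matvec(M, x):
    return tuple(sum(Fraction(M[i][j]) * Fraction(x[j]) for j in range(len(x)))
                 for i in range(len(M)))

def transpose(M):
    return [list(col) for col in zip(*M)]

def round_nearest(x):
    """The slides' round-to-nearest-integer: floor(x + 1/2)."""
    return math.floor(x + Fraction(1, 2))

def mod_P(B, t):
    """t mod B in P(B):  t - B * floor(B^{-1} t)."""
    k = [math.floor(c) for c in matvec(inverse(B), t)]
    return tuple(Fraction(ti) - vi for ti, vi in zip(t, matvec(B, k)))

def mod_C(B, t):
    """t mod B in C(B):  t - B * round(B^{-1} t)."""
    k = [round_nearest(c) for c in matvec(inverse(B), t)]
    return tuple(Fraction(ti) - vi for ti, vi in zip(t, matvec(B, k)))

def coefficients(B, r):
    """Coordinates x with B x = r; used to check r in P(B) resp. C(B)."""
    return matvec(inverse(B), r)

def dual_basis(B):
    """D = (B^{-1})^T; its columns d_i satisfy <d_i, b_j> = delta_ij."""
    return transpose(inverse(B))

def is_dual_pair(D, B):
    n = len(B)
    return all(sum(Fraction(D[r][i]) * Fraction(B[r][j]) for r in range(n)) == int(i == j)
               for i in range(n) for j in range(n))

if __name__ == "__main__":
    B = [[2, 1], [1, 3]]        # constructed basis: columns (2,1), (1,3), det 5
    t = [3, 3]
    print(mod_P(B, t), coefficients(B, mod_P(B, t)))   # (1, 2) with coordinates in [0, 1)
    print(mod_C(B, t), coefficients(B, mod_C(B, t)))   # (0, -1) with coordinates in [-1/2, 1/2)
    print(dual_basis(B), is_dual_pair(dual_basis(B), B))
```

The same target reduces to two different representatives, one in $P(B)$ and one in $C(B)$; the difference between them is a lattice vector, as the partition property requires.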
{ }
Definition: The of a lattice ( ) is the smallest distance between any two lattice points: ( ) min : , , .
Note
minimum distan
tha (
ce
t )
Minimum distance and shortest vectorL
λ
λ
Λ =
Λ = − ∈Λ ≠
Λ
•
•
B
x y x y x y
{ } 1
is equal to the length of a : ( ) ( ) min : , .
We can use because lattices are disc
shortest nonzero lattice vecto
rete.
r
min
λ λΛ = Λ = ∈Λ ≠
•
x x x 0
Successive minima
• Definition: For any lattice $\Lambda$ and integer $k \le \mathrm{rank}(\Lambda)$, let $\lambda_k(\Lambda)$ be the smallest $r$ s.t. the closed ball $B(r)$ contains at least $k$ linearly independent lattice vectors. That is,
  $\lambda_k(\Lambda) := \min\{\, \max\{\|x_1\|, \ldots, \|x_k\|\} : x_1, \ldots, x_k \in \Lambda \text{ linearly ind.} \,\}$ //length of the $k$th shortest linearly independent vector//
• Obviously, $\lambda_1(\Lambda) \le \lambda_2(\Lambda) \le \cdots \le \lambda_k(\Lambda)$.
• $\lambda_1, \lambda_2, \ldots, \lambda_k$ are called successive minima of $\Lambda$: first minimum, second minimum, and so on.
Easy Lattice Problems
• Equivalence problem: Given two bases $B$ and $B'$, determine if they generate the same lattice, $L(B) = L(B')$.
  Solution: Compute and check if $\mathrm{HNF}(B) = \mathrm{HNF}(B')$.
• Sum of lattices: Given bases $B$ and $B'$, find a basis for the smallest lattice containing both $L(B)$ and $L(B')$, which is $L(B) + L(B') := \{\, x + y : x \in L(B),\ y \in L(B') \,\}$.
  Solution: Compute $\mathrm{HNF}(B, B')$.
• Containment problem: Given two bases $B$ and $B'$, determine if $L(B) \subseteq L(B')$.
  Solution: Is $\mathrm{HNF}(B') = \mathrm{HNF}(B, B')$?
• Membership problem: Is $v \in L(B)$?
  Solution: Check if $\mathrm{HNF}(B, v) = \mathrm{HNF}(B)$.
• Dual lattice: Given a lattice basis $B$, compute its dual.
  Solution: $D = (B^T)^{-1}$ or $(B^{-1})^T$.
• Intersection of lattices: Given two bases $B$ and $B'$, find a basis for the intersection $L(B) \cap L(B')$.
  Solution: If $D, D'$ are the dual of $B, B'$, then the dual lattice of $L(B) \cap L(B')$ is $L(D, D')$. So, compute the dual bases $D, D'$ of $B, B'$. Compute a basis for $L(D, D')$: $H := \mathrm{HNF}(D, D')$. Compute the dual of $H$.
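As an added worked example (not code from the original slides), a column-operation Hermite normal form in the lower-triangular convention of the HNF slides, for an integer matrix with $n$ rows, $m \ge n$ columns and rank $n$, together with the HNF-based tests for the equivalence, containment and membership problems above. Function names and the small $2 \times 2$ bases are this example's own constructions; basis vectors are the columns of the matrices.

```python
# Added example (not from the original slides): HNF by unimodular column
# operations (col_j -= q*col_k, swap, negate), which leave L(B) unchanged,
# in the lower-triangular convention b_ij = 0 for i < j, 0 <= b_ij < b_ii for j < i.
# Matrices are lists of rows; basis vectors are the COLUMNS.  Inputs constructed.

def hnf(M):
    """Return the n x n HNF basis of the lattice spanned by the columns of M
    (n rows, m >= n columns, rank n)."""
    n, m = len(M), len(M[0])
    A = [list(row) for row in M]

    def col_sub(j, k, q):            # column j <- column j - q * column k
        for r in range(n):
            A[r][j] -= q * A[r][k]

    def col_swap(j, k):
        for r in range(n):
            A[r][j], A[r][k] = A[r][k], A[r][j]

    for i in range(n):
        # Euclid on row i across columns i..m-1 zeroes every A[i][j], j > i;
        # columns > i already have zeros in rows < i, so earlier rows stay fixed.
        for j in range(i + 1, m):
            while A[i][j] != 0:
                q = A[i][i] // A[i][j]
                col_sub(i, j, q)     # A[i][i] becomes A[i][i] mod A[i][j]
                col_swap(i, j)
        if A[i][i] < 0:              # make the pivot positive
            for r in range(n):
                A[r][i] = -A[r][i]
        if A[i][i] == 0:
            raise ValueError("columns do not span a rank-n lattice")
        for j in range(i):           # reduce entries left of the pivot into [0, A[i][i])
            col_sub(j, i, A[i][j] // A[i][i])
    return [row[:n] for row in A]    # the trailing m-n columns are now zero

def hstack(*Ms):
    """Column-wise concatenation, i.e. (B, B') in the slides' notation."""
    return [sum((list(M[r]) for M in Ms), []) for r in range(len(Ms[0]))]

def same_lattice(B, C):              # equivalence problem: L(B) = L(C)?
    return hnf(B) == hnf(C)

def is_sublattice(B, C):             # containment problem: L(B) subset of L(C)?
    return hnf(C) == hnf(hstack(C, B))

def is_member(B, v):                 # membership problem: v in L(B)?
    return hnf(hstack(B, [[x] for x in v])) == hnf(B)

if __name__ == "__main__":
    B = [[2, 3], [0, 1]]             # columns (2,0) and (3,1)
    C = [[2, 1], [0, 1]]             # columns (2,0) and (1,1): same lattice, C = B U
    print(hnf(B), same_lattice(B, C))                                       # [[1, 0], [1, 2]] True
    print(is_sublattice([[2, 0], [0, 2]], C), is_sublattice(C, [[2, 0], [0, 2]]))  # True False
    print(is_member(C, (5, 3)), is_member(C, (5, 2)))                       # True False
```

Because every step is a unimodular column operation, `hnf` returns a basis of the same lattice; uniqueness of the HNF (the theorem above) is what turns the three problems into a comparison of two matrices.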
Cyclic lattice
• Let $r(x)$ be the cyclic rotation of vector $x$, i.e., $r(x_1, \ldots, x_n) = (x_n, x_1, \ldots, x_{n-1})$. A lattice $\Lambda$ is cyclic iff $x \in \Lambda$ implies $r(x) \in \Lambda$.
• Problem: Given $B = (b_1, \ldots, b_m)$, find the smallest cyclic lattice containing $L(B)$.
  Sol: The lattice generated by all the vector rotations $r^j(b_i)$: $0 \le j \le n - 1$, $1 \le i \le m$, where $r^0(x) = x$ and $r^j(x) = r(r^{j-1}(x))$.
• Problem: Is a given lattice $L(B)$ cyclic?
  Sol: $L(B)$ cyclic $\Leftrightarrow r(L(B)) \subseteq L(B) \Leftrightarrow L(r(B)) \subseteq L(B)$, where $r(B) = (r(b_1), \ldots, r(b_m))$.
Some Important Hard Lattice Problems
Shortest Vector Problems
• Exact Shortest Vector Problem (SVP): Given a basis for a lattice $L$ of rank $n$, find a nonzero vector $v \in L$ of length $\lambda_1(L)$.
• Approximate Shortest Vector Problem (SVP$_\gamma$): Given a basis for a lattice $L$ of rank $n$, find a nonzero vector $v \in L$ of length at most $\gamma \cdot \lambda_1(L)$. (The approximation factor $\gamma$ may be a function of $n$.)
• SVP has been studied since the time of Gauss (1801).
Hardness of SVP$_\gamma$
• NP-hard for any constant $\gamma$. There is no polynomial algorithm unless P = NP.
• Hard for $\gamma = n^{c / \log\log n}$ for some constant $c > 0$. There is no polynomial algorithm unless NP $\subseteq$ RSUBEXP.
• Cannot be NP-hard for $\gamma = \sqrt{n / \log n}$ unless NP = coAM.
• Cannot be NP-hard for $\gamma = \sqrt{n}$ unless NP = coNP.
  Summary along the $\gamma$ scale: constant: NP-hard; $n^{c / \log\log n}$: hard; $\sqrt{n / \log n}$: unlikely NP-hard; $\sqrt{n}$: unlikely NP-hard.
SVP$_\gamma$ can be solved in polynomial time
• LLL algorithm (1982): for $\gamma = 2^{n/2}$. Deterministic algorithm.
• Schnorr (1985): for $\gamma = 2^{O(n (\log\log n)^2 / \log n)}$. Deterministic algorithm.
• Ajtai, Kumar, and Sivakumar (2001): $\gamma = 2^{O(n \log\log n / \log n)}$. Randomized algorithm with bounded error.
  Summary, continuing the $\gamma$ scale: $\sqrt{n}$: unlikely NP-hard; $2^{O(n \log\log n / \log n)}$: BPP; $2^{O(n (\log\log n)^2 / \log n)}$: P; $2^{n/2}$: P.
SVP open problems
• It would be a breakthrough if one can:
  Solve SVP$_\gamma$ in polynomial time for $\gamma = n^c$ for some $c > 0$.
  Prove SVP$_\gamma$ hard or NP-hard for $\gamma = n^{\varepsilon}$ for some $\varepsilon > 0$.
Two other important problems: CVP and SIVP
• Closest Vector Problem (CVP$_\gamma$): Given a basis for a lattice $L \subseteq \mathbb{R}^n$ (of rank $n$) and a vector $t \in \mathbb{R}^n$, find a nonzero vector $v \in L$ s.t. $\|t - v\| \le \gamma \cdot \mathrm{dist}(t, L)$.
• Shortest Independent Vectors Problem (SIVP$_\gamma$): Given a basis for a lattice $L$ of rank $n$, find $n$ linearly independent vectors $v_1, \ldots, v_n \in L$ of length at most $\gamma \cdot \lambda_n(L)$.
• Theorem: SVP$_\gamma$ can be reduced to CVP$_\gamma$: SVP$_\gamma \le$ CVP$_\gamma$ (CVP$_\gamma$ is at least as hard as SVP$_\gamma$).
• Proof (for $\gamma = 1$): Let $B = (b_1, \ldots, b_n)$ be the input to SVP. Wish to find a shortest vector $s = \sum_i x_i b_i \in L(B)$ by calling CVP. The idea is to consider a sublattice $L' \subset L(B)$ and a point $c \in L(B)$ with $c \notin L'$ s.t. $s \in -c + L'$, in which case $\mathrm{dist}(c, L') = \|s\|$. Thus, if $y \leftarrow \mathrm{CVP}(L', c)$, then $y - c$ is a solution to SVP$(B)$. Based on this idea, for each $i$, consider the point $b_i$ and the sublattice $L(B_i)$ generated by $B_i = (b_1, \ldots, b_{i-1}, 2b_i, b_{i+1}, \ldots, b_n)$. We have $s \in -b_i + L(B_i)$ if $x_i$ is odd. Let $y_i \leftarrow \mathrm{CVP}(B_i, b_i)$. The shortest vector in $L(B)$ is a shortest vector in $\{\, y_i - b_i : 1 \le i \le n \,\}$. (Some $x_i$ must be odd, since otherwise $s/2 \in L(B)$ would be a shorter nonzero lattice vector.)
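As an added worked example (not code from the original slides), the reduction in the proof above run end to end: for each $i$ the basis $B_i$ doubles $b_i$, the CVP oracle is asked for the point of $L(B_i)$ closest to $b_i$, and the shortest of the differences $y_i - b_i$ is returned. The CVP oracle here is a toy exhaustive search over a coefficient box, sufficient for the small constructed basis and not an efficient solver; all names and inputs are this example's own, and basis vectors are the columns of $B$.

```python
# Added example (not from the original slides): SVP <= CVP via the sublattices
# B_i = (b_1, ..., 2 b_i, ..., b_n) and targets b_i.  The CVP "oracle" is a
# brute-force enumeration over coefficient vectors in [-R, R]^n (toy, assumed
# large enough for the constructed inputs).  Squared norms keep everything integral.
from itertools import product

def columns(B):
    return [[B[r][j] for r in range(len(B))] for j in range(len(B[0]))]

def combine(bs, coeffs):
    return tuple(sum(c * b[k] for c, b in zip(coeffs, bs)) for k in range(len(bs[0])))

def norm_sq(v):
    return sum(x * x for x in v)

def cvp_oracle(bs, t, R=4):
    """Closest lattice point to t among all sum_i c_i b_i with |c_i| <= R."""
    best = None
    for coeffs in product(range(-R, R + 1), repeat=len(bs)):
        y = combine(bs, coeffs)
        d = norm_sq(tuple(a - b for a, b in zip(t, y)))
        if best is None or d < best[0]:
            best = (d, y)
    return best[1]

def svp_via_cvp(B, R=4):
    """For each i: y_i <- CVP(B_i, b_i); return the shortest y_i - b_i."""
    bs = columns(B)
    candidates = []
    for i, bi in enumerate(bs):
        B_i = [list(b) if j != i else [2 * x for x in b] for j, b in enumerate(bs)]
        y = cvp_oracle(B_i, bi, R)
        # y - b_i is nonzero because b_i is not in L(B_i) (its own coefficient would be 1/2)
        candidates.append(tuple(a - b for a, b in zip(y, bi)))
    return min(candidates, key=norm_sq)

def svp_bruteforce(B, R=4):
    """Reference answer: shortest nonzero vector in the same coefficient box."""
    bs = columns(B)
    vs = (combine(bs, c) for c in product(range(-R, R + 1), repeat=len(bs)) if any(c))
    return min(vs, key=norm_sq)

if __name__ == "__main__":
    B = [[2, 1], [1, 2]]        # constructed: columns (2,1) and (1,2); lambda_1^2 = 2
    s = svp_via_cvp(B)
    print(s, norm_sq(s), norm_sq(svp_bruteforce(B)))    # a vector of squared length 2, 2, 2
```

The check at the end compares the reduction's output with a direct search; both report the same minimum length, which is what the proof guarantees for $\gamma = 1$.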
Relationship among SVP$_\gamma$, CVP$_\gamma$, SIVP$_\gamma$
• SVP$_\gamma \le$ CVP$_\gamma$.
• SIVP$_\gamma \le$ CVP$_\gamma$.
• SVP$_1 \le$ SIVP$_1$.
• Open problem: SVP$_\gamma \le$ SIVP$_\gamma$?
Bounded Distance Decoding Problem (BDDP$_\gamma$)
• Given a lattice $L \subseteq \mathbb{R}^n$ and a vector $t \in \mathbb{R}^n$ satisfying $\mathrm{dist}(t, L) < \lambda_1(L) / (\gamma + 1)$, find a nonzero vector $v \in L$ s.t. $\|t - v\| \le \gamma \cdot \mathrm{dist}(t, L)$.
• Same as CVP$_\gamma$ except for the "bounded" condition on $t$, which implies a unique solution.
• Uniqueness: The vector $v \in L$ with $\|t - v\| = \mathrm{dist}(t, L)$ is obviously a solution, and any other $w \in L$ is not a solution since
  $\|t - w\| \ge \|w - v\| - \|v - t\| \ge \lambda_1(L) - \mathrm{dist}(t, L) > (\gamma + 1) \cdot \mathrm{dist}(t, L) - \mathrm{dist}(t, L) = \gamma \cdot \mathrm{dist}(t, L)$.
Centered Orthogonalized Parallelepiped
• Let $B = (b_1, \ldots, b_n) \in \mathbb{R}^{m \times n}$ be a basis.
• Let $B^* = (b_1^*, \ldots, b_n^*)$ be the Gram-Schmidt matrix of $B$.
• Centered orthogonalized parallelepiped:
  $C(B^*) := \{\, B^* \cdot x : x = (x_1, \ldots, x_n)^T,\ -1/2 \le x_i < 1/2 \,\}$.
• $C(B^*)$ is a fundamental region: $\mathrm{span}(B) = \bigcup_{v \in L(B)} \bigl( v + C(B^*) \bigr)$.
• Nearest plane algorithm: Given a target point $t \in \mathrm{span}(B)$, find the unique cell $v + C(B^*)$ that contains $t$.
A Lattice in 2 dimensions
Source: http://cseweb.ucsd.edu/~daniele/lattice/lattice.html
Nearest Plane Algorithm
• Given $B$ and $t$, find a lattice point $v = c_1 b_1 + \cdots + c_n b_n \in L(B)$ s.t. $\dfrac{\langle t - v, b_i^*\rangle}{\langle b_i^*, b_i^*\rangle} \in [-1/2, 1/2)$ for all $1 \le i \le n$.
• In particular, if $t \in \mathrm{span}(B)$, then $t \in v + C(B^*)$.
• Let $L(B')$ be the sublattice generated by $b_1, \ldots, b_{n-1}$. $L(B)$ can be decomposed into "sublattices":
  $L(B) = \bigcup_{c \in \mathbb{Z}} \bigl( c\, b_n + L(B') \bigr) \subset \bigcup_{c \in \mathbb{Z}} \bigl( c\, b_n + \mathrm{span}(B') \bigr)$.
• The hyperplane $c\, b_n + \mathrm{span}(B')$ closest to $t$ is when $c = \left\lceil \dfrac{\langle t, b_n^*\rangle}{\langle b_n^*, b_n^*\rangle} \right\rfloor$. We choose $c_n = c$.
Algorithm NearestPlane($B = (b_1, \ldots, b_n)$, $t$)
  $B^* \leftarrow$ Gram-Schmidt($B$)
  if $n = 0$ then return $0$
  else
    $c \leftarrow \left\lceil \langle t, b_n^*\rangle / \langle b_n^*, b_n^*\rangle \right\rfloor$
    return $c \cdot b_n +$ NearestPlane($(b_1, \ldots, b_{n-1})$, $t - c \cdot b_n$)
Correctness Proof
• By induction. For $n = 0$, the output meets the requirement.
• Assume the algorithm returns a correct answer for ranks $< n$.
• Let $B' = (b_1, \ldots, b_{n-1})$, $C = B^* = (b_1^*, \ldots, b_n^*)$ and $C' = B'^*$. Then $C' = (b_1^*, \ldots, b_{n-1}^*)$ and $C = (C', b_n^*)$.
• By IH, the recursive call returns a lattice point $v' \in L(B')$ s.t.
  $\dfrac{\langle (t - c\, b_n) - v', b_i^*\rangle}{\langle b_i^*, b_i^*\rangle} \in [-1/2, 1/2)$ for all $i = 1, \ldots, n-1$.
• The output of the algorithm is $v = v' + c\, b_n$.
• Need to prove $\dfrac{\langle t - v, b_i^*\rangle}{\langle b_i^*, b_i^*\rangle} \in [-1/2, 1/2)$ for all $1 \le i \le n$.
• For $i \le n - 1$, it follows from the IH since $\langle t - v, b_i^*\rangle = \langle t - v' - c\, b_n, b_i^*\rangle = \langle (t - c\, b_n) - v', b_i^*\rangle$.
• For $i = n$,
  $\langle t - v, b_n^*\rangle = \langle t - v' - c\, b_n, b_n^*\rangle = \langle t, b_n^*\rangle - \langle v', b_n^*\rangle - c\, \langle b_n, b_n^*\rangle = \langle t, b_n^*\rangle - c\, \langle b_n^*, b_n^*\rangle$,
  so $\dfrac{\langle t - v, b_n^*\rangle}{\langle b_n^*, b_n^*\rangle} = \dfrac{\langle t, b_n^*\rangle}{\langle b_n^*, b_n^*\rangle} - c \in [-1/2, 1/2)$,
  where we have used $\langle v', b_n^*\rangle = 0$ (as $v' \in \mathrm{span}(b_1, \ldots, b_{n-1})$, which is orthogonal to $b_n^*$) and $\langle b_n, b_n^*\rangle = \langle b_n^*, b_n^*\rangle$.
Nearest Plane Algorithm and Closest Vector Problem
• Fact: $\lambda_1(L(B)) \ge \min_i \|b_i^*\|$.
• The fundamental region $C(B^*)$ contains a sphere centered at $0$ of radius $\rho = \min_i \|b_i^*\| / 2 \le \lambda_1(L(B)) / 2$.
• Thus, if a point $t$ is within distance $\rho$ of a lattice point $v \in L(B)$, then $v$ is the closest lattice point to $t$. NearestPlane($B$, $t$) will solve the CVP.
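As an added worked example (not code from the original slides), one block serving the Gram-Schmidt and determinant slides as well as the nearest plane slides: exact Gram-Schmidt orthogonalization, a check of $|\det B| = \prod_i \|b_i^*\|$ (done on squared norms to stay in $\mathbb{Q}$), the recursive NearestPlane algorithm, the cell test $\langle t - v, b_i^*\rangle / \langle b_i^*, b_i^*\rangle \in [-1/2, 1/2)$, and a target within $\rho$ of a lattice point being decoded to it. Function names, the basis and the targets are this example's own constructions; basis vectors are the columns of $B$.

```python
# Added example (not from the original slides): Gram-Schmidt, the determinant
# identity, and NearestPlane with its correctness condition, all in exact
# rational arithmetic.  Matrices are lists of rows; basis vectors are COLUMNS.
from fractions import Fraction
import math

def columns(B):
    return [[Fraction(B[r][j]) for r in range(len(B))] for j in range(len(B[0]))]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(bs):
    """b_i* = b_i - sum_{j<i} mu_ij b_j*,  mu_ij = <b_i, b_j*> / ||b_j*||^2."""
    stars = []
    for b in bs:
        s = list(b)
        for bj in stars:
            mu = dot(b, bj) / dot(bj, bj)
            s = [x - mu * y for x, y in zip(s, bj)]
        stars.append(s)
    return stars

def det(B):
    """Determinant over Q by row elimination (only used to check the identity)."""
    M = [[Fraction(x) for x in row] for row in B]
    n, d = len(M), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            M[c], M[p] = M[p], M[c]
            d = -d
        d *= M[c][c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return d

def gs_norms_sq(B):
    return [dot(s, s) for s in gram_schmidt(columns(B))]

def det_identity_holds(B):
    """prod ||b_i*||^2 == det(B)^2, i.e. |det B| = prod ||b_i*||."""
    prod = Fraction(1)
    for q in gs_norms_sq(B):
        prod *= q
    return prod == det(B) ** 2

def round_nearest(x):
    return math.floor(x + Fraction(1, 2))

def nearest_plane(bs, t):
    """NearestPlane(B = (b_1..b_n), t): choose c for b_n, recurse on (b_1..b_{n-1})."""
    if not bs:
        return [Fraction(0)] * len(t)
    stars = gram_schmidt(bs)
    bn, bn_star = bs[-1], stars[-1]
    c = round_nearest(dot(t, bn_star) / dot(bn_star, bn_star))
    t2 = [x - c * y for x, y in zip(t, bn)]
    v = nearest_plane(bs[:-1], t2)
    return [x + c * y for x, y in zip(v, bn)]

def cvp_nearest_plane(B, t):
    return tuple(nearest_plane(columns(B), [Fraction(x) for x in t]))

def in_centered_cell(B, t, v):
    """Is t in v + C(B*), i.e. every <t-v, b_i*>/<b_i*, b_i*> in [-1/2, 1/2)?"""
    diff = [Fraction(a) - Fraction(b) for a, b in zip(t, v)]
    return all(Fraction(-1, 2) <= dot(diff, s) / dot(s, s) < Fraction(1, 2)
               for s in gram_schmidt(columns(B)))

if __name__ == "__main__":
    B = [[2, 1], [1, 3]]                              # constructed: columns (2,1), (1,3), det 5
    print(gs_norms_sq(B), det_identity_holds(B))      # [5, 5] True  (b_1* = (2,1), b_2* = (-1,2))
    v = cvp_nearest_plane(B, (3, 3))
    print(v, in_centered_cell(B, (3, 3), v))          # (3, 4) True
    # rho = min ||b_i*|| / 2 = sqrt(5)/2; a target about 0.36 from (3,4) is decoded to it
    print(cvp_nearest_plane(B, (Fraction(16, 5), Fraction(43, 10))))   # (3, 4)
```

The recursion mirrors the slide's algorithm exactly: the Gram-Schmidt vector of the last basis vector picks the hyperplane, and the remaining coordinates are handled by the call on the shorter basis.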
Recall RSA Cryptosystem
• Key generation: (a) Randomly generate $n = pq$ for large primes $p, q$. (b) Public key: $(n, e)$, $e$ coprime to $\varphi(n)$. (c) Secret key: $d := e^{-1} \bmod \varphi(n)$.
• The security of RSA requires that breaking RSA is hard for all (but a negligible portion of) instances. By breaking RSA we mean finding the secret key.
• It depends on the assumption that factoring a randomly generated semiprime $n = pq$ is hard.
Ajtai's worst-case to average-case reduction
• Worst-case to worst-case reduction, say P1 $\le$ P2: If there is an algorithm that solves P2 in the worst case, then there is an algorithm that solves P1 in the worst case.
• Worst-case to average-case reduction, say P1 $\le$ P2: If there is an algorithm that solves a randomly generated instance of P2 with nonnegligible probability, then there is an algorithm that solves the worst case of P1 with probability $\approx 1$.
• In 1996, Ajtai established such a worst-case to average-case reduction for some lattice problems.
• Let $A$ be a matrix of dimensions $n \times m$, and $q$ an integer, where $m = c_1\, n \log n$ and $q = n^{c_2}$. Define
  $\Lambda_q^{\perp}(A) := \{\, x \in \mathbb{Z}^m : A x = 0 \bmod q \,\}$.
• Ajtai showed: worst-case $n^c$-unique-SVP on an $n$-dimensional lattice $\le$ average-case SVP on $\Lambda_q^{\perp}(A)$, for some constants $c$, $c_1$ and $c_2$.
• Based on this reduction, Ajtai and Dwork in 1997 constructed a public-key cryptosystem whose security depends on the (conjectured) worst-case hardness of unique-SVP.
• Later when we study FHE schemes, it is important to note whether the security is based on worst-case or average-case hardness.
• Q: Is the security of RSA based on the worst-case hardness or the average-case hardness of semiprime factorization?