Polynomial time bounded distance decoding near Minkowski’s bound in discrete logarithm lattices

Ducas, Léo; Pierrot, Cécile

doi:10.1007/s10623-018-0573-3

Cited by 9 publications

(6 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…So, the results of [GP12] are quite far from optimal in terms of (determinant-normalized) decoding distance. By contrast, a recent work of Ducas and Pierrot [DP19] gave, for a certain family of lattices, a simple and efficient decoding algorithm for normalized distance Θ( √ n/ log n), which is tight with Minkowski's bound up to an O(log n) factor. However, their algorithm only performs unique (not list) decoding, below half the minimum distance.…”

Section: Introductionmentioning

confidence: 86%

Lattice (List) Decoding Near Minkowski's Inequality

Mook¹,

Peikert²

2020

Preprint

View full text Add to dashboard Cite

Minkowski proved that any n-dimensional lattice of unit determinant has a nonzero vector of Euclidean norm at most √ n; in fact, there are 2 Ω(n) such lattice vectors. Lattices whose minimum distances come close to Minkowski's bound provide excellent sphere packings and error-correcting codes in R n . The focus of this work is a certain family of efficiently constructible n-dimensional lattices due to Barnes and Sloane, whose minimum distances are within an O( √ log n) factor of Minkowski's bound. Our primary contribution is a polynomial-time algorithm that list decodes this family to distances approaching 1/ √ 2 times the minimum distance. The main technique is to decode Reed-Solomon codes under error measured in the Euclidean norm, using the Koetter-Vardy "soft decision" variant of the Guruswami-Sudan list-decoding algorithm.

show abstract

Section: Introductionmentioning

confidence: 86%

Lattice (List) Decoding Near Minkowski's Inequality

Mook¹,

Peikert²

2020

Preprint

View full text Add to dashboard Cite

show abstract

“…The endgame would be to instantiate with lattices for which all three factors would be very small. In particular, one would naturally turn to recent work on decoding the Chor-Rivest lattices [9,12,25,21] and the Barnes-Sloane lattices [32] giving f " polylogpnq and f 1 " polylogpnq, but unfortunately their dual are not that good: f ˚ě Θp ? nq.…”

Section: Potential Advantagesmentioning

confidence: 99%

“…More specifically, these works attempted to construct particularly good lattices with efficient decoding algorithms, to use it as a secret-key, and to give a bad description of a similar lattice as the corresponding public-key. For example, it was analysed in [12] that the Chor-Rivest cryptosystem [9] was implicitly relying on a family of lattices for which it is possible to efficiently decode errors up to a radius within a factor of Oplog nq from optimal (Minkowski bound). For comparison, the decoding algorithm underlying schemes based on the Learning with Error problem [42] (LWE) fall short from the Minkowski bound by polynomial factors; they essentially reduce decoding to the case of the trivial lattice Z n .…”

Section: Introductionmentioning

confidence: 99%

On the Lattice Isomorphism Problem, Quadratic Forms, Remarkable Lattices, and Cryptography

Ducas

Woerden

2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

A natural and recurring idea in the knapsack/lattice cryptography literature is to start from a lattice with remarkable decoding capability as your private key, and hide it somehow to make a public key. This is also how the code-based encryption scheme of McEliece (1978) proceeds. This idea has never worked out very well for lattices: ad-hoc approaches have been proposed, but they have been subject to ad-hoc attacks, using tricks beyond lattice reduction algorithms. On the other hand the framework offered by the Short Integer Solution (SIS) and Learning With Errors (LWE) problems, while convenient and well founded, remains frustrating from a coding perspective: the underlying decoding algorithms are rather trivial, with poor decoding performance. In this work, we provide generic realizations of this natural idea (independently of the chosen remarkable lattice) by basing cryptography on the lattice isomorphism problem (LIP). More specifically, we provide:a worst-case to average-case reduction for search-LIP and distinguish-LIP within an isomorphism class, by extending techniques of Haviv and Regev (SODA 2014). a zero-knowledge proof of knowledge (ZKPoK) of an isomorphism.This implies an identification scheme based on search-LIP. a key encapsulation mechanism (KEM) scheme and a hash-then-sign signature scheme, both based on distinguish-LIP. The purpose of this approach is for remarkable lattices to improve the security and performance of lattice-based cryptography. For example, decoding within poly-logarithmic factor from Minkowski's bound in a remarkable lattice would lead to a KEM resisting lattice attacks down to poly-logarithmic approximation factor, provided that the dual lattice is also close to Minkowski's bound. Recent works have indeed reached such decoders for certain lattices (Chor-Rivest, Barnes-Sloan), but these do not perfectly fit our need as their duals have poor minimal distance.

show abstract

“…Finally, with respect to our result in Theorem 1.2, we note that a number of previous works have given algorithms for efficient decoding near Minkowski's bound on other families of lattices. These include [MN08,GP12], which showed how to (list) decode to a distance within a O(n 1/4 ) factor of Minkowski's bound on Barnes-Wall lattices; [DP19], which showed how to decode to a distance within a O(log n) factor of Minkowski's bound on a family of discrete-logarithm lattices; and [MP22], which showed how to (list) decode to a distance within a O( √ log n) factor of Minkowski's bound on lattices obtained by applying Construction D to towers of BCH codes.…”

Section: Additional Related Workmentioning

confidence: 99%

Hardness of the (Approximate) Shortest Vector Problem: A Simple Proof via Reed-Solomon Codes

Bennett¹,

Peikert²

2022

Preprint

View full text Add to dashboard Cite

We give a simple proof that the (approximate, decisional) Shortest Vector Problem is NP-hard under a randomized reduction. Specifically, we show that for any p ≥ 1 and any constant γ < 2 1/p , the γapproximate problem in the ℓp norm (γ-GapSVP p ) is not in RP unless NP ⊆ RP. Our proof follows an approach pioneered by Ajtai (STOC 1998), and strengthened by Micciancio (FOCS 1998 and SICOMP 2000), for showing hardness of γ-GapSVP p using locally dense lattices. We construct such lattices simply by applying "Construction A" to Reed-Solomon codes with suitable parameters, and prove their local density via an elementary argument originally used in the context of Craig lattices.As in all known NP-hardness results for GapSVP p with p < ∞, our reduction uses randomness. Indeed, it is a notorious open problem to prove NP-hardness via a deterministic reduction. To this end, we additionally discuss potential directions and associated challenges for derandomizing our reduction. In particular, we show that a close deterministic analogue of our local density construction would improve on the state-of-the-art explicit Reed-Solomon list-decoding lower bounds of Guruswami and Rudra (STOC 2005 and IEEE Transactions on Information Theory 2006).As a related contribution of independent interest, we also give a polynomial-time algorithm for decoding n-dimensional "Construction A Reed-Solomon lattices" (with different parameters than those used in our hardness proof) to a distance within an O( √ log n) factor of Minkowski's bound. This asymptotically matches the best known distance for decoding near Minkowski's bound, due to Mook and Peikert (IEEE Transactions on Information Theory 2022), whose work we build on with a somewhat simpler construction and analysis.

show abstract

Polynomial time bounded distance decoding near Minkowski’s bound in discrete logarithm lattices

Cited by 9 publications

References 18 publications

Lattice (List) Decoding Near Minkowski's Inequality

Lattice (List) Decoding Near Minkowski's Inequality

On the Lattice Isomorphism Problem, Quadratic Forms, Remarkable Lattices, and Cryptography

Hardness of the (Approximate) Shortest Vector Problem: A Simple Proof via Reed-Solomon Codes

Contact Info

Product

Resources

About