144 research outputs found
Markov Chain Monte Carlo Algorithms for Lattice Gaussian Sampling
Sampling from a lattice Gaussian distribution is emerging as an important
problem in various areas such as coding and cryptography. The default sampling
algorithm --- Klein's algorithm yields a distribution close to the lattice
Gaussian only if the standard deviation is sufficiently large. In this paper,
we propose the Markov chain Monte Carlo (MCMC) method for lattice Gaussian
sampling when this condition is not satisfied. In particular, we present a
sampling algorithm based on Gibbs sampling, which converges to the target
lattice Gaussian distribution for any value of the standard deviation. To
improve the convergence rate, a more efficient algorithm referred to as
Gibbs-Klein sampling is proposed, which samples block by block using Klein's
algorithm. We show that Gibbs-Klein sampling yields a distribution close to the
target lattice Gaussian, under a less stringent condition than that of the
original Klein algorithm.Comment: 5 pages, 1 figure, IEEE International Symposium on Information
Theory(ISIT) 201
On the Lattice Isomorphism Problem
We study the Lattice Isomorphism Problem (LIP), in which given two lattices
L_1 and L_2 the goal is to decide whether there exists an orthogonal linear
transformation mapping L_1 to L_2. Our main result is an algorithm for this
problem running in time n^{O(n)} times a polynomial in the input size, where n
is the rank of the input lattices. A crucial component is a new generalized
isolation lemma, which can isolate n linearly independent vectors in a given
subset of Z^n and might be useful elsewhere. We also prove that LIP lies in the
complexity class SZK.Comment: 23 pages, SODA 201
Lattice Gaussian Sampling by Markov Chain Monte Carlo: Bounded Distance Decoding and Trapdoor Sampling
Sampling from the lattice Gaussian distribution plays an important role in
various research fields. In this paper, the Markov chain Monte Carlo
(MCMC)-based sampling technique is advanced in several fronts. Firstly, the
spectral gap for the independent Metropolis-Hastings-Klein (MHK) algorithm is
derived, which is then extended to Peikert's algorithm and rejection sampling;
we show that independent MHK exhibits faster convergence. Then, the performance
of bounded distance decoding using MCMC is analyzed, revealing a flexible
trade-off between the decoding radius and complexity. MCMC is further applied
to trapdoor sampling, again offering a trade-off between security and
complexity. Finally, the independent multiple-try Metropolis-Klein (MTMK)
algorithm is proposed to enhance the convergence rate. The proposed algorithms
allow parallel implementation, which is beneficial for practical applications.Comment: submitted to Transaction on Information Theor
An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices
In this paper, we study the Learning With Errors problem and its binary
variant, where secrets and errors are binary or taken in a small interval. We
introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on
a quantization step that generalizes and fine-tunes modulus switching. In
general this new technique yields a significant gain in the constant in front
of the exponent in the overall complexity. We illustrate this by solving p
within half a day a LWE instance with dimension n = 128, modulus ,
Gaussian noise and binary secret, using
samples, while the previous best result based on BKW claims a time
complexity of with samples for the same parameters. We then
introduce variants of BDD, GapSVP and UniqueSVP, where the target point is
required to lie in the fundamental parallelepiped, and show how the previous
algorithm is able to solve these variants in subexponential time. Moreover, we
also show how the previous algorithm can be used to solve the BinaryLWE problem
with n samples in subexponential time . This
analysis does not require any heuristic assumption, contrary to other algebraic
approaches; instead, it uses a variant of an idea by Lyubashevsky to generate
many samples from a small number of samples. This makes it possible to
asymptotically and heuristically break the NTRU cryptosystem in subexponential
time (without contradicting its security assumption). We are also able to solve
subset sum problems in subexponential time for density , which is of
independent interest: for such density, the previous best algorithm requires
exponential time. As a direct application, we can solve in subexponential time
the parameters of a cryptosystem based on this problem proposed at TCC 2010.Comment: CRYPTO 201
A New View on Worst-Case to Average-Case Reductions for NP Problems
We study the result by Bogdanov and Trevisan (FOCS, 2003), who show that
under reasonable assumptions, there is no non-adaptive worst-case to
average-case reduction that bases the average-case hardness of an NP-problem on
the worst-case complexity of an NP-complete problem. We replace the hiding and
the heavy samples protocol in [BT03] by employing the histogram verification
protocol of Haitner, Mahmoody and Xiao (CCC, 2010), which proves to be very
useful in this context. Once the histogram is verified, our hiding protocol is
directly public-coin, whereas the intuition behind the original protocol
inherently relies on private coins
- …