# The Mathematics of Lattices · PDF file 2020-02-07 · Point Lattices and Lattice Parameters (Point) Lattices Traditional area of mathematics Lagrange Gauss Minkowski Key to many algorithmic

• View
5

1

Embed Size (px)

### Text of The Mathematics of Lattices · PDF file 2020-02-07 · Point Lattices and Lattice...

• The Mathematics of Lattices

Daniele Micciancio

January 2020

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 1 / 43

• Outline

1 Point Lattices and Lattice Parameters

2 Computational Problems Coding Theory

3 The Dual Lattice

4 Q-ary Lattices and Cryptography

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 2 / 43

• Point Lattices and Lattice Parameters

1 Point Lattices and Lattice Parameters

2 Computational Problems Coding Theory

3 The Dual Lattice

4 Q-ary Lattices and Cryptography

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 3 / 43

• Point Lattices and Lattice Parameters

(Point) Lattices

◦ ◦ ◦ Lagrange Gauss Minkowski

Key to many algorithmic applications

Cryptanalysis (e.g., breaking low-exponent RSA) Coding Theory (e.g., wireless communications) Optimization (e.g., Integer Programming with fixed number of variables) Cryptography (e.g., Cryptographic functions from worst-case complexity assumptions, Fully Homomorphic Encryption)

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 4 / 43

• Point Lattices and Lattice Parameters

(Point) Lattices

◦ ◦ ◦ Lagrange Gauss Minkowski

Key to many algorithmic applications

Cryptanalysis (e.g., breaking low-exponent RSA) Coding Theory (e.g., wireless communications) Optimization (e.g., Integer Programming with fixed number of variables) Cryptography (e.g., Cryptographic functions from worst-case complexity assumptions, Fully Homomorphic Encryption)

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 4 / 43

• Point Lattices and Lattice Parameters

Lattice Cryptography: a Timeline

1982: LLL basis reduction algorithm

Traditional use of lattice algorithms as a cryptanalytic tool

1996: Ajtai’s connection

Relates average-case and worst-case complexity of lattice problems Application to one-way functions and collision resistant hashing

2002: Average-case/worst-case connection for structured lattices. Key to efficient lattice cryptography.

2005: (Quantum) Hardness of Learning With Errors (Regev)

Similar to Ajtai’s connection, but for injective functions Wide cryptographic applicability: PKE, IBE, ABE, FHE.

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 5 / 43

• Point Lattices and Lattice Parameters

Lattices: Definition

e1 e2

The simplest lattice in n-dimensional space is the integer lattice

Λ = Zn

b1

b2

Other lattices are obtained by applying a linear transformation

Λ = BZn (B ∈ Rd×n)

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43

• Point Lattices and Lattice Parameters

Lattices: Definition

e1 e2

The simplest lattice in n-dimensional space is the integer lattice

Λ = Zn

b1

b2

Other lattices are obtained by applying a linear transformation

Λ = BZn (B ∈ Rd×n)

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 6 / 43

• Point Lattices and Lattice Parameters

Lattices and Bases

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b1, . . . ,bn} ⊂ Rn:

L = n∑

i=1

bi · Z

= {Bx : x ∈ Zn}

The same lattice has many bases

L = n∑

i=1

ci · Z

Definition (Lattice)

A discrete additive subgroup of Rn

b1

b2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43

• Point Lattices and Lattice Parameters

Lattices and Bases

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b1, . . . ,bn} ⊂ Rn:

L = n∑

i=1

bi · Z = {Bx : x ∈ Zn}

The same lattice has many bases

L = n∑

i=1

ci · Z

Definition (Lattice)

A discrete additive subgroup of Rn

b1

b2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43

• Point Lattices and Lattice Parameters

Lattices and Bases

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b1, . . . ,bn} ⊂ Rn:

L = n∑

i=1

bi · Z = {Bx : x ∈ Zn}

The same lattice has many bases

L = n∑

i=1

ci · Z

Definition (Lattice)

A discrete additive subgroup of Rn

c1

c2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43

• Point Lattices and Lattice Parameters

Lattices and Bases

A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b1, . . . ,bn} ⊂ Rn:

L = n∑

i=1

bi · Z = {Bx : x ∈ Zn}

The same lattice has many bases

L = n∑

i=1

ci · Z

Definition (Lattice)

A discrete additive subgroup of Rn

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 7 / 43

• Point Lattices and Lattice Parameters

Determinant

Definition (Determinant)

det(L) = volume of the fundamental region P = ∑

i bi · [0, 1)

Different bases define different fundamental regions

All fundamental regions have the same volume

The determinant of a lattice can be efficiently computed from any basis.

P b1 b2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43

• Point Lattices and Lattice Parameters

Determinant

Definition (Determinant)

det(L) = volume of the fundamental region P = ∑

i bi · [0, 1)

Different bases define different fundamental regions

All fundamental regions have the same volume

The determinant of a lattice can be efficiently computed from any basis.

P b1 b2

c1

c2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43

• Point Lattices and Lattice Parameters

Determinant

Definition (Determinant)

det(L) = volume of the fundamental region P = ∑

i bi · [0, 1)

Different bases define different fundamental regions

All fundamental regions have the same volume

The determinant of a lattice can be efficiently computed from any basis.

P b1 b2

c1

c2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43

• Point Lattices and Lattice Parameters

Determinant

Definition (Determinant)

det(L) = volume of the fundamental region P = ∑

i bi · [0, 1)

Different bases define different fundamental regions

All fundamental regions have the same volume

The determinant of a lattice can be efficiently computed from any basis.

P b1 b2

c1

c2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 8 / 43

• Point Lattices and Lattice Parameters

Density estimates

Definition (Centered Fundamental Parallelepiped)

P = ∑

i bi · [−1/2, 1/2)

vol(P(B)) = det(L) {x + P(B) | x ∈ L} partitions Rn

For all sufficiently large S ⊆ Rn

|S ∩ L| ≈ vol(S)/ det(L)

b1

b2

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 9 / 43

• Point Lattices and Lattice Parameters

Minimum Distance and Successive Minima

Minimum distance

λ1 = min x,y∈L,x6=y

‖x− y‖

= min x∈L,x6=0

‖x‖

Successive minima (i = 1, . . . , n)

λi = min{r : dim span(B(r) ∩ L) ≥ i}

Examples

Zn: λ1 = λ2 = . . . = λn = 1 Always: λ1 ≤ λ2 ≤ . . . ≤ λn

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43

• Point Lattices and Lattice Parameters

Minimum Distance and Successive Minima

Minimum distance

λ1 = min x,y∈L,x6=y

‖x− y‖

= min x∈L,x6=0

‖x‖

Successive minima (i = 1, . . . , n)

λi = min{r : dim span(B(r) ∩ L) ≥ i}

Examples

Zn: λ1 = λ2 = . . . = λn = 1 Always: λ1 ≤ λ2 ≤ . . . ≤ λn

λ1

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43

• Point Lattices and Lattice Parameters

Minimum Distance and Successive Minima

Minimum distance

λ1 = min x,y∈L,x6=y

‖x− y‖

= min x∈L,x6=0

‖x‖

Successive minima (i = 1, . . . , n)

λi = min{r : dim span(B(r) ∩ L) ≥ i}

Examples

Zn: λ1 = λ2 = . . . = λn = 1 Always: λ1 ≤ λ2 ≤ . . . ≤ λn

λ1

Daniele Micciancio (UCSD) The Mathematics of Lattices Jan 2020 10 / 43

• Point Lattices and Lattice Parameters

Minimum Distance and Successive Minima

Minimum distance

λ1 = min x,y∈L,x6=y

‖x− y‖

= min x∈L,x6=0

‖x‖

Successive minima (i = 1, . . . , n)

λi = min{r : dim span(B(r) ∩ L) ≥ i}

Examples

Zn: λ1 = λ2 = . . . = λn = 1 ##### Classes of completely distributive complete lattices by Ph. Dwinger · PDF file 2016. 12. 31. · MATHEMATICS Classes of completely distributive complete lattices by Ph. Dwinger Department
Documents ##### Introduction to Hexagonal Lattices in CompuCell3D · PDF file Introduction to Hexagonal Lattices in CompuCell3D ... Cartesian lattices. However those lattices do look different and
Documents ##### 1 Game Mathematics. Matrices Matrices Vectors Vectors Fixed-point Real Numbers Fixed-point Real Numbers Triangle Mathematics Triangle Mathematics Intersection
Documents ##### Positive Operators and Semigroups on Banach Lattices: Proceedings of a Caribbean Mathematics Foundation Conference 1990
Documents ##### Mathematics of Incidence (part 3): What's with Abby and Doughnuts? (More about concept lattices)
Data & Analytics ##### Minimal co-volume hyperbolic lattices, · PDF file Minimal co-volume hyperbolic lattices, II: ... (ABA 1B 1) 2 = 0. 1 is a two ... where each of Aand Bis either a point or
Documents ##### Point Lattices: Bravais Lattices - 2D & 3D Crystal Structures A. Orthogonal Primitive Lattices Vectors Then choose primitive lattice vectors along the x, y and z axes The 3D sampling
Documents ##### THE FIXED-POINT PARTITION LATTICES · PDF filestructure theory for supersolvable lattices given by Stanley and particularly with his elegant results concerning Birkhoff ... lattice
Documents ##### Mathematics of incidence (part 2): formal concepts and formal concept lattices
Data & Analytics ##### Lecture 12 Crystallography Internal Order and 2-D Symmetry Internal Order and 2-D Symmetry Plane Lattices Planar Point Groups Planar Point Groups Plane
Documents ##### THE FIXED-POINT PARTITION LATTICES - · PDF fileTHE FIXED-POINT PARTITION LATTICES ... particularly with his elegant results concerning Birkhoff polynomials ... lattice theory see
Documents ##### An Introduction to the Theory of Lattices and jhs/Presentations/ of Lattices and Applications to Cryptography ... † Lattices and Lattice Problems ... Lattices and Lattice Problems
Documents ##### EE -lattices and dihedral groups - University of · PDF fileEE8-lattices and dihedral groups Robert L. Griess Jr. Department of Mathematics University of Michigan Ann Arbor, MI 48109
Documents ##### 14 bravais lattices and Screw axes - دانشگاه کاشان · PDF file 14 bravais lattices and Screw axes . Point and Space Groups •7 crystal systems •14 Bravais lattices •230
Documents ##### Subgroup Lattices of Groups - Department of Mathematics · PDF fileSubgroup Lattices of Groups by Roland Schmidt W DE G ... referred to the books of Birkhoff, ... 1.1 Basic concepts
Documents ##### Multidimensional quadrilateral lattices with the values in ... · PDF filePlan • Introduction • Multidimensional quadrilateral lattices (planar lattices, Q-nets) • Grassmann
Documents Documents