Notes for UMich EECS 598 (2015): Clean-up

Notes for UMich EECS 598 (2015) are for Lattices in Cryptography virtually instructed by Chris Peikert (i.e., I taught myself using resources made available by him). This entry is for homework 3, homework 4 and lecture note 5.

This series of blog entries are complementary to the course lecture notes. Since I have nothing I want to add for lecture note 6, there will not be a dedicated entry for that. Also, there is basically only one paragraph of comments to lecture note 5, buried in the solution to homework 3 problem 1. Together with that homework 3 and 4 are short, I decided to merge all these into one entry.

Homework 3

Problem 1. I can do this for all $γ \geq 1 + ε$ for any fixed positive $ε,$ or alternatively, for density $\leq \frac{C}{ε + l o g γ}$ for any fixed positive $ε .$ However, my method breaks down once we move to the original formulation with $γ = 1 + o (1) .$

Updated on 13 January. The homework problem definitely should assume use either density $\leq \frac{C}{ε + l o g γ}$ or assume $γ \geq 1 + ε$ for some $ε > 0 .$ Otherwise, this would contradict the last sentence of lecture note 5. For simplicity, I will assume $γ \geq 2 .$

WLoG, assume $a_{1}$ is the largest entry in $a .$ By the density constraint, we have $a_{1} \geq γ^{n / C} .$ We set $B = ⌈ γ n ⌉$ in Frieze’s attack, then any $γ -$ approximation of the shortest non-zero vector is in the form of $(z 0) = B (z z_{n + 1}) .$ Assuming $z$ is not a multiple of $x$ and following the same argument in lecture note 5, we find $a^{T} y = 0$ for $y = z - z_{n + 1} x \neq = 0 .$ Moreover, $y$ has at least two non-zero entries, since all entries in $a$ are positive.

Let $S$ be the set of tuples of integer vectors and integers $(z, z_{n + 1}, x, y, i)$ s.t. $∣ z ∣ \leq γ n, ∣ z_{n + 1} ∣ \leq 2 γ n, x \in {0, 1}^{n}, y = z - z_{n + 1} x$ and $i \geq 2$ is the smallest index s.t. $y_{i} \neq = 0 .$ Note that $y, i$ are uniquely determined by $z, z_{n + 1}, x .$ If we sample non-largest entries in $a$ uniformly at random, we have $a Pr [\exists s \in S : a^{T} y = 0] \leq s \in S \sum a Pr [a_{i} = \frac{- \sum _{j \neq = i} a _{j} y _{j}}{y _{i}}] \leq \frac{∣ S ∣}{γ ^{n / C}} .$

We now bound $∣ S ∣ .$ Let $X = [\frac{- 1}{2}, \frac{1}{2})^{n},$ then for any two distinct integer vectors $z, z^{'},$ we have $(z + X) \cap (z^{'} + X) = \emptyset .$ Moreover, for any integer vector $z$ of length at most $γ n,$ we have $(z + X) \subseteq (γ + 1) n \overline{B} .$ Therefore, by counting the volume, $∣ S ∣ \leq V_{n} (γ + 1)^{n} n^{n / 2} \cdot (2 γ n + 1) \cdot 2^{n} \sim 2 γ π (8 π e (γ + 1)^{2})^{n / 2} .$ If we set $C = 1 / 5,$ we get $∣ S ∣ / γ^{n / C} = o (γ^{1 - n / 2}) = o (2^{- n / 2}) .$

For large enough $n,$ we use Frieze’s attack with the above $B;$ for small $n ’s$ we can solve the subset-sum problem using brute force. This solves all but an exponentially small fraction of subset-sum instances of density $\leq \frac{1}{5 l o g γ}$ in polynomial time using an $S V P_{γ}$ oracle.

Question. In lecture note 5, the author did not fix $x$ when considering the probability of $a^{T} y = 0 .$ This seems to be an error, because $y$ is dependent on $a$ (because $x$ is dependent on $a, s),$ and the right-hand side of $‘ a_{1} = \frac{- \sum _{i = 2}^{n} a _{i} y _{i}}{y _{1}} ’$ is highly non-independent of $a_{1} .$ I cannot make a useful estimation of the probability of this event. The conclusion in the lecture note is unaffected, because the extra loss of $2^{n}$ is killed by $2^{- ε n^{2}} .$

Problem 2. This is true due to the uniqueness of QDU/LDQ decomposition and that $(Q D U)^{- T}$ is exactly in the form of $L D Q .$

Problem 3. This seems beyond the scope of the (incomplete) lecture notes and beyond my knowledge base.

Homework 4

Clearly, starting from this homework, the course entered the phase of using lattice assumptions to construct cryptographic objects. The lecture notes, on the other hand, cover nothing about this topic.

Problem 1(a). This problem is trivial if $q$ is a prime power (using Gaussian elimination). For general $q,$ the problem seems non-trivial to me. ~~I’m very interested to learn how the algorithm for general $q$ works.~~

Note that if we’re not restricted to permuting the columns but arbitrary invertible operations over them, the problem is again simple using Smith normal form.

Updated today later. I posted this question to IIIS WeChat group, and a few alumni/students had a discussion. Tianqi Yang suggested looking at matroid structure and Qi Zhang suggested this could be NP-hard. Indeed, Wikipedia says computing the maximum common independent subset of three (general) matroids is NP-hard, and this StackExchange response by Sahil Singla suggests a simpler reduction from 3D matching.

With these hints, it’s straightforward to come up with $3D- MATCHING \leq_{m}^{P} INV- SUBMATRIX- Z_{30} .$ Here, $INV- SUBMATRIX- Z_{30}$ is the problem of deciding whether there is an invertible $n \times n$ submatrix of a given $n \times m$ matrix over $Z_{30} .$

More precisely, the problem can be solved in polynomial time if $q$ has at most two distinct prime factors and one prime factor is known; and the problem is NP-hard if $q$ has at least three distinct prime factors and two of them are known.

This shouldn’t affect most use cases in cryptography. I suppose people will use a prime power $q .$ Even if not, when all prime factors of $q$ are super-polynomially large and the matrix is sampled uniformly at random, the first $n$ columns will be invertible with overwhelming probability, so we don’t have to deal with this NP-hard problem at all.

Problem 1(b). Writing $A = (P R) Q$ for invertible matrix $P$ and permutation matrix $Q,$ we have $L^{⊥} (A) = L^{⊥} (P^{- 1} A) .$ Therefore, we can replace $A$ by $P^{- 1} A,$ which has $I_{n}$ as a submatrix (position determined by $Q),$ without changing the lattice.

Problem 1(c). Writing $A = P (I_{n} \overline{A}) Q$ for invertible matrix $P$ and permutation matrix $Q,$ we have $L^{⊥} (A) = {Q^{- 1} (q u - \overline{A} v v) : u \in Z^{n}, v \in Z^{m - n}} .$ The basis can be chosen as $B = Q^{- 1} (q I_{n} - \overline{A} I_{m - n}) .$

Problem 1(d). For typical parameters, we use the property that a random $A$ contains an invertible $n \times n$ submatrix with high probability (say, with probability $1 - p),$ and we reduce SIS to ‘SIS with small noise’ at the price of removing $p -$ fraction of solvable instances. Conditioned on $A$ containing an invertible $n \times n$ submatrix, we write $A = P (I_{n} A^{'}) Q .$ Note that $A^{'}$ is uniformly random. We use the ‘SIS with small noise’ oracle to get $z, e$ s.t. $z \neq = 0, A^{'} z = e$ and $e$ is small. Now, $Q^{- 1} (- e z)$ is a non-zero small (because $e, z$ are small and $Q$ only permutes the indices) solution to $A x = 0 .$

Problem 2. For any multi-secret LWE distinguisher, construct the following LWE distinguisher that internally runs the multi-secret LWE distinguisher:

At the beginning, sample $t^{'} \leftarrow $ [t]$ and $s_{i} \leftarrow $ Z_{q}^{n}$ for $t^{'} < i \leq t .$
Whenever LWE distinguisher asks for a new challenge tuple $(a, b_{1}, \dots, b_{t}),$ ask for an LWE challenge pair $(a, b),$ sample $b_{i} \leftarrow $ Z_{q}$ for $i < t^{'}$ and $e_{i} \leftarrow $ χ$ for $t^{'} < i \leq t,$ and return $(a, b_{1}, \dots, b_{t^{'} - 1}, b, ⟨ a, s_{t^{'} + 1} ⟩ + e_{t^{'} + 1}, \dots, ⟨ a, s_{t} ⟩ + e_{t})$ to the LWE distinguisher.
At the end, output whatever the multi-secret LWE distinguisher outputs.

The LWE distinguisher has advantage (at least) $1 / t$ of that of the multi-secret LWE distinguisher.

Problem 3. I don’t know what cryptosystem was discussed in the lecture. Regev’s LWE-based encryption has ciphertext size $n lo g q,$ but its public-key is of size $\sim n^{2} lo g^{2} q .$ So does dual Regev (GPV) scheme. If the problem is indeed talking about Regev’s encryption, we could simply use the $n$ instances with shared $A .$ This blows up the public key/ciphertext sizes by a constant factor.