# Hard lattice problems {% hint style="danger" %} This section is not complete. Help is needed with relevance + examples in cryptography, algorithms + hardness, relations between problems. Also needs review from more experienced people. {% endhint %} ## Introduction Now that we are comfortable with lattices we shall study why are they important to cryptography. Like we said, when we construct cryptosystems we usually are looking for hard problems to base them on. The lattice world provides us with such problems such as the s**hortest vector problem** or the c**losest vector problem.** What makes lattices even more special is that some cryptographic problems (which we will study in the next chapter) can be reduced to *worst-case* lattice problems which makes them crazy secure. Moreover, some problems are even secure against quantum computers. But enough talk, let's get right into it! ## Shortest vector problem + GapSVP Before we go into any problems we must first define the concept of distance in a lattice. Let: * $$L=$$ Lattice * $$\mathcal B =$$ the basis of the lattice * $$n =$$the dimension of the lattice **Distance function** Given some distance function (Example: Euclidean norm) the distance from a vector $$t$$ to the lattice $$L$$ is the distance from the vector to the closest point in the in lattice. $$ \mu(t, L) = \underset{v \in \mathcal{L}}{\min}{|t-v|} $$ ![](https://3048596314-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZDWnXlfe2CXv0vGqAA%2F-M_G-TFN1no4S3ObmyHo%2F-M_Gj5lgZJDty2Zzb_z0%2Fimage.png?alt=media\&token=ae64fce2-bc91-4409-8c16-9f11578b9586) We will denote the length of the shortest vector with $$|v| = \lambda\_1(L)$$and the length of the next **independent** vectors in order with $$\lambda\_i(L) \Rightarrow\lambda\_1({L}) \leq \lambda\_2({L}) \leq ... \leq \lambda\_n({L})$$ ![](https://3048596314-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZDWnXlfe2CXv0vGqAA%2F-M_G-TFN1no4S3ObmyHo%2F-M_GjFcgh-BUvnCektQM%2Fimage.png?alt=media\&token=c79813cf-5694-41b8-aef6-298e5ca7c16a) #### Shortest vector problem Given a lattice $$L$$ and an arbitrary basis $$\mathcal{B}$$ for it our task is to find the shortest vector $$v \in L$$. **Approximate SVP** We relax the SVP problem a bit. Given an arbitrary basis $$\mathcal{B}$$find a shortest nonzero lattice vector $$v \in L$$such that $$v < \gamma(n)\cdot \lambda\_1(L)$$. Here $$\gamma(n) > 1$$is some approximation factor. ![](https://3048596314-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZDWnXlfe2CXv0vGqAA%2F-M_G-TFN1no4S3ObmyHo%2F-M_Gh1fr0WxHiv2Pztb9%2Fimage.png?alt=media\&token=563ec5d7-5b3e-4c5e-a315-03671f48deb4) #### Decision SVP (GapSVP) Given a lattice $$L$$with a basis $$\mathcal B$$ we must distinguish if $$\lambda\_1(L) \leq 1$$ or $$\lambda > \gamma(n)$$ #### Sage example ```python # We can find the shortest vector using the LLL algorithm M = matrix([[-1, 2], [-2, 3]]) B = M.LLL() print(B[0]) # (0, -1) # Or we can use the Integer Lattice class L = IntegerLattice(M) L.shortest_vector() # (-1, 0) ``` ## Closest Vector problem + GapCVP **Closest vector problem** Given a lattice $$L$$ with an arbitrary basis $$\mathcal B$$ and a vector $$w \in \mathbb{R}^n$$ find the closest lattice vector to $$w$$ $$v \in {L}, |v-w| \leq \mu$$ ![](https://3048596314-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZDWnXlfe2CXv0vGqAA%2F-M_G-TFN1no4S3ObmyHo%2F-M_HFedCjh99aYzSK_Xu%2Fimage.png?alt=media\&token=d16de51c-b866-4afb-b8af-4089efb22942) ![](https://3048596314-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZDWnXlfe2CXv0vGqAA%2F-M_LmOjlAdCfD46sZgwq%2F-M_LnKU-pZNnPu1TlwwS%2Fimage.png?alt=media\&token=a7839a34-de2d-42d0-922a-798b416b8fbb) **Approximate CVP** Given a lattice $$L$$ with an arbitrary basis $$\mathcal B$$ and a vector $$w \in \mathbb{R}^n$$ find the closest lattice vector to $$w$$ $$v \in {L}, |v-w| < \gamma(n) \cdot \mu$$ ![](https://3048596314-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZDWnXlfe2CXv0vGqAA%2F-M_G-TFN1no4S3ObmyHo%2F-M_HFb9yodzG6YE58qns%2Fimage.png?alt=media\&token=13ed9bb5-4bd1-43b0-9ca7-d74c4c49d1cf) #### Decision CVP (GapCVP) Given a lattice $$L$$with a basis $$\mathcal B$$ and a vector $$w$$ we must decide if * There exists $$v \in L$$s.t $$| v - w| \leq 1$$ * $$\forall v \in L: |v - w| > \gamma(n)$$ #### Sage example ```python M = matrix([[-1, 2], [-2, 3]]) L = IntegerLattice(M) w = vector([1.8, 1.5]) L.closest_vector(w) # (2.00000000000000, 2.00000000000000) ``` ## Bounded distance decoding Given a lattice $$L$$ with an arbitrary basis $$B$$, a vector $$w \in \mathbb{R}^n$$ and a real number $$d \in \mathbb{R}$$ find a lattice vector $$v \in {L}$$ s.t $$|w-v| < d \cdot \lambda\_1({L})$$ **Remark** * If we have $$d < \dfrac 12$$ the solution to the BDD problem is guaranteed to be unique. ## Shortest independent vectors (SIVP) Given a full rank lattice $$L$$ with an arbitrary basis $$\mathcal B$$find $$n$$ **linearly independent** lattice vectors of length at most $$\lambda\_n(L) \Rightarrow \max\_i|v\_i| \leq \lambda\_n(L)$$ or $$\max\_i|v\_i| \leq \gamma(n) \lambda\_n(L)$$for the approximate version. ![](https://3048596314-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZDWnXlfe2CXv0vGqAA%2F-M_LNgyX24sOJlTW5zG1%2F-M_LlMsAW5e4Aj5soyV7%2Fimage.png?alt=media\&token=f5058610-a4c4-465b-9fa8-e614b4d6ecd1) ## Hardness of lattice problems ## Resources * Pictures taken from and "Cryptography made simple - Nigel Smart" and edited a bit * Or generated by me