In this chapter we will study some specific types of lattices that appear in cryptography. These will help us understand how certain problems we base our algorithms on reduce to other hard problems. They will also give insight about the geometry of lattices.
Intuitively, if we have a problem (1) in some lattice space we can reduce it to a hard problem (2) in another related lattice space. Then if we can prove that if solving problem (1) implies solving problem (2) then we can conclude that problem (1) is as hard as problem (2)
Understanding this chapter will strengthen the intuition for the fututre when we will study what breaking a lattice problem means and how to link it to another hard lattice problem.
Dual lattice
Let be a lattice. We define the dual of a lattice as the set of all vectors such that for all vectors :
Note that the vectors in the dual lattice are not necessarily in the initial lattice . They are spanned by the basis vectors of the lattice .
Examples:
because the dot product of all vectors in stays in
Scaling:
Proof:
If
If
Plot: - green, - red
Intuition: We can think of the dual lattice as some kind of inverse of the initial lattice
Basis of the dual lattice
We will now focus on the problem of finding the basis of the dual lattice given the lattice and its basis .
Reminder: We can think of the lattice as a transformation given by its basis on .
We have the following equivalences:
Therefore so we have found a base for our dual lattice:
Let's look at some plots. With green I will denote the original lattice and with red the dual. The scripts for the plots can be found in in the interactive fun section
Properties
The dual of the dual is the initial lattice (to prove think of the basis of )
(to prove think of the basis of )
Successive minima
We've seen that we can find the basis of the dual lattice given the basis of the original lattice. Let's look at another interesting quantity: the successive minima of a lattice and its dual . Let's see what can we uncover about them.
We recommend to try and think about the problem for a few minutes before reading the conclusions.
What is ? What about ? Can you see some patterns?
Reminder: We defined the successive minima of a lattice as such:
Claim 1:
Proof:
By Minkowski's bound we know:
and . By multiplying them we get the desired result.
From this result we can deduce that the minima of the and have an inverse proportional relationship (If one is big, the other is small).
Claim 2:
Proof:
Let be such that . Then take any set of linearly independent vectors in .
Not all of them are orthogonal to . Hence, there exists an such that .
By the definition of the dual lattice, we have and hence
Geometry + Partitioning
// TODO
Q-ary lattices
We've seen that in cryptography we don't like to work with infinite sets (like ) and we limit them to some finite set using the operation (). We will apply the same principle to the lattices so let us define the concept of a q-ary lattice.
Definition:
For a number we call a lattice q-ary if
Intuition:
is periodic
We use arithmetic
We will now look at 2 more types of lattices that are q-ary. Let be a matrix with . Consider the following lattices:
Intuition:
Think of as the image of the matrix , the matrix spanned by the rows of
Think of as the kernel of modulo . The set of solutions
Remark: If the same matrix is used ( is fixed ) then
Claim:
and are the dual of each other (up to scaling):
Proof:
Firstly we will show
Let for some
Let for some
Then we have:
The second part is left as an exercise to the reader :D. Show
Resources
For xβL,yβLβ¨consider the vector dot product and addition
- xβ yβZ
- x+y has no geometric meaning, they are in different spaces
