Discrete Gaussian Sampling Reduces to CVP and SVP

@article{StephensDavidowitz2016DiscreteGS,
  title={Discrete Gaussian Sampling Reduces to CVP and SVP},
  author={Noah Stephens-Davidowitz},
  journal={ArXiv},
  year={2016},
  volume={abs/1506.07490}
}
The discrete Gaussian $D_{L- t, s}$ is the distribution that assigns to each vector $x$ in a shifted lattice $L - t$ probability proportional to $e^{-\pi \|x\|^2/s^2}$. It has long been an important tool in the study of lattices. More recently, algorithms for discrete Gaussian sampling (DGS) have found many applications in computer science. In particular, polynomial-time algorithms for DGS with very high parameters $s$ have found many uses in cryptography and in reductions between lattice… 

Figures and Tables from this paper

Solving the Shortest Vector Problem in 2n Time Using Discrete Gaussian Sampling: Extended Abstract

The SVP result follows from a natural reduction from SVP to DGS, and a more refined algorithm for DGS above the so-called smoothing parameter of the lattice, which can generate 2n/2 discrete Gaussian samples in just 1.93-approximate decision SVP.

Improved (Provable) Algorithms for the Shortest Vector Problem via Bounded Distance Decoding

New algorithms that improve the state-of-the-art for provable classical/quantum algorithms for SVP are presented, including a new algorithm that provides a smooth tradeoff between time complexity and memory requirement.

Solving the Closest Vector Problem in 2^n Time -- The Discrete Gaussian Strikes Again!

A 2n+o(n)-time and space randomized algorithm for solving the exact Closest Vector Problem (CVP) on n-dimensional Euclidean lattices and it is shown that the approximate closest vectors to a target vector t can be grouped into “lower-dimensional clusters,” and the discrete Gaussian sampling algorithm can be used to solve this variant of approximate CVP.

On the Gaussian Measure Over Lattices

We study the Gaussian mass of a lattice coset ρs(L − t) := ∑ y∈L exp(−π‖y − t‖/s) , where L ⊂ R is a lattice and t ∈ R is a vector describing a shift of the lattice. In particular, we use bounds on

Search-to-Decision Reductions for Lattice Problems with Approximation Factors (Slightly) Greater Than One

The first dimension-preserving search-to-decision reductions for approximate SVP and CVP are shown and they generalize the known equivalences of the search and decision versions of these problems in the exact case when $\gamma = 1".

Lattice Gaussian Sampling by Markov Chain Monte Carlo: Convergence Rate and Decoding Complexity

Decoding by MCMC-based lattice Gaussian sampling is investigated in full details, revealing a flexible trade-off between the decoding performance and complexity.

Approximate $\mathrm{CVP}$ in time $2^{0.802 \, n}$ -- now in any norm!

We show that a constant factor approximation of the shortest and closest lattice vector problem in any norm can be computed in time 20.802n . This contrasts the corresponding 2n time, (gap)SETH based

Dimension-Preserving Reductions Between SVP and CVP in Different p-Norms

The techniques combine those from the recent breakthrough work of Eisenbrand and Venzin [EV20] (which showed how to adapt the current fastest known algorithm for these problems in the l2 norm to all lp norms) together with sparsification-based techniques.

Deterministic Sampling Decoding: Where Sphere Decoding Meets Lattice Gaussian Distribution

The regularized SD (RSD) algorithm based on Klein's sampling probability is proposed, which achieves a better decoding trade-off than the equivalent SD by fully utilizing the regularization terms.

Just how hard are rotations of ℤn? Algorithms and cryptography with the simplest lattice

The “provably hard” distribution of bases described above is studied and a threshold phenomenon in which “basis reduction algorithms on Z n nearly always find a shortest non-zero vector once they have found a vector with length less than √ n/ 2 is observed.

References

SHOWING 1-10 OF 58 REFERENCES

Solving the Shortest Vector Problem in 2n Time Using Discrete Gaussian Sampling: Extended Abstract

The SVP result follows from a natural reduction from SVP to DGS, and a more refined algorithm for DGS above the so-called smoothing parameter of the lattice, which can generate 2n/2 discrete Gaussian samples in just 1.93-approximate decision SVP.

Solving the Closest Vector Problem in 2^n Time -- The Discrete Gaussian Strikes Again!

A 2n+o(n)-time and space randomized algorithm for solving the exact Closest Vector Problem (CVP) on n-dimensional Euclidean lattices and it is shown that the approximate closest vectors to a target vector t can be grouped into “lower-dimensional clusters,” and the discrete Gaussian sampling algorithm can be used to solve this variant of approximate CVP.

The Equivalence of Sampling and Searching

This paper uses tools from Kolmogorov complexity to show that sampling and search problems are “essentially equivalent” and classical computers can efficiently sample the output distribution of every quantum circuit if and only if they can efficiently solve every search problem that quantum computers can solve.

On Bounded Distance Decoding for General Lattices

It is shown how a recent technique can be used to solve α-BDD with pre-processing in polynomial time for α=O\left(\sqrt{(\log{n})/n}\right)$, which improves upon the previously best known algorithm due to Klein.

Quadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices

The main result of the current work is a series of algorithms that ultimately lead to a sampling procedure producing the same outputs as the Klein/GPV one, but requiring only linear-storage when working on lattices used in ideal-lattice cryptography.

Enumerative Lattice Algorithms in any Norm Via M-ellipsoid Coverings

A novel algorithm for enumerating lattice points in any convex body known as the M-ellipsoid is given, and an expected O(f*(n))^n-time algorithm for Integer Programming, where f*( n) denotes the optimal bound in the so-calledflatnesstheorem, which is conjectured to be f* (n) = O(n).

Finding Shortest Lattice Vectors in the Presence of Gaps

An SVP approximation algorithm modified by the ListSieve-Birthday algorithm, which terminates sieve process earlier and relaxes the birthday search, and hence decreases the time complexity significantly.

Worst-case to average-case reductions based on Gaussian measures

It is shown that solving modular linear equation on the average is at least as hard as approximating several lattice problems in the worst case within a factor almost linear in the rank of the lattice, and it is proved that the distribution that one obtains after adding Gaussian noise to the lattices has the following interesting property.

The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract)

  • M. Ajtai
  • Mathematics, Computer Science
    STOC '98
  • 1998
There is a prob-abilistic Turing-machine which in polynomial time reduces any problem in NP to instances of the shortest vector problem, provided that it can use an oracle which returns the solution of the longest vector problem if an instance of it is presented (by giving a basis of the corresponding lattice).

Lattice Sparsification and the Approximate Closest Vector Problem

A method for "spar-sifying" any input lattice while approximately maintaining its metric structure is employed, which employs the idea of random sublattice restrictions, which was first employed by Khot for proving hardness for Shortest Vector Problem (SVP) under lp norms.
...