This post gives a (hopefully!) simple introduction to lattices and hard problems based on lattices. Lattices are interesting to the field of cryptography as the below problems are difficult for a quantum computer to solve, as opposed to problems based on discrete logarithms or factoring such as Diffie-Hellman based problems or RSA.



In Part 2, we’ll look at one simple lattice-based key exchange, to understand how to use these underlying hard problems in cryptosystems.

Much of the material from this post is assembled from notes from a class by Douglas Stebila and Chris Peikert’s A Decade of Lattice Cryptography (Peikert 2015).

Important Terms and Notation

Let’s review notation we’ll use and a few basic Linear Algebra terms.

We will denote a vector using the following notation: \(\vec{a}\), as opposed to a scalar, \(a\). Matrices will be denoted as capital letters, \(A\). We denote random sampling via \(\stackrel{\$}{\gets}\); for example, sampling a vector of length \(n\) from the integers modulo \(q\) randomly is denoted: \(\vec{a} \stackrel{\$}{\gets}{\mathbb{Z}_q}^n\).

The inner product of two vectors is denoted by the notation \(\langle \vec{a}, \vec{b} \rangle\), and can also be referred to as the dot product, denoted as \(\vec{a} \cdot \vec{b}\). The inner product/dot product operation can also be performed between a matrix and a vector (or a vector and a scalar).

A basis is a set of vectors that are linearly independent. For vectors to be linearly independent, no vector in the set can be reduced to another, meaning that no two vectors in the basis are multiples of one another. Bases can also be reduced, and we say that a basis is "better" than another basis if it is more reduced. For example, the set \(\{[0, 1], [1, 0]\}\) is a fully-reduced basis, but \(\{[1, 0], [2, 0]\}\) is not, because \([2, 0]\) is a multiple of \([1, 0]\).

A basis generates a vector space by combining basis vectors to create new points in the vector space. For a basis \(B\) comprised of the set of vectors \(\{[0, 1], [1, 0]\}\), \(B\) generates a vector space that includes points such as \([2, 3] = 3[0, 1] + 2[1, 0]\).

What is a Lattice?

A lattice, denoted \(\mathcal{L}\), is a finite set of points (represented as vectors) generated by a basis, such that any lattice point is an integer linear combination of basis vectors. This means that each lattice point equals some combination of basis vectors added together, where each basis vector is multiplied by an integer scalar. Taking our example basis \(\{[0, 1], [1, 0]\}\) from the previous section, one lattice point generated as an integer linear combination of the basis vectors is \([4, 2] = 2[0, 1] + 4[1, 0]\).

The lattice generated by a basis \(B\) is denoted as \(\mathcal{L}(B)\).

It is important to emphasize that a lattice can be generated by multiple possible bases. Two bases are equivalent (in that they generate the same lattice) if the following relation holds: \(B_1 = B_2 \times U\), where \(U\) is a unimodular matrix. A unimodular matrix is a square integer matrix whose determinant is \( \pm 1 \). For example, the basis \(B_1 = \{[2, 0], [0, 2]\}\) and the basis \(B_2 = \{[2, -6], [-2, 8]\}\) both generate the same lattice. This is easy to see after confirming \(\{[2, -6], [-2, 8]\} = \{[2, 0], [0, 2]\}\ \times \{[1, -3], [-1, 4]\}\), where \(\{[1, -3], [-1, 4]\}\) is a unimodular matrix.
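As an added example (not code from the original post), the following Python checks the unimodular relation above for two candidate bases. Each matrix is taken row by row as written on the page with the basis vectors as its columns (Peikert's convention, under which \(B_2 = B_1 \times U\)); for the page's example it recovers \(U = \{[1, -3], [-1, 4]\}\), and it rejects bases that generate a different lattice.

```python
from fractions import Fraction

# Added example, not code from the original post: decide whether two bases
# generate the same lattice by recovering U = B1^{-1} * B2 exactly and checking
# that U is unimodular (integer entries, determinant +-1).  Matrices are given
# row by row as written on the page, and each basis vector is a column, which
# is the convention under which B2 = B1 * U holds.

def transition_matrix(B1, B2):
    """Return U = B1^{-1} * B2 as exact Fractions via Gauss-Jordan on [B1 | B2].

    Raises ValueError when B1 is singular, i.e. its columns are not a basis.
    """
    n = len(B1)
    M = [[Fraction(x) for x in list(B1[i]) + list(B2[i])] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] != 0), None)
        if pivot is None:
            raise ValueError("B1 is not a basis: linearly dependent vectors")
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        M[col] = [x / p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]          # left block is now the identity

def determinant(M):
    """Exact determinant by cofactor expansion (fine for the small matrices here)."""
    if len(M) == 1:
        return Fraction(M[0][0])
    return sum((-1) ** j * Fraction(M[0][j]) *
               determinant([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def is_unimodular(U):
    """Unimodular means every entry is an integer and det(U) is +1 or -1."""
    return (all(Fraction(x).denominator == 1 for row in U for x in row)
            and abs(determinant(U)) == 1)

def same_lattice(B1, B2):
    """True iff L(B1) == L(B2), i.e. B2 = B1 * U for some unimodular U."""
    try:
        return is_unimodular(transition_matrix(B1, B2))
    except ValueError:
        return False
```

Scaling \(B_1\) by \(\{[2, 0], [0, 4]\}\) or shrinking it to the identity both fail the check, the first because the determinant is 2 and the second because \(U\) has fractional entries.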

More formally, the definition of a lattice as the set of integer linear combinations of basis vectors can be written as follows (as given by Peikert (Peikert 2015)):

\[\mathcal{L} = \mathcal{L}(B) = \sum_{i=1}^{m} (\mathbb{Z} \cdot b_i)\]

Another important concept to understand when studying lattices is the \(i\)th successive minimum of a given lattice \(\mathcal{L}\), written \(\lambda_i(\mathcal{L})\). Intuitively, the \(i\)th successive minimum corresponds to the \(i\)th shortest vector in the lattice, where for each \((i+1)\)th minimum some bound is increased by a constant factor (every \(i\)th successive minimum is less than the \(i\)th bound).

The \(i\)th successive minimum of \(\mathcal{L}\) is attained by an integer linear combination of basis vectors whose length is under the \(i\)th bound, \(i \cdot \gamma\). In this case, \(\gamma\) is simply a scaling factor.

Hard Problems based on Lattices

In cryptography, it is important to have assurance of the hardness of given problems, so that we can build cryptosystems on top of these hard problems. This ensures that the difficulty an adversary will face when attacking the cryptosystem reduces to the hardness of the underlying hard problem. We will now examine a series of hard lattice problems. In Part 2, we'll see how to use these hard problems to build cryptosystems which in turn are hard for a given adversary.

Shortest Vector Problem (SVP)

Intuitively, the Shortest Vector Problem captures the difficulty an adversary faces when required to find a lattice point within a given bound, if all that the adversary knows is a set of basis vectors for the lattice. As any point in the lattice is a linear combination of basis vectors, SVP is hard because no efficient algorithm exists to test all possible points. Furthermore, as a lattice can be generated by multiple bases (as described in the previous section), where some valid bases are "better" (i.e., more reduced) than others, this further frustrates an adversary's search techniques.

More formally, the Shortest Vector Problem is defined as follows:

Shortest Vector Problem. Given a basis \(B\) of \(\mathcal{L}\), find a nonzero point \(v \in \mathcal{L}\) (in other words, "\(v\) is in the lattice") such that: \[||v|| \leq \gamma \lambda_i (\mathcal{L}),\] where \(\gamma\) is some multiplicative constant and \(\lambda_i\) is the \(i\)th successive minimum of \(\mathcal{L}\).

Note that an algorithm to solve SVP does exist, but it runs in exponential time \(2^{O(n)}\). Therefore, as \(n\) increases, the difficulty for an adversary increases exponentially as the adversary tries to find a lattice point \(v\) shorter than the given bound \(\gamma \lambda_i\). Why? As lattice vectors are linear combinations of basis vectors, an exhaustive-search approach (or something similar) is required to find lattice points that fall within the given bound.

Closest Vector Problem

The Closest Vector Problem (CVP) is a problem derived from SVP. Intuitively, the CVP requires an adversary to find the closest lattice point \(v \in \mathcal{L}(B)\) to a given point \(w \in \mathbb{Q}^n\), where \(w\) is an arbitrary point not within the given lattice.

More formally, this can be written as follows:

Closest Vector Problem. Given a basis \(B\) of a lattice \(\mathcal{L}\) and a point \(w \in \mathbb{Q}^n\), find \(v \in \mathcal{L}\) such that \(||w - v||\) is minimized.

Bounded Distance Decoding Problem

While multiple points in the lattice could be solutions to the Closest Vector Problem, sometimes it is useful to bound a solution to a single lattice point. The Bounded Distance Decoding (BDD) problem is similar to the Closest Vector Problem, but requires that the distance between a point \(v\) in the lattice and an arbitrary point \(w\) be less than some bound \(\alpha \lambda_i\), where \(0 \leq \alpha \leq \frac{1}{\sqrt{2}}\).

More formally:

Bounded Distance Decoding Problem. Given a basis \(B\) for a lattice \(\mathcal{L}\) and a point \(w \in \mathbb{Q}^n\), find \(v \in \mathcal{L}\) such that: \[||w-v|| \leq \alpha \lambda_i(\mathcal{L}), \text{ where } 0 \leq \alpha \leq \frac{1}{\sqrt{2}}.\]
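As an added example (not part of the original post) covering SVP, CVP and BDD together, this Python enumerates every integer combination of the basis vectors with coefficients in \([-K, K]\), then picks the shortest nonzero point, the point closest to a target \(w \in \mathbb{Q}^n\), and whether that closest point satisfies the BDD bound. The lattice is the page's \(2\mathbb{Z}^2\) with its good basis \(\{[2, 0], [0, 2]\}\) and a constructed less-reduced basis \(\{[6, 10], [8, 14]\}\) of the same lattice (the good basis multiplied by the unimodular matrix \(\{[3, 5], [4, 7]\}\)); the target \(w\) and \(\alpha\) values are constructed as well.

```python
from fractions import Fraction
from itertools import product

# Added example, not code from the original post: brute-force SVP, CVP and BDD
# on small lattices by enumerating every integer combination of the basis
# vectors whose coefficients all lie in [-K, K].  Bases are lists of row
# vectors as written on the page; Fractions keep distances to w in Q^n exact.
# The search costs (2K+1)^n candidates, which is the exponential blow-up the
# post describes.

def lattice_points(basis, K):
    """Yield every v = sum_i c_i * b_i with integer coefficients |c_i| <= K."""
    dim = len(basis[0])
    for coeffs in product(range(-K, K + 1), repeat=len(basis)):
        yield tuple(sum(c * b[j] for c, b in zip(coeffs, basis)) for j in range(dim))

def norm_sq(v):
    """Squared Euclidean length ||v||^2 as an exact Fraction."""
    return sum(Fraction(x) ** 2 for x in v)

def dist_sq(w, v):
    """Squared distance ||w - v||^2; entries of w may be Fractions or strings like "9/4"."""
    return norm_sq([Fraction(wi) - vi for wi, vi in zip(w, v)])

def shortest_vector(basis, K):
    """SVP within the search box: the shortest nonzero lattice point found.

    A poorly reduced basis needs a larger K before the box contains a
    genuinely shortest vector of the lattice.
    """
    cands = [v for v in lattice_points(basis, K) if any(v)]
    return min(cands, key=norm_sq)

def closest_vector(basis, w, K):
    """CVP within the search box: the lattice point minimising ||w - v||."""
    return min(lattice_points(basis, K), key=lambda v: dist_sq(w, v))

def bdd(basis, w, K, alpha):
    """BDD: the closest point v and whether ||w - v|| <= alpha * lambda_1 holds.

    lambda_1 is taken as the length of shortest_vector(basis, K); squares are
    compared so the check stays exact for rational alpha (pass e.g. "1/2").
    """
    v = closest_vector(basis, w, K)
    lam1_sq = norm_sq(shortest_vector(basis, K))
    return v, dist_sq(w, v) <= Fraction(alpha) ** 2 * lam1_sq
```

With the good basis \(K = 1\) already finds a vector of length 2, while the less-reduced basis needs \(K = 4\) to reach one and \(K = 7\) before the box even contains the closest point \([2, 0]\) to \(w = [9/4, 1/3]\).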

Hard Problems Continued: Learning with Errors

Many current lattice-based cryptosystems are based on the hardness of the Learning with Errors (LWE) problem, first introduced by Regev (Regev 2005). Intuitively, the LWE problem is based on the hardness of finding a hidden input from a "noisy inner product," where the noise is induced by explicitly adding a randomly-selected error term.

More formally, LWE can be defined as follows: