Abstract
In this work we consider the closest vector problem (CVP), also known as maximum-likelihood decoding, in the tensor product of two root lattices of type A (\(A_m \otimes A_n\)), as well as in their duals (\(A^*_m \otimes A^*_n\)). The problem is mainly motivated by lattice-based cryptography, where the cyclotomic rings \({\mathbb {Z}}[\zeta _c]\) (resp. their co-differents \({\mathbb {Z}}[\zeta _c]^\vee \)) play a central role and turn out to be isomorphic, as lattices, to tensor products of \(A^*\) lattices (resp. of A root lattices). In particular, our results lead to solving CVP in \({\mathbb {Z}}[\zeta _c]\) and in \({\mathbb {Z}}[\zeta _c]^\vee \) for conductors of the form \(c = 2^\alpha p^\beta q^\gamma \), for any two odd primes p, q. For the primal case \(A_m \otimes A_n\), we give a full characterization of the Voronoi region in terms of simple cycles in the complete directed bipartite graph \(K_{m+1,n+1}\). Relying on the Bellman-Ford algorithm for negative cycle detection, this yields a CVP algorithm running in polynomial time: precisely, the algorithm performs \(O(l\ m^2 n^2 \min \{m,n\})\) operations on reals, where l is the number of bits per coordinate of the input target. For the dual case, we use a gluing construction to solve CVP in sub-exponential time \(O(n m^{n+1})\).
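The following program is added here as an illustration; it is not the paper's code and does not reproduce the paper's algorithm or its running-time bound. It runs the kind of procedure the abstract describes for the primal case: it models \(A_m \otimes A_n\) as the integer \((m+1)\times(n+1)\) matrices with zero row and column sums (the standard coordinates, with \(A_n \subset {\mathbb Z}^{n+1}\) the integer vectors of coordinate sum zero), takes the abstract's characterization of the Voronoi region by signed simple cycles of \(K_{m+1,n+1}\) as given, and uses Bellman-Ford on a weighted copy of that graph to find a cycle that moves the current lattice point strictly closer to the target, repeating until no such cycle exists. The starting point, the edge weighting, all function names and the sample target are this example's own choices (assumptions, not the paper's); what is established is only termination, since the distance strictly decreases and finitely many lattice points lie within it.

```python
from fractions import Fraction

def to_fractions(t):
    """Exact rational coordinates for the target ("0.6" parses to 3/5)."""
    return [[Fraction(x) for x in row] for row in t]

def residual(t, v):
    """x = t - v; v is a closest lattice point iff x lies in the Voronoi cell."""
    return [[t[i][j] - v[i][j] for j in range(len(t[0]))] for i in range(len(t))]

def dist2(t, v):
    """Squared Euclidean distance between target t and lattice point v."""
    return sum(x * x for row in residual(to_fractions(t), v) for x in row)

def is_lattice_point(v):
    """Point of A_m (x) A_n: integer matrix with all row and column sums zero."""
    return (all(x == int(x) for row in v for x in row)
            and all(sum(row) == 0 for row in v)
            and all(sum(col) == 0 for col in zip(*v)))

def initial_lattice_point(t):
    """Crude start (this example's choice, not the paper's): round entrywise,
    then repair row sums via column 0 and column sums via row 0; both repairs
    are integral and keep the total sum zero, so the result is a lattice point."""
    r = [[int(round(x)) for x in row] for row in t]
    for row in r:
        row[0] -= sum(row)
    for j, s in enumerate([sum(col) for col in zip(*r)]):
        r[0][j] -= s
    return r

def find_improving_cycle(x):
    """Bellman-Ford negative-cycle search on the complete directed bipartite
    graph with a vertex per row and per column of x.  Edge row_i -> col_j
    weighs 1/2 - x[i][j] (contributes +1 at (i,j)), edge col_j -> row_i weighs
    1/2 + x[i][j] (contributes -1), so a simple cycle with 2k edges weighs
    k - <x, c> for its signed cycle matrix c with |c|^2 = 2k: it is negative
    exactly when <x, c> > |c|^2 / 2, i.e. when v + c is strictly closer to t.
    Returns such a c, or None when x lies in the Voronoi cell."""
    rows, cols = len(x), len(x[0])
    nv = rows + cols                     # vertices 0..rows-1 rows, rows.. columns
    half = Fraction(1, 2)
    edges = []
    for i in range(rows):
        for j in range(cols):
            edges.append((i, rows + j, half - x[i][j]))
            edges.append((rows + j, i, half + x[i][j]))
    dist = [Fraction(0)] * nv            # virtual source joined to every vertex
    pred = [None] * nv
    for _ in range(nv):
        last = None
        for u, w, wt in edges:
            if dist[u] + wt < dist[w]:
                dist[w], pred[w], last = dist[u] + wt, u, w
        if last is None:
            return None                  # converged: no negative cycle
    # Still relaxing in round nv: nv predecessor steps from the last relaxed
    # vertex land on a cycle of the predecessor graph, which is negative.
    u = last
    for _ in range(nv):
        u = pred[u]
    cycle, w = [u], pred[u]
    while w != u:
        cycle.append(w)
        w = pred[w]
    cycle.reverse()                      # forward edge order
    c = [[0] * cols for _ in range(rows)]
    for a, b in zip(cycle, cycle[1:] + cycle[:1]):
        if a < rows:
            c[a][b - rows] += 1          # row -> column edge
        else:
            c[b][a - rows] -= 1          # column -> row edge
    return c

def cvp_tensor_A(t):
    """Exact CVP in A_m (x) A_n: step to a strictly closer lattice point along
    an improving cycle until none exists.  Termination follows from the strict
    distance decrease; the paper's polynomial bound is not reproduced here."""
    t = to_fractions(t)
    v = initial_lattice_point(t)
    while True:
        c = find_improving_cycle(residual(t, v))
        if c is None:
            return v
        v = [[v[i][j] + c[i][j] for j in range(len(c[0]))] for i in range(len(c))]

# Constructed sample target in A_2 (x) A_2 (3 x 3 coordinates with zero row and
# column sums); components outside the lattice's span would be invisible to
# every inner product <x, c> and hence irrelevant to the answer.
SAMPLE_TARGET = to_fractions([["0.6", "0", "-0.6"],
                              ["-0.45", "0.45", "0"],
                              ["-0.15", "-0.45", "0.6"]])

if __name__ == "__main__":
    v0, v = initial_lattice_point(SAMPLE_TARGET), cvp_tensor_A(SAMPLE_TARGET)
    print("start  ", v0, "dist^2 =", dist2(SAMPLE_TARGET, v0))   # 181/100
    print("closest", v, "dist^2 =", dist2(SAMPLE_TARGET, v))     # 141/100
```

On the sample target the crude start is the 4-cycle \([[1,0,-1],[0,0,0],[-1,0,1]]\) at squared distance 1.81, and the walk ends at the 6-cycle \([[1,0,-1],[-1,1,0],[0,-1,1]]\) at squared distance 1.41, which is the unique closest lattice point. Exact rationals (fractions.Fraction) are deliberate: with floating point, a target on the boundary of a Voronoi cell can produce a cycle of weight \(-\epsilon\) that is really zero, and the walk could then alternate between equidistant lattice points forever. The cycle read off the Bellman-Ford predecessor pointers after \(|V|\) rounds is simple, so its matrix has entries in \(\{-1,0,1\}\) and is itself a lattice vector; a 2-cycle row_i → col_j → row_i always weighs exactly 1 and is never returned.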
Notes
Recall that this lattice has dimension \(\varphi (c)\), the Euler totient of c.
Such details are beyond the scope of this paper; they are described in the B.Sc. thesis of the second author, available online at https://www.math.leidenuniv.nl/scripties/BachVanWoerden.pdf.
The algorithm is typically stated with \(C = |V|\), the number of vertices.
Here \(K_{m',n'}(\mathbf {u})\) denotes the weighted complete bipartite graph, as defined in the proof of Lemma 7.
Acknowledgements
The authors wish to thank Onno Berrevoets, Marcello Bonsangue, Daniel Dadush and Daan van Gent for their interest and helpful feedback on this work. This work has been supported by a grant from CWI from its budget for public-private partnerships and in part by a grant from NXP Semiconductors.
Additional information
Communicated by S. D. Galbraith.
Cite this article
Ducas, L., van Woerden, W.P.J. The closest vector problem in tensored root lattices of type A and in their duals. Des. Codes Cryptogr. 86, 137–150 (2018). https://doi.org/10.1007/s10623-017-0332-x
Keywords
- Lattice based cryptography
- Cyclotomic lattices
- Tensored root lattices
- Closest vector problem
- Maximum likelihood decoding