A time-distance trade-off for GDD with preprocessing---Instantiating the DLW heuristic
share
For 0 ≤α≤ 1/2, we show an algorithm that does the following. Given appropriate preprocessing P(L) consisting of N_α := 2^O(n^1-2α + n) vectors in some lattice L⊂R^n and a target vector t∈R^n, the algorithm finds y∈L such that y- t≤ n^1/2 + αη(L) in time poly(n) · N_α, where η(L) is the smoothing parameter of the lattice. The algorithm itself is very simple and was originally studied by Doulgerakis, Laarhoven, and de Weger (to appear in PQCrypto, 2019), who proved its correctness under certain reasonable heuristic assumptions on the preprocessing P(L) and target t. Our primary contribution is a choice of preprocessing that allows us to prove correctness without any heuristic assumptions. Our main motivation for studying this is the recent breakthrough algorithm for IdealSVP due to Hanrot, Pellet--Mary, and Stehlé (to appear in Eurocrypt, 2019), which uses the DLW algorithm as a key subprocedure. In particular, our result implies that the HPS IdealSVP algorithm can be made to work with fewer heuristic assumptions. Our only technical tool is the discrete Gaussian distribution over L, and in particular, a lemma showing that the one-dimensional projections of this distribution behave very similarly to the continuous Gaussian. This lemma might be of independent interest.
READ FULL TEXT
