Hi, I'm Wessel van Woerden and thank you for watching this video. I'm going to talk about our analysis of the iterative slicer algorithm to solve the closest vector problem. This is joint work with Léo Ducas and Thijs Laarhoven.

Let's start with the basic objects and problems we will be considering in this video. As most of you already know, a lattice is a discrete additive group. In our case, we restrict ourselves to full-dimensional real lattices. An equivalent definition is that a lattice is generated by all integer combinations of some basis vectors. In this example, such a basis could consist of the vectors b1 and b2. The shortest vector problem is probably the most famous hard lattice problem. Given a basis, it asks for a shortest non-zero lattice point. This minimal length is called the first minimum of the lattice and is often denoted by lambda_1. A related problem, and the aim of our work, is the closest vector problem. Given a target t, the goal is to find a lattice point close to this target. In this example, the closest lattice point is this one, but in higher dimensions this also becomes a hard problem.

One way to look at a CVP algorithm is as a black box that receives a lattice basis and a target and outputs a lattice point close to this target. This is repeated for each target separately. However, if there are many targets, it might be beneficial to do some pre-processing first. The pre-processing phase receives the lattice and outputs some data that the CVP solver can use. In this way, the time complexity per target can hopefully be reduced. This often comes as a trade-off between the size of the pre-processed data and the time complexity per target. Such a CVP algorithm with pre-processing (CVPP) has numerous use cases. Concrete examples are ideal SVP, enumeration hybrids for SVP, or even computing class group actions in a relation lattice. Also important to note is that the pre-processing can be started before any target is known. As in cryptography the lattice is often already known in the form of a public key, a long offline computation can already be done to speed up the online part of an attack.

One particularly simple CVPP algorithm is the iterative slicer. For the pre-processing, we obtain a list of preferably short lattice vectors. In this example, we have these six vectors in our list. Given a target, we then try to move it close to zero by reducing it with vectors from the list, until this is no longer possible. After this reduction, we have hopefully found the shortest coset representative of the target, which results in finding the closest lattice point. This algorithm succeeds for every target if and only if the list contains all so-called Voronoi relevant vectors. However, the problem is that most d-dimensional lattices have on the order of 2^d relevant vectors, which makes this algorithm worse than other known CVP algorithms without pre-processing, in terms of both storage and time complexity. Therefore a good question is what happens if we pick a smaller list. In this example, we only have plus or minus b1 and b2 in our list. If we now reduce the target, it might not actually lead to the closest lattice point. Note that this seems to depend on the location of the target, so one idea would be to re-randomize the target by translating it by some random lattice vector. Now we see that the reduction actually succeeds. Heuristically, one could say that there is some success probability p, depending on the list, that the target is properly reduced after each randomization.
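To make the reduction and re-randomization steps above concrete, here is a minimal numpy sketch of the randomized iterative slicer. It is only an illustration, not the paper's implementation: the basis B (rows taken as basis vectors), the list L of short lattice vectors, and the number of re-randomizations are assumptions made for the example.

```python
import numpy as np

rng = np.random.default_rng(0)

def slicer_reduce(t, L):
    """One pass of the iterative slicer: keep subtracting (or adding) list
    vectors while that makes the current coset representative strictly shorter."""
    improved = True
    while improved:
        improved = False
        for v in L:                                   # L: short lattice vectors, one per row
            if np.linalg.norm(t - v) < np.linalg.norm(t):
                t, improved = t - v, True
            elif np.linalg.norm(t + v) < np.linalg.norm(t):
                t, improved = t + v, True
    return t

def randomized_slicer(t, L, B, rerandomizations=100):
    """Re-randomize the target by random lattice shifts (rows of B are basis
    vectors) and keep the shortest coset representative found so far."""
    best = slicer_reduce(t, L)
    for _ in range(rerandomizations):
        shift = B.T @ rng.integers(-2, 3, size=B.shape[0])   # small random lattice vector
        cand = slicer_reduce(t + shift, L)
        if np.linalg.norm(cand) < np.linalg.norm(best):
            best = cand
    return t - best   # closest lattice point found = target minus shortest representative
```

In practice the list would come from the pre-processing phase, and the number of re-randomizations would be taken proportional to one over the success probability discussed next.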
Then the naive time complexity would be proportional to the list size divided by the success probability, and the main aim of this work is to analyze this success probability.

Before we start with this analysis, we first need to be more concrete about our pre-processed list. From further analysis it quickly becomes clear that we preferably want short vectors in this list. So let's fix some size parameter alpha, and let our list contain the alpha^d shortest non-zero lattice vectors. Then, under the widely used Gaussian heuristic, this is roughly equivalent to saying that the list contains all lattice vectors up to length alpha times the first minimum, so they are all included in this ball. More importantly, under this heuristic we can assume that the vectors are uniformly distributed over this d-dimensional ball. This distribution allows us to actually analyze the success probability.

So what is actually known about the success probability? Well, we have two lower bounds from previous works. These show that apparently a list of size 2^(d/2) is already enough to almost always succeed, already improving the list size by a square root compared to the iterative slicer with all relevant vectors. Furthermore, as expected, we see a trade-off between the list size and the success probability. But these two lower bounds have some problems. First, one of them has an asymptote and is even undefined in the low-memory regime. And secondly, given the crossover point, the union of these two bounds is unlikely to be tight with the actual success probability. With our improved and tight analysis, we show that the success probability actually follows this trade-off curve. Note that it coincides with one of the old lower bounds in the high-memory regime and is strictly better than both in the low-memory regime. In the bounded distance decoding (BDD) regime, where we get the guarantee that the target lies unusually close to the lattice, the situation is even more strange. Firstly, this guarantee could not be incorporated into one of the two lower bounds. Secondly, we still have these asymptotes. And thirdly, this lower bound seems to imply that BDD is actually harder for the iterative slicer than CVP for small list sizes, while generally BDD is supposed to be easier. Our new analysis resolves all of this and shows that the success probabilities follow these curves. This also shows that BDD is indeed easier for this algorithm than CVP, even though the curves converge in the low-memory regime.

So why do these lower bounds fail to be tight everywhere? The main problem seems to be that they only look at a single event. One of them looks at the so-called approximate Voronoi cell that is induced by the vectors in the list. After a target is reduced, it lies inside this approximate Voronoi cell. However, it is only successfully reduced if it lies in the real Voronoi cell. So you would expect the success probability to be roughly equal to the volume ratio between the real and the approximate Voronoi cell. However, as the iterative slicer prefers a reduction to shorter representatives, one can argue that this ratio in fact only gives a lower bound on the success probability. The other lower bound follows what in our model we would call a one-step analysis. First, one can show that it is always easy to reduce the target to some length at most beta, where beta only depends on the list size parameter alpha. Then one can compute the (small) probability that, after reaching beta, the target is reduced to the goal norm kappa in a single step.
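To make this one-step event concrete, here is a small Monte Carlo sketch under the heuristic model described above: list vectors are drawn uniformly from the ball of radius alpha, with norms measured in units of the first minimum, and we estimate the probability that a target of norm beta is reduced to norm at most kappa in a single step. The dimension, radii and list size in the example call are illustrative choices, not values from the paper, and the list size is left as an explicit parameter because the exponential heuristic size only makes sense in large dimension.

```python
import numpy as np

rng = np.random.default_rng(0)

def uniform_ball(n, d, radius):
    """n points distributed uniformly over the d-dimensional ball of the given radius."""
    x = rng.standard_normal((n, d))
    x /= np.linalg.norm(x, axis=1, keepdims=True)          # uniform directions
    r = radius * rng.random(n) ** (1.0 / d)                 # radii giving a uniform ball
    return x * r[:, None]

def one_step_prob(d, alpha, beta, kappa, list_size, trials=200):
    """Estimate the probability that a target of norm beta is reduced to norm
    at most kappa by a single vector from a heuristic list, modelled as
    list_size vectors uniform in the ball of radius alpha."""
    successes = 0
    for _ in range(trials):
        t = np.zeros(d)
        t[0] = beta                                          # w.l.o.g. put the target on an axis
        L = uniform_ball(list_size, d, alpha)
        if np.min(np.linalg.norm(t - L, axis=1)) <= kappa:
            successes += 1
    return successes / trials

# illustrative call: one_step_prob(d=30, alpha=1.15, beta=1.3, kappa=1.05, list_size=4000)
```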
And the total success probability is at least the probability that this particular event happens. This also explains the asymptotes from before: for small list sizes, this beta is too large to actually reach kappa in a single reduction step. When we phrase the latter lower bound like this, it becomes clear what we need to do. For a tight analysis, we have to model all possible events, which gives us a model that looks like a random walk. Like before, it is easy to reach beta, so we ignore that part. But after that, we allow the reduction to take multiple steps to cross the hard part: say it first reduces to some norm at most x1, then to at most x2, x3, and finally to at most kappa. Actually, we can simplify things significantly by only looking at the norms of the target while it is being reduced. Now suppose we have a partially reduced target that has norm x2 in the worst case. Then we can compute the probability that it is reduced by the list in a single step to norm at most x3, and we call this the transition probability from x2 to x3. Taking the product of these transition probabilities gives us the probability that the iterative slicer reaches kappa via this specific path, and of course this gives a lower bound on the total success probability. So in short, each path gives us a lower bound on the success probability.

Asymptotically, these transition probabilities from norm y to norm z are just single exponentially small in the dimension. An important fact is that the constant in the exponent only depends on the list size parameter alpha and on the norms y and z. Because we take the product of these transition probabilities, the asymptotic success probability of a path is fully determined by the sum of these constants. So to find the asymptotically optimal path, we only need to find the path that minimizes the sum of these constants, turning this into an optimization problem. Although this only gives a lower bound, one can show that it is tight up to polynomial factors by a more formal analysis using densities.

So we have reduced our problem to the optimization problem of finding the best path. And we are lucky, because the cost function is actually strictly convex when we only consider paths with a fixed number of steps. This implies a unique local and global minimum, if it exists, and this makes it easy to optimize numerically. Actually, this was already enough to plot the new success probability curves that we have shown before. However, we went even further and, surprisingly, found a closed-form analytic solution for the asymptotically optimal path, depending only on the input parameters. So how did we do this? We first try to construct a locally optimal path of exactly s steps. For this, we can use analytical constraints, such as the partial derivatives and the known starting and ending points of a path. Then we use symbolic algebra to express the solution in terms of alpha and kappa. After having found each optimal s-step path, we show what the optimal number of steps is. This analysis led to the following non-trivial explicit solution for all parameters involved. I don't expect you to fully read this, but there are two nice things to observe. First, note that the number of steps is roughly proportional to beta squared; as beta grows when the list size decreases, the number of steps also increases when the list size decreases. Secondly, the squared norms along the optimal path actually follow a quadratic equation.
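To illustrate the numerical optimization over fixed-length paths mentioned above, here is a sketch. The per-step exponent is modelled here via the relative volume of a ball intersection under the uniform-ball heuristic; this is my own simplified stand-in for the exact exponent derived in the paper, so the parameter values and the resulting numbers are illustrative only.

```python
import numpy as np
from scipy.optimize import minimize

def step_cost(y, z, alpha):
    """-(1/d) * log of the modelled transition probability from norm y to norm z.
    Modelled via the squared radius of the intersection of a ball of radius alpha
    around the target (norm y) with the ball of radius z around the origin
    (an illustrative assumption, not the paper's exact expression)."""
    gamma_sq = alpha**2 - ((y**2 + alpha**2 - z**2) / (2.0 * y))**2
    if gamma_sq >= 1.0:
        return 0.0                 # a single step already succeeds with high probability
    if gamma_sq <= 0.0:
        return np.inf              # geometrically impossible step
    return -0.5 * np.log(gamma_sq)

def path_cost(xs, beta, kappa, alpha):
    """Sum of the per-step exponents along the path beta -> x1 -> ... -> kappa."""
    norms = np.concatenate(([beta], xs, [kappa]))
    return sum(step_cost(norms[i], norms[i + 1], alpha) for i in range(len(norms) - 1))

def best_path(beta, kappa, alpha, steps):
    """Numerically optimize the intermediate norms of a path with a fixed number of steps."""
    if steps == 1:
        return np.array([beta, kappa]), step_cost(beta, kappa, alpha)
    x0 = np.linspace(beta, kappa, steps + 1)[1:-1]          # evenly spaced initial guess
    res = minimize(path_cost, x0, args=(beta, kappa, alpha),
                   bounds=[(kappa, beta)] * (steps - 1))
    return np.concatenate(([beta], res.x, [kappa])), res.fun

# pick the number of steps with the smallest total exponent, e.g.:
# min((best_path(1.4, 1.0, 1.1, s)[1], s) for s in range(1, 8))
```

Because the cost is strictly convex for a fixed number of steps, the local optimum found this way is the global one for that step count, matching the argument above.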
So what we have shown is that, for large dimensions, almost all successful reductions follow this specific path. And of course, one can compute the eventual success probability of this optimal path.

So now we have improved the success probability, but we still need to iterate over all our list vectors in each reduction step, leading to a cost proportional to the list size. However, using nearest neighbour searching data structures, this can be reduced, at the cost of a higher memory cost. If we include nearest neighbour search techniques, we obtain the following new time-memory trade-off for CVPP. You can see that we did not improve in the high-memory regime, which makes sense, as the success probability did not improve there. However, in the low-memory regime, we strictly improve on the previous optimal trade-off curves. Next to the nearest neighbour data structures, there are also what we call memory-less nearest neighbour techniques, which reduce the time complexity significantly without any extra memory overhead. However, the catch is that these can only be used if we reduce many targets at the same time, to be precise, in a batch of size at least our list size. Note, however, that each CVPP target already gives us one over the success probability many re-randomized targets. Therefore, the number of targets necessary to apply this technique can be much lower, even as low as one. This leads to the following time-memory trade-off curve for batch CVPP. Using our observation, it significantly lowers the required batch size, even all the way down to regular CVPP with a single target in the low-memory regime.

To conclude, I come back to our title. Our analysis is sharper because we now have a full understanding of the asymptotic behaviour of the iterative slicer, leading to a tight bound on the success probability. It is faster because we obtain better time-memory trade-offs for CVPP. It is smaller because we decrease the memory requirement for nearest neighbour searching, even when we only have a single target. And it is batchier because we show how to significantly improve on the per-target time complexity for batch CVPP and reduce the required size of these batches. Thank you for your attention.
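As a purely illustrative aside to the nearest-neighbour remark above: the sketch below shows the generic idea of bucketing the preprocessed list with hyperplane LSH, so that one reduction step only inspects a single bucket instead of scanning the whole list. This is not the specific nearest-neighbour or memory-less technique analysed in the paper; the number of hash functions and the bucketing strategy are arbitrary choices for the example.

```python
import numpy as np

rng = np.random.default_rng(1)

class HyperplaneLSH:
    """Bucket the preprocessed list by the signs of a few random projections, so
    that one reduction step only inspects a single bucket instead of the whole list."""

    def __init__(self, vectors, num_hashes=8):
        self.planes = rng.standard_normal((num_hashes, vectors.shape[1]))
        self.buckets = {}
        for v in vectors:
            self.buckets.setdefault(self._key(v), []).append(v)

    def _key(self, x):
        return tuple(bool(b) for b in (self.planes @ x) > 0)

    def reduce_step(self, t):
        """Try to shorten t using only the list vectors that hash like t:
        those tend to have a large inner product with t, which is exactly
        what makes t - v shorter."""
        best = t
        for v in self.buckets.get(self._key(t), []):
            if np.linalg.norm(t - v) < np.linalg.norm(best):
                best = t - v
        return best

# usage: build the table once from the preprocessed list, then call reduce_step
# repeatedly inside the slicer loop instead of scanning the whole list.
```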