Welcome to this presentation on the work titled "A 2^{n/2}-time algorithm for √n-approximate Shortest Vector Problem and √n-approximate Hermite Shortest Vector Problem." This is joint work with Divesh Aggarwal and Noah Stephens-Davidowitz.

First of all, let's look at some basics. What is a lattice? A lattice is a discrete subgroup of R^n. Here I have a two-dimensional lattice. It is specified by a set of linearly independent basis vectors, and the lattice is generated by all integer combinations of these basis vectors.

Why do we study lattices? Lattices have been used for cryptography since the seminal work of Ajtai in 1996, and they have a number of advantages. There is a worst-case to average-case reduction, so the security of lattice-based cryptography relies on the worst-case hardness of some lattice problem. It is believed to be resistant to quantum computers. And it can do more: for example, fully homomorphic encryption.

Next, let's look at the lattice problems that are the focus of this work. We start with the Shortest Vector Problem, SVP, which asks for a shortest non-zero vector of a given lattice. For example, in the two-dimensional lattice here, the red vector v is a shortest vector, and we use λ1 to denote its length. The approximate version, γ-SVP, asks for a non-zero lattice vector of length within γ·λ1. For example, if we take γ = 2, then any lattice vector within the green ball here is a valid solution to 2-SVP.

The Shortest Vector Problem is a hard problem. As a simple illustration: if the only information given is two basis vectors b1 and b2, and this basis is not a very nice one, it is not straightforward to see where the shortest vector v would lie. More concretely, there has been a lot of study of the complexity of γ-SVP across different approximation factors, and the regime where the approximation factor is around poly(n) is the most relevant to cryptography.

The next problem we will look at is the Hermite Shortest Vector Problem, HSVP. Every lattice has a determinant, and basically the determinant of a lattice is just its volume; here, because we have a two-dimensional lattice, it is the area of this parallelogram. From the diagram, we can see that if a lattice has a small determinant, it is fairly dense. The γ-HSVP problem therefore asks for a non-zero lattice vector whose length is within γ·det(L)^{1/n}, the normalized determinant of the lattice. By Minkowski's theorem, we know that for any lattice, the length of the shortest vector is at most √n times this normalized determinant, and moreover, for random lattices this holds with equality up to a constant factor. In other words, √n is the best approximation factor we can hope for in HSVP.
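To make these definitions concrete, here is a tiny self-contained sketch (my own toy illustration, not part of the paper): it brute-forces a shortest non-zero vector of a small lattice and checks it against Minkowski's bound. Brute force is only feasible in very small dimension, and only when the coefficient bound is large enough for the given basis.

```python
import itertools
import numpy as np

def shortest_vector_brute_force(basis, coeff_bound=10):
    """Brute-force a shortest non-zero vector of the lattice spanned by
    the rows of `basis`, trying all integer coefficient vectors with
    entries in [-coeff_bound, coeff_bound].

    Caveat: this is only correct if coeff_bound is large enough for the
    given basis, and it takes (2*coeff_bound + 1)^n steps, so it is a toy.
    """
    basis = np.asarray(basis, dtype=float)
    n = basis.shape[0]
    best_vec, best_norm = None, float("inf")
    for coeffs in itertools.product(range(-coeff_bound, coeff_bound + 1), repeat=n):
        if not any(coeffs):
            continue  # skip the zero vector: SVP asks for a NON-zero vector
        v = np.array(coeffs) @ basis
        norm = float(np.linalg.norm(v))
        if norm < best_norm:
            best_vec, best_norm = v, norm
    return best_vec, best_norm

# A "not very nice" basis of the lattice Z^2: neither basis vector is
# short, but the combination 2*b1 - b2 = (1, 0) is a shortest vector.
B = [[4.0, 1.0],
     [7.0, 2.0]]
v, lam1 = shortest_vector_brute_force(B)
print("shortest vector:", v, " lambda_1 =", lam1)

# Minkowski: lambda_1 <= sqrt(n) * det(L)^(1/n). Here |det| = 1, n = 2.
n = len(B)
norm_det = abs(np.linalg.det(np.array(B))) ** (1.0 / n)
print("Minkowski bound sqrt(n) * det^(1/n) =", np.sqrt(n) * norm_det)
```

The basis here is deliberately skewed: the shortest vector (1, 0) is not apparent from the basis vectors themselves, which is a small taste of why SVP is hard when the given basis is bad.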
So why do we care about this Hermite SVP problem? Because of the slide reduction algorithm and the BKZ algorithm, which reduce poly(n)-approximate SVP to constant-approximate SVP of lower rank. We make the observation that such reductions only ever use the constant-approximate SVP oracle as a √n-approximate HSVP oracle. In other words, if we can solve √n-approximate HSVP, it suffices to plug it into slide reduction to get a good algorithm for poly(n)-approximate SVP.

So what do we achieve in the end? We find a 2^{n/2}-time algorithm for √n-approximate SVP and also for √n-approximate HSVP, and because of slide reduction, we are able to give faster algorithms for poly(n)-approximate SVP for almost all poly(n) factors.

I would like to emphasize that this work has no direct impact on cryptography, because there exist heuristic algorithms for the Shortest Vector Problem that run much faster: they achieve a running time of (3/2)^{n/2} ≈ 2^{0.292n}. These heuristic algorithms rely on assumptions that are not proven but are experimentally verified. So in some sense there is a huge gap between provable algorithms and heuristic algorithms, and this work serves as a step towards closing that gap for the Shortest Vector Problem.

Next, let's look at what our algorithm actually does. Before that, let me repeat our goal: we are looking for lattice vectors that are short and non-zero. The zero vector is uninteresting.

Here is a high-level overview of what happens in the algorithm. In the beginning, we sample a bunch of lattice vectors from the input lattice L, such that these vectors have some nice distributional properties and expected squared norm equal to some parameter T. Then, for the next r iterations, we repeatedly pair up the vectors and subtract within each pair. After one step, we get a list of vectors that lie in a sublattice L1, and after r steps, we end up with a list of vectors that lie in a sublattice Lr. We make sure that Lr is 2^k times the input lattice L, a scaled-up copy of the input lattice. We then show that the expected squared norm of the vectors we receive at the end is 2^r·T. Now, if we do a little bit of scaling, so that the vectors are scaled down to land back in the input lattice, their expected squared norm becomes 2^{r−2k}·T. If we can show that this factor is less than 1, then we are making progress, at least in terms of length.

Now let's zoom in on what happens in one step of the algorithm. We start with some nicely distributed vectors lying in a lattice L0. For a sublattice L1 of L0, we partition the vectors into buckets; for the audience familiar with lattice cosets, these buckets are just the cosets of L1 in L0. We partition the vectors into buckets, and within the same bucket, we arbitrarily pair up and subtract vectors. In the end, we receive a bunch of nicely distributed vectors lying in the sublattice L1. The reason these vectors lie in L1 is that when we take a pair of vectors in the same bucket and subtract them, the common coset offset cancels out, so the difference must lie in L1.
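To make the bucketing mechanics concrete, here is a minimal sketch of one pair-and-subtract step (my own simplification, not the paper's procedure). It uses L0 = Z^n with sublattice L1 = 2·Z^n, so a vector's bucket is just its coordinates mod 2, and it also performs the scaling-down that is discussed next.

```python
import random
from collections import defaultdict

import numpy as np

def pair_and_subtract(vectors):
    """One pairing step on L0 = Z^n with sublattice L1 = 2*Z^n.

    The bucket of a vector is its coset of 2*Z^n, i.e., its coordinates
    mod 2. Vectors in the same bucket are paired arbitrarily and
    subtracted, so each difference lies in 2*Z^n; unpaired leftovers are
    dropped. Note every coset c of this quotient satisfies c = -c, which
    is what makes the sign-symmetry argument below go through.
    """
    buckets = defaultdict(list)
    for v in vectors:
        buckets[tuple(v % 2)].append(v)
    out = []
    for bucket in buckets.values():
        random.shuffle(bucket)  # arbitrary pairing within the bucket
        for x, y in zip(bucket[0::2], bucket[1::2]):
            out.append(x - y)  # common offset cancels; x - y is in 2*Z^n
    return out

# Demo: start with sign-symmetric integer vectors (x and -x equally
# likely). Each round the vector count roughly halves, the expected
# squared norm roughly doubles, and after scaling back down by 2 the
# expected squared norm roughly HALVES, i.e., we make progress.
# (Here the number of buckets is 2^n, i.e., m = n; the real algorithm
# uses m just above n/2 to keep the number of vectors near 2^{n/2}.)
rng = np.random.default_rng(0)
n, N = 8, 1 << 17
vecs = [rng.integers(-3, 4, size=n) for _ in range(N)]
for step in range(4):
    mean_sq = np.mean([float(v @ v) for v in vecs])
    print(f"step {step}: {len(vecs):6d} vectors, mean squared norm = {mean_sq:.2f}")
    vecs = [w // 2 for w in pair_and_subtract(vecs)]  # subtract, then rescale
```

One thing this toy run also shows: as the squared norm shrinks, more and more vectors collapse to the zero vector, which previews exactly why the real algorithm needs the discrete Gaussian machinery described below.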
Now let's see what happens to the expected squared norm. We take a pair of vectors X and Y and subtract them. If we expand the squared norm ‖X − Y‖², we get the expected squared norms of the two vectors, plus a cross term, the inner product, in the middle. We claim that the expectation of this inner product term is actually 0. This is because the list of vectors we carry is sign-symmetric: X is distributed identically to −X, and we guarantee this property is maintained along the way. Therefore, the expected value of the inner product stays the same if we negate one of the two vectors, so it equals its own negation and must be 0. Hence, the expected squared norm of a difference is double the expected squared norm of the vectors we started with. So in one step, the expected squared norm doubles, and after r steps, it grows by a factor of exactly 2^r.

Next, recall that the lattice is also getting sparser and sparser. In each step we have 2^m buckets, and the number of buckets is exactly the number of cosets, so each sublattice has index 2^m in the previous one. After r steps, it is not hard to see that the lattice Lr we end up with is 2^{(m/n)·r} times the initial lattice, and we set this value to be 2^k; in other words, k = (m/n)·r.

Now recall that we scale down the vectors by 2^k. After scaling, the expected squared norm is 2^{r−2k}·T, and in order to make progress, we want this factor 2^{r−2k} to be much less than 1; in other words, we want the exponent to be well below 0. If we substitute back k = (m/n)·r, the exponent becomes r − 2(m/n)·r = r·(1 − 2m/n), and a little manipulation shows this is negative exactly when m > n/2.

Here we have a small remark on the running time. The running time is at least 2^m, because we need at least that many vectors to start with, both to make sure that every bucket has something in it and to make sure we are not losing too many vectors along the way. So the number of buckets is a lower bound on the number of vectors we must carry, the running time is at least 2^m, and we just argued that m must be above n/2. Therefore, the best running time we manage to achieve in the end is 2^{n/2 + o(n)}.

With this, we have shown that the vectors are getting shorter and shorter. It remains to show that we do not see too many zero vectors at the end, and to do this, we need the help of a nice distribution, essentially the discrete Gaussian distribution.

What is the discrete Gaussian distribution? For any discrete set A, a vector drawn from the discrete Gaussian over A shows up with probability proportional to its Gaussian mass. You can take it as an analogue of the continuous Gaussian distribution, and it is likewise associated with a parameter s, which can be seen as playing the role of the standard deviation of a continuous Gaussian. Here is a nice illustration of the discrete Gaussian on Z². When s is large, on the left, it looks fairly smooth, just like a continuous Gaussian distribution; when s is small, it looks more and more discretized.

We have a few remarks on the discrete Gaussian. Every lattice has an associated parameter called the smoothing parameter, and when the value of s is above the smoothing parameter, the discrete Gaussian behaves nicely, like a continuous Gaussian distribution, which allows us to manipulate it fairly easily.
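As an aside, the one-dimensional case is easy to play with. Here is a minimal rejection sampler for the discrete Gaussian over the integers; this is a standard textbook construction for illustration, not the sampler used in the paper.

```python
import math
import random

def sample_discrete_gaussian_Z(s, tail=None):
    """Sample from D_{Z,s}, where Pr[x] is proportional to exp(-pi*x^2/s^2).

    Plain rejection sampling: draw x uniformly from a truncated range and
    accept with probability exp(-pi*x^2/s^2). Truncating at ~10*s discards
    only a negligible tail of the distribution.
    """
    if tail is None:
        tail = max(1, int(math.ceil(10 * s)))
    while True:
        x = random.randint(-tail, tail)
        if random.random() < math.exp(-math.pi * x * x / (s * s)):
            return x

# For large s the samples look like a rounded continuous Gaussian whose
# variance is s^2/(2*pi); for small s nearly all the mass sits on 0 and
# +/-1, i.e., the distribution looks "discretized", as in the Z^2 pictures.
for s in (10.0, 1.0):
    samples = [sample_discrete_gaussian_Z(s) for _ in range(20_000)]
    emp = sum(x * x for x in samples) / len(samples)
    print(f"s = {s:4}: empirical E[x^2] = {emp:6.2f}  (s^2/(2*pi) = {s*s/(2*math.pi):.2f})")
```

For s = 10 the empirical second moment closely matches the continuous prediction s²/(2π), while for s = 1 the discrete and continuous answers visibly diverge; this is the same large-s versus small-s contrast as in the illustration on Z².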
More importantly, why are we introducing the discrete Gaussian at all? It allows us to upper bound the probability of seeing the zero vector, and with its help, we show that we will not see too many zero vectors at the end of our algorithm.

Now, the actual distribution our algorithm uses is a variant of the discrete Gaussian called a mixture of discrete Gaussians. In particular, there is some target sublattice L′. This target sublattice L′ is not necessarily known; it shows up only for the purpose of the analysis. Basically, if we look at vectors lying in the same coset of L′, those vectors are distributed like a discrete Gaussian; of course, across different cosets, they may not have any relationship at all. All we care about is that within the same coset, the vectors behave like a discrete Gaussian. With this, we can show that when our algorithm stops, we see vectors of expected squared norm about n·s², where the value of s is roughly the smoothing parameter of the target sublattice L′.

So it remains to show that there exists some target sublattice L′ with a small smoothing parameter. Here we use the reverse Minkowski theorem, which is a fairly heavy hammer. As a direct corollary of the reverse Minkowski theorem, we can show that for any lattice L, there exists a sublattice L′ whose smoothing parameter is upper bounded by polylog(n) times the minimum of λ1, the length of the shortest vector of the lattice, and det(L)^{1/n}, the normalized determinant of the lattice. One term then corresponds to the SVP problem we are trying to solve; the other corresponds to the HSVP problem we are trying to solve. Plugging the values together, we can show that the length of the output vectors is upper bounded by roughly √n times the minimum of λ1 and the normalized determinant of the lattice. That concludes the algorithm.

Let me mention some open problems. First, can we find a better analysis that brings down the approximation factor of the algorithm, or in other words, can we get a better guarantee on the approximation factor for SVP? In particular, before this work, as far as we know, all algorithms that solve √n-HSVP also solve constant-approximate SVP at the same time, and there is no reason to believe our algorithm is an exception; it is just that our current analysis is unable to give any better guarantee for SVP. So we wonder whether a different way of analyzing the algorithm could show that it actually achieves a better approximation factor for SVP.

Secondly, as I mentioned, our running time is 2^{n/2 + o(n)}, and this is precisely because we need at least 2^{n/2} cosets for the algorithm to make progress. So 2^{n/2} seems to be a barrier here. Is there a way to break this barrier and ultimately match the running time of heuristic algorithms?

And that's all I have. Thank you for your attention.