Hi. Welcome to this talk. So today I'll be talking about lattice reduction for modules, or how to reduce module SVP to module SVP. I'm Tamalika, and this is joint work with Noah Stephens-Davidowitz from Cornell. So the first half of this talk will be background and motivation, and the second half will be an overview of our techniques. So let's begin.

Let's start with the basics. So a Euclidean lattice is just a discrete additive subgroup of R to the d. Another way of defining a lattice of rank d is just taking the integer linear combinations of its basis vectors. So we care about the geometry of lattices, and one of the most important quantities associated with the geometry of the lattice L is the length of the shortest non-zero vector. And this is denoted by lambda 1 of L.

Since this is a talk on module lattices, let's actually define what a module lattice is. So we fix a number field K of degree n and we fix a full-rank discrete subring R in K. So for example you could take K to be the power-of-two cyclotomics and you can take R to be the ring of integers of that, but essentially R can be any full-rank discrete subring. And then we define a module lattice of rank k over the ring R as the set of all R-linear combinations of finitely many generating vectors y1 through yn in our number field K to the k. So notice that an ideal of a ring is just a rank 1 module lattice. And you can also observe that this definition is somewhat generalizing the definition I presented for Euclidean lattices. To see this, essentially in the Euclidean lattice definition we took the Z-span of our basis vectors in Euclidean space R to the d, and here we're taking the R-span of our generating vectors in our number field K to the k.

To make this association a little bit more concrete, essentially module lattices are just a subset of Euclidean lattices. And we can see this in two ways.
So the first way is that if we equip our number field K to the k with a norm, then we can just embed our module lattice in K to the k into Euclidean space, or into a Euclidean lattice in R to the kn. And by doing so we now have well-defined geometric properties: the lengths of vectors are well-defined, and a volume is well-defined, so the determinant is well-defined, and so on. The second way of seeing this association is to notice that module lattices are just Euclidean lattices with some symmetry. More formally, a module lattice is just a Euclidean lattice that's closed under some set of linear transformations, and these linear transformations correspond to multiplication by ring elements.

One of the most important problems associated with lattices is the approximate shortest vector problem, and the problem statement is as follows. Given the lattice basis B, the problem is to find a non-zero vector b in our lattice L such that the length of this vector is at most gamma times the length of the shortest non-zero vector in L. Now you can see that we can generalize this problem to the context of module lattices, and to do so we call this problem now gamma k module SVP, and this is essentially solving gamma SVP on module lattices of rank k. Notice that based on our previous discussion gamma k module SVP can be no harder than gamma SVP over Euclidean lattices with rank kn, and to see this, essentially like we said before, you can always embed a module lattice of rank k in a number field K to the k into a Euclidean lattice in R to the kn and just solve gamma SVP there. So for crypto we care about the approximation factor gamma being polynomial in the rank or the dimension of the lattice, and this will come up again when we see the technical results.

Since we're at Crypto, I'd be remiss to not mention the relevance of module lattices to crypto.
So essentially most lattice-based crypto schemes use module lattices as a building block, and more specifically the strong candidates for post-quantum crypto standardization by NIST that are being considered all use module lattices as building blocks, and so faster algorithms for module SVP would essentially break the security of these schemes. And this is a very high-level motivational idea of why we should care from a crypto perspective. One thing I'll note here is that we use module lattices instead of Euclidean lattices because the added structure of module lattices improves the efficiency of the crypto scheme.

So I'll go into basis reduction algorithms for SVP in more detail in the second half of this talk, but it's useful to describe the general idea at this point here. So essentially basis reduction algorithms for SVP work as follows: we want to try and solve gamma SVP, or approximate SVP, on a lattice of high rank, say rank d, and to do this we reduce the problem to solving approximate SVP on lattices of lower rank, say d prime, and this d prime is known as the block size. So a very famous and renowned application of this idea is the LLL algorithm, and the idea behind the LLL algorithm is that in order to solve approximate SVP for lattices of large rank, the algorithm reduces this to solving exact SVP for lattices of rank two. And as we've been seeing in the previous slides, since module SVP is just a special case of SVP, basis reduction algorithms for SVP also solve module SVP. So this brings us to our broad motivational question.
So as we saw, we can always embed our module lattices into Euclidean space and perform the basis reduction algorithms for SVP in that manner, but the question that we ask is: can we do better? Can we find faster algorithms for module SVP if we actually take advantage of the added structure that module lattices have? And from a crypto perspective, this motivational question translates into: does specializing to module lattices impact the security of our crypto schemes?

So there's been a vast and rich line of work that's looked at faster algorithms for solving module SVP on rank one module lattices, and there are indeed faster algorithms for the rank one module SVP case, but fortunately most crypto schemes were not broken by these algorithms. But if we have a similar improvement for higher rank lattices, this would indeed result in jeopardizing the security of the crypto schemes that use module lattices. And again I am sweeping a lot of technical details under the rug, but this is the general idea as to why we should care about this problem.

So what happens for higher rank? What do we know for module SVP for higher rank module lattices? Spoiler alert: we actually don't answer the motivational question that I posed earlier, so till date we still don't know if there are faster algorithms for module SVP for higher rank, but our work actually makes progress towards understanding this problem better. So last year Lee, Pellet-Mary, Stehlé and Wallet independently showed a reduction from high rank module SVP to rank two module SVP, and their results can be thought of as a generalization of LLL to module lattices. What we show can be thought of as a generalization of block reduction or slide reduction to module lattices, and so we show a reduction from rank k module SVP to rank beta module SVP for any k and beta between two and k, with an appropriate tradeoff between the approximation factor and the rank.
So the forefront of our knowledge regarding that question that I posed earlier, about faster algorithms for module lattices for higher rank, is the following: we know that solving module SVP for rank two module lattices is as hard as solving module SVP for higher rank module lattices, and so there could be two possible consequences of this result. So the first consequence or scenario could be that maybe there is a large gap between the hardness of solving SVP for rank one versus rank two module lattices. The second scenario is a little bit more bleak: since we already have faster algorithms for solving rank one module SVP, we only need to make progress in getting faster algorithms for module SVP for rank two module lattices, and even this progress would result in jeopardizing most crypto schemes that use module lattices as building blocks.

So before we move on to the overview of our techniques, here is the formal statement of our results. As I mentioned before, we essentially generalized the slide reduction of Gama and Nguyen from 2008 to module lattices, and so their result is the current state of the art for lattices, and their result is as follows: they showed that there is an efficient reduction from gamma kn SVP to gamma prime beta n SVP, where the approximation factor is given here. I'd like to note that the rank is parameterized as multiples of n just so we can compare their result to our result more easily. So our main theorem is that there is an efficient reduction from gamma k module SVP to gamma prime beta module SVP, where the approximation factor is as follows.

So I'd like to note three things on this slide. The first is an interpretation of our result. So our result is essentially saying that using a module SVP oracle, up to certain approximation factors, is as good as using a generic SVP oracle when it comes to basis reduction for module lattices, and this is somewhat surprising.
The second point I'd like to make here is about the approximation factor: as I mentioned earlier, for crypto we care about gamma being polynomial in the rank or the dimension, and so you should think of k as being linear in beta. The third point is also regarding the approximation factor. If you notice, I haven't defined the underlying ring or the number field in this main theorem statement, but in reality this approximation factor does depend on the underlying ring and the associated norm. And so the main theorem that we have here is stated for the canonical embedding of the ring of integers of cyclotomic fields.

Okay, so now we move on to the second half of this talk, and before we dive into our techniques for basis reduction of module lattices, it helps to provide some intuition by going over the basis reduction techniques for Euclidean lattices. So for any Euclidean lattice L with basis B, we can always do Gram-Schmidt and QR decomposition to get B as a product of two matrices, where Q is an orthogonal matrix and R is the upper triangular matrix, and here the bi tildes are the Gram-Schmidt vectors. So since Q is just a rotation matrix, this doesn't change the length of the vectors, and so we essentially can think of our lattice basis as being the upper triangular matrix up to a rotation. So we can just work with this upper triangular matrix as our lattice basis from now on and do block reduction on this.
Now as I described earlier in the first half of this talk, the idea for block reduction is essentially: if you want to solve approximate SVP on a lattice of high rank, say rank d, we reduce this problem to solving approximate SVP on lattices of lower rank, say beta, and to do so we use our SVP oracle for rank beta and we call that on each of these blocks of size beta by beta. And the goal is to essentially make the first vector in each of these blocks the shortest vector, and by doing so we end up with the resulting basis for this entire lattice; the first vector in that resulting basis will be the solution to our approximate SVP problem for rank d.

So is there a way that we can generalize this idea that I just described for block reduction with Euclidean lattices to module lattices? The first natural attempt at trying to generalize this idea could be the following: we could think of doing QR decomposition over our number field on the R-generating set of a module lattice. Now this idea doesn't work, and it's because not all module lattices of rank k have R-generating sets that have exactly k elements. To illustrate this point, take this example where we have the ideal generated by 2 and 1 + √-5 over the ring Z[√-5]. Now this ideal is generated by two elements, but the rank of this ideal is one over the number field. So this particular approach to generalizing block reduction doesn't seem useful. Can we look at block reduction in a different way and perhaps generalize it from a different perspective?
So the key observation here is that in the block reduction or basis reduction that I showed you earlier, if you want to do block reduction for lattices of rank d, we only need to know about the nested sequence of sublattices L1 through Ld, where each of these Li's is just the integer linear combinations of the first i basis vectors, and the i-th block is just given by the projection of the (i + beta)-th sublattice orthogonal to the (i - 1)-th sublattice. Now can we take this key observation and generalize this to module lattices? It turns out that we can, and to capture this idea we introduce filtrations for module lattices.

So a filtration of a module lattice is just a nested sequence of module lattices. So for a module lattice of rank k we have a nested sequence M1 through Mk, and it has to satisfy the following three properties. The first one, primitivity, is just a non-degeneracy property. The second one is we require that it has increasing ranks, and this follows the same intuition as I described earlier for our Euclidean lattice setting, so if we go back here, these sublattices indeed have increasing ranks, where each sublattice Li has rank i. And the third property is that we require that it has rank 1 projections, and this is just an analog of Gram-Schmidt orthogonalization in the context of module lattices. So these Mi tildes are defined as the projection of Mi orthogonal to M(i-1).

For the experts in the audience, you might notice that actually the first property implies the second and the second implies the third, but we state all three for the sake of clarity. And also we do show that for every module lattice of rank k there exists a filtration, and this can be computed efficiently. The last point I'll make on the side is that we need to be careful about the way we define the projection map, and in particular we need to be careful regarding the spaces it's defined over and the associated norm.
If you're interested in these technical details you should definitely go check out our full version.

Okay, so just to draw out that third property a little bit more: as I mentioned, the third property is rank 1 projections, and this is essentially the analog of Gram-Schmidt in the case of module lattices. So as you see here on the left-hand side, the Gram-Schmidt orthogonalization for Euclidean lattices is b1 tilde through bd tilde over the Euclidean space R, and now that we have our filtration definition, we can define an analog of that in the context of module lattices as M1 tilde through Md tilde of a module lattice over the ring R.

Okay, so you might be wondering: we want to do block reduction now on the filtration, but each of these blocks now consists of module lattices and not of vectors anymore. So if you remember, the idea for block reduction when we had Euclidean lattices was just to take each block of these vectors and make the first vector the shortest in each block. In order to generalize that idea, instead of making the first vector the shortest in each block, what we do instead is we make the densest rank 1 module the first submodule in each block, and to capture this we introduce a new problem called the dense ideal problem.
I'll give a little bit more intuition on this slide. So we define density in terms of determinants, and essentially the more dense a module lattice is, the smaller its determinant, and this implies that it contains a short vector. And if you're interested in more details, check out our full version, but this is all I have to say about our techniques.

So to summarize our paper and this talk, these are the key takeaways that you should have. The first one is that module lattices are used in current lattice-based crypto schemes, especially the ones that are considered by NIST, and we do know that there exist faster algorithms for module SVP for rank 1 module lattices, but we still don't know if this is true for higher rank module lattices. And in our work we make progress towards answering that question: more specifically, we show that solving module SVP on a module lattice of rank k is no harder than solving it for a module lattice of rank beta, where beta is between 2 and k, and we do this by generalizing basis reduction techniques on lattices.

So here's all the references, feel free to pause on this slide. Thank you for listening to this talk.