Point lattices are powerful mathematical objects that can be used to efficiently solve many important problems in computer science, most notably in the areas of cryptography and combinatorial optimization. This course gives a general introduction to the theory of point lattices, their algorithms, computational complexity, mathematical techniques, and applications to cryptography. Specific topics touched by the course include:

**Algorithms**: approximation algorithms for the efficient solution of lattice approximation problems, exponential time algorithms for the exact solution of NP-hard lattice problems.**Lattice based cryptanalysis**: using lattice algorithms to break cryptographic functions.**Computational Complexity**: NP-hardness, reductions, connection between*average-case*and*worst-case*complexity**Lattice Based Cryptography**: the design of cryptographic functions that are as hard to break as solving hard lattice problems.**Advanced mathematical techniques**: Fourier/Harmonic analysis methods for the study of lattice problems. Lattice problems from Algebraic Number Theory and their application to the design of very efficient cryptographic functions.

The main *prerequisites* for the course are general mathematical maturity, knowledge of basic mathematics (good linear algebra and probability theory, basic abstract algebra, and a little bit of calculus) and introductory level algorithms and complexity theory (mathematical models of computation, analysis of algorithms, polynomial time solvability, NP-hardness, etc.) Some prior knowledge of cryptography is useful, but not strictly required. No prior knowledge of advanced complexity theory, Fourier analysis, or algebraic number theory is assumed, but you should be prepared to learn a bit about all this through the course.

*Coursework* for students enrolled in the course will include a substantial amount of reading, 2 or 3 individual homework assignments, and a team project to be executed in groups of 2 or 3 students. Projects should be discussed with the instructor by the end of the 5th week of classes, and will be due during the 10th week. Each group should submit a written report, and possibly deliver a short presentation.

Homework 1: Due Wed Oct 27, 2021. Please submit your solutions through gradescope as groups of 2 or 3 students.

Homework 2: Due Wed Nov 10, 2021. Submit your solution through gradescope.

Latex template for lecture notes.

The course will be based on a combination of lecture notes, research papers and other online material as posted below. The list will be updated as the course moves forward. You can find information about additional topics to be covered on the web pages of previous editions of this course (Fall 2019, Fall 2017, Winter 2016, Spring 2014, Winter 2012, Winter 2010, Spring 2007, Winter 2002)

**Point Lattices**: Lattices, Bases, Gram-Schmidt orthogonalization, and Lattice determinant.**Minkowski’s Theorem**: The Shortest Vector Problem (SVP), Shortest Independent Vectors Problem (SIVP), and Minkowski’s Theorems.**The LLL Algorithm**: The Basis Reduction algorithm of Lenstra, Lenstra and Lovasz. Approximating SVP and CVP with 2^{O(n)}in polynomial time.**PRG Cryptanalysis**: Subsetsub and Linear Congruential Generators, and their cryptanalysis**Computational Complexity:**simple NP-hardness and reductions- The hardness of the closest vector problem with preprocessing (IEEE Trans. IT, 2001)
- Approximating shortest lattice vectors is not harder than approximating closest lattice vectors (Info. Proc. Letters, 1999)
- Efficient reductions among lattice problems (SODA 2008)
- On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem (CRYPTO 2009)

**Duality**: The dual lattice and the Closest Vector Problem (CVP)**Block basis reduction:**improving LLL approximation factor using low dimensional SVP solvers- Series of blog posts by former UCSD student Michael Walter
- Finding short lattice vectors within mordell’s inequality (STOC 2008)
- Slide Reduction, Revisited - Filling the Gaps in SVP Approximation (Crypto 2020)
- Practical, Predictable Lattice Basis Reduction (Eurocrypt 2016)

**Exact algorithms for SVP and CVP****Harmonic Analysis**lecture notes, Improved Discrete Gaussian and Subgaussian Analysis for Lattice Cryptography (PKC 2020)**Worst-case/Average-case connection**:The reduction for SIS is mostly from

- Worst-case to average-case reductions based on Gaussian measure (FOCS 2004/SICOMP 2007)

with some improvements/simplifications using the sampling algorithm from

- Finding the closest lattice vector when it’s unusually close (SODA 2000)
- Trapdoors for hard lattices and new cryptographic constructions (STOC 2008)

For the LWE problem, see

- On lattices, learning with errors, random linear codes, and cryptography (STOC 2005/JACM 2009)
- Public-key cryptosystems from the worst-case shortest vector problem (STOC 2009)
- Classical hardness of learning with errors (STOC 2013)

**Random Lattices and Lattice Cryptography**: Random lattices, the SIS and LWE problems, and construction of basic cryptographic primitives, like one-way functions and collision resistant hashing.

A collection of Links to papers and other resources on lattice cryptography and algorithms (not very actively) maintained by Daniele Micciancio, mostly for his own personal use.

- Introductory chapter on lattices from
*“Complexity of Lattice problems: a cryptographic perspective”*(2002). The rest of the book is a bit out of date, but still a good introduction to the subject. - Survey chapter on Lattice-Based Cryptography from
*“Post Quantum Cryptography”*(2009) - A Decade of Lattice Cryptography. An more recent extensive survey covering most advanced applications of lattices in cryptography.
- Survey chapter on Cryptographic functions from worst-case complexity assumptions from
*“The LLL Algorithm: Survey and Applications”*(2009). The book has many other interesting chapters covering more applications of lattices in computer science and mathematics. - Tutorial on The Geometry of Lattice Cryptography from FOSAD 2011.
- Survey on The Learning With Errors Problem from CCC 2010.

- Oded Regev’s couorse on Lattices in Computer Science at Tel Aviv university.
- Chris Peikert’s course on Lattices in Cryptography at U. Michigan.
- Vinod Vaikuntanathan’s course on Advanced Topics in Cryptography: Lattices at MIT

The two main libraries implementing the lattice reduction algorithms studied in this course are:

- fpLLL: state of the art impementation of lattice reduction and related algorithms using fast floating point arithmetics.
- Number Theory Library (NTL). A C++ library for lattice basis reduction, polynomial arithmetics and other algebraic problems.

There are many more libraries implementing cryptographic functions based on lattices, including:

- PALISADE. A general purpose C++ library for lattice cryptography.
- Lambda o lambda (Lol). A high level Haskell library for lattice based cryptography. See also paper.
- NFLlib. An NTT-based Fast Lattice Library for computations in power-of-two cyclotomic rings.
- HElib. A library for Fully Homomorphic Encryption.
- RingLWE C++ library: A C++implementation of the RingLWE Toolkit of Lyubashevsky, Peikert and Regev, as described in this MS Thesis.