In [1]:
from sage.modules.free_module_integer import IntegerLattice

# Prerequisites

- Algebra for lattices

# Theory

- https://simons.berkeley.edu/sites/default/files/docs/14953/intro.pdf + talk https://www.youtube.com/watch?v=21IzHN9-CjE

## Lattices

**Definition**
> Let $b_1, \ldots, b_n \in \mathbb{R}^n$ be *linearly independent vectors* and write $B=(b_1, \ldots, b_n)$ for the matrix having them as columns.
> The lattice generated by these vectors is the set of all their integer combinations $$\mathcal{L}(b_1, ..., b_n) = \left \{ \sum_{i=1}^{n} a_ib_i : a_i \in \mathbb{Z} \right \}$$

- $\dim(\mathcal{L}) = n$ (a lattice with $n$ independent generators in $\mathbb{R}^n$ is called full rank)
- Equivalently, in matrix form, $\mathcal{L}(B) = \{Bx:x\in \mathbb{Z}^n\}$

**Note**
- A lattice admits many bases: $B'$ is another basis of $\mathcal{L}(B)$ iff $B' = BU$ for an integer matrix $U$ with $\det(U) = \pm 1$ (a *unimodular* matrix)
 
![image.png](attachment:image.png)

**Determinant**
- $\det(\mathcal{L}(B)) = |\det(B)|$
- Independent of the choice of the basis

In [11]:
from sage.modules.free_module_integer import IntegerLattice

In [14]:
M = matrix([[0, 1], [1, 0]])  # rows are the basis vectors
vector([2, 3]) in span(M)  # span over ZZ (the base ring of M): the vector is in the lattice

True

In [16]:
L = IntegerLattice(M)

In [28]:
print(L.basis_matrix())
print(L.base_ring())
print(L.dimension())
print(vector([2, 3]) in L.span(L.basis_matrix()))
for v in list(L.some_elements())[:10]:
    print(v)

[0 1]
[1 0]
Integer Ring
2
True
(0, 1)
(1, 1)
(0, 1)
(-1, 2)
(-2, 3)
(-3, 4)
(-4, 5)
(-5, 6)
(-6, 7)
(-7, 8)


In [2]:
from fpylll import IntegerMatrix

In [5]:
M = IntegerMatrix.from_matrix([[2, 0], [1, 1]])

### Fundamental parallelepiped

**Fundamental domain (parallelepiped)** 

> Let $\mathcal{L}$ be a lattice of dimension $n$ and let $b_1,b_2,\ldots,b_n$ be a basis for $\mathcal{L}$. The **fundamental domain** for $\mathcal{L}$ corresponding to this basis is the set  
> - $\mathcal{F}(b_1,\ldots,b_n)=\{t_1b_1+t_2b_2+\cdots+t_nb_n : 0 \le t_i < 1\} = B \cdot [0, 1)^n$.
> - We can center the domain => $B \cdot \left[- \dfrac 1 2, \dfrac 1 2\right)^n$

**Note**
- We can generate the whole $\mathbb{R}^n$ using $\mathcal{F}(B)$
- $\mathbb{R}^n = \bigcup_{v \in \mathcal{L}} v + \mathcal{F}(B)$
- We can **partition** the space in fundamental domains

**Group theory Intuition**
- $(\mathcal{L}, +)$ is a subgroup of $(\mathbb{R}^n, +)$
- We can form the quotient group $\mathbb{R}^n / \mathcal{L}$. Elements of this group are cosets $t + \mathcal{L}$

**Theorem**
- $\det(\mathcal{L}(B)) = \operatorname{vol}(\mathcal{F}(B))$
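As an added example (not part of the notebook, and written in plain Python rather than Sage so that it runs without a Sage kernel), the code below checks the facts of the last two sections on a constructed 2-D basis `B` and a constructed unimodular matrix `U`: membership in $\mathcal{L}(B)$, the determinant being the same for both bases of the lattice, and the decomposition of an arbitrary point of $\mathbb{R}^n$ as a lattice vector plus a point of $\mathcal{F}(B)$. Rows of `B` are the basis vectors (the transpose of the column convention used above), and every helper name (`solve_coeffs`, `reduce_mod_lattice`, ...) is this example's own.

```python
from fractions import Fraction
from math import floor

# Constructed example (not from the notebook). Rows of B are the basis vectors b_1, b_2;
# U is unimodular (integer entries, det(U) = 1), so B2 = U*B is another basis of the same lattice.
B = [[2, 1], [1, 3]]
U = [[1, 1], [2, 3]]


def mat_mul(X, Y):
    """Plain matrix product over the integers/rationals."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]


B2 = mat_mul(U, B)   # [[3, 4], [7, 11]]


def det(M):
    """Exact determinant by Gaussian elimination over the rationals."""
    A = [[Fraction(v) for v in row] for row in M]
    n, d = len(A), Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            d = -d                       # a row swap flips the sign
        d *= A[col][col]
        for r in range(col + 1, n):
            f = A[r][col] / A[col][col]
            A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return d


def solve_coeffs(B, t):
    """Rational coefficients x with sum_i x_i * B[i] == t (Gauss-Jordan on the system B^T x = t).
    Assumes B is square and full rank; entries of t may be ints, Fractions or strings like '5.3'."""
    n = len(B)
    M = [[Fraction(B[j][i]) for j in range(n)] + [Fraction(t[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def in_lattice(B, t):
    """t is in L(B) iff its coordinates with respect to B are all integers."""
    return all(c.denominator == 1 for c in solve_coeffs(B, t))


def same_lattice(B1, B2):
    """Two bases generate the same lattice iff each basis vector lies in the other lattice."""
    return all(in_lattice(B1, row) for row in B2) and all(in_lattice(B2, row) for row in B1)


def reduce_mod_lattice(B, t):
    """Split t = v + r with v in L(B) and r in the fundamental domain F(B) = B*[0,1)^n:
    keep the integer part of each coordinate of t with respect to B for v."""
    coeffs = solve_coeffs(B, t)
    ints = [floor(c) for c in coeffs]
    v = [sum(ints[i] * B[i][j] for i in range(len(B))) for j in range(len(B[0]))]
    r = [Fraction(t[j]) - v[j] for j in range(len(t))]
    return r, v


def in_fundamental_domain(B, t):
    """t lies in F(B) iff every coordinate with respect to B is in [0, 1)."""
    return all(0 <= c < 1 for c in solve_coeffs(B, t))


if __name__ == "__main__":
    print(det(B), det(B2), same_lattice(B, B2))          # 5 5 True
    print(in_lattice(B, [3, 4]), in_lattice(B, [1, 0]))  # True False
    print(reduce_mod_lattice(B, ["5.3", "2.1"]))         # ([23/10, 31/10], [3, -1])
```

`same_lattice` is the membership test applied in both directions; it is exactly the statement that the change-of-basis matrix and its inverse are both integral, which is what $\det(U) = \pm 1$ guarantees.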

![image.png](attachment:image.png)

![image.png](attachment:image.png)

### Short vectors

**Distance function**
- The distance from a vector to the lattice is the distance from that vector to the closest lattice point
- $\mu(t, \mathcal{L}) = \underset{v \in \mathcal{L}}{\min}{\|t-v\|}$

**Minimum distance**
> Minimum distance of a lattice $\mathcal{L}$ is the length of the shortest nonzero lattice vector $\lambda_1 = \min \|v\|, \ v \in \mathcal{L} \backslash \{0\}$

![image.png](attachment:image.png)

**Shortest vectors**
- $\lambda_i(\mathcal{L}) = \min \{r : \mathcal{L} \text{ contains } i \text{ linearly independent vectors of length} \le r\}$
- $\lambda_1(\mathcal{L}) \leq \lambda_2(\mathcal{L}) \leq \ldots \leq \lambda_n(\mathcal{L})$

![image-2.png](attachment:image-2.png)

## Lattice Duals

- https://en.wikipedia.org/wiki/Dual_lattice

**Vector space dual**

> The dual of a vector space $V$ is the set $V^\vee = \operatorname{Hom}(V, \mathbb{R})$ of linear functions $\phi : V \to \mathbb{R}$  
> Every linear function can be represented as a vector  $x \in V$  
> Notation: $\phi_x(y) = x \cdot y$ - dot product

**Dual lattice**

> The dual of a lattice $\mathcal{L}$ is the set $\mathcal{L}^\vee$ (also written $\mathcal{L}^*$) of all vectors $x \in \operatorname{span}(\mathcal{L})$ such that $x\cdot y \in \mathbb{Z} \ \forall y \in \mathcal{L}$

**Examples**
- $(\mathbb{Z}^n)^\vee = \mathbb{Z}^n$, since the dot product of any two vectors in $\mathbb{Z}^n$ is an integer
- Scaling $(q \cdot \mathcal{L})^\vee = \dfrac 1 q  \cdot \mathcal{L}^\vee$

**Properties**
- $\mathcal{L}_1 \subseteq \mathcal{L}_2 \iff \mathcal{L}^\vee_2 \subseteq \mathcal{L}^\vee_1$
- $(\mathcal{L}^\vee)^\vee =\mathcal{L}$
- For $x \in \mathcal{L}, \  y \in \mathcal{L}^\vee$
    - $x \cdot y \in \mathbb{Z}$
    - $x + y$ has no geometric meaning, they are in different spaces
- each dual vector $y\in \mathcal{L}^\vee$ **partitions** $\mathcal{L}$ into layers orthogonal to $y$
- ![image.png](attachment:image.png)
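An added example (not part of the notebook; plain Python instead of Sage) that checks the definition, the examples and the properties above on a constructed 2-D basis `B`. For a full-rank lattice the dual has the basis $(B^{-1})^T$; the code writes that inverse out for the $2 \times 2$ case only, and all function names are this example's own.

```python
from fractions import Fraction
import itertools

# Constructed 2-D example (not from the notebook); rows of B are the basis vectors.
B = [[2, 0], [1, 3]]


def dual_basis(B):
    """Rows of the dual basis D satisfy D[i] . B[j] = 1 if i == j else 0, i.e. D = (B^-1)^T.
    Written out for 2x2 (full-rank) bases only."""
    (a, b), (c, d) = B
    det = Fraction(a * d - b * c)
    return [[d / det, -c / det], [-b / det, a / det]]


def dot(x, y):
    return sum(Fraction(p) * Fraction(q) for p, q in zip(x, y))


def lattice_points(B, r):
    """All integer combinations a*B[0] + b*B[1] with |a|, |b| <= r."""
    return [tuple(a * B[0][j] + b * B[1][j] for j in range(2))
            for a, b in itertools.product(range(-r, r + 1), repeat=2)]


def is_dual_vector(B, y, r=3):
    """y is in L(B)^vee iff x . y is an integer for every lattice vector x; checked on the box
    |coeffs| <= r, which suffices: integrality on the basis vectors already implies it everywhere."""
    return all(dot(x, y).denominator == 1 for x in lattice_points(B, r))


def all_pairings_integral(B, r=3):
    """Every vector of the dual lattice (generated by dual_basis) pairs integrally with L(B)."""
    return all(is_dual_vector(B, y, r) for y in lattice_points(dual_basis(B), r))


def double_dual(B):
    """(L^vee)^vee = L: dualising twice gives back the original basis."""
    return dual_basis(dual_basis(B))


def scaled_dual(B, q):
    """(q*L)^vee = (1/q) * L^vee, checked on the basis matrices."""
    qB = [[q * v for v in row] for row in B]
    return dual_basis(qB) == [[v / q for v in row] for row in dual_basis(B)]


def layers(B, y, r=2):
    """A dual vector y slices L into layers {x : x . y = k}, one layer per integer k."""
    return sorted({dot(x, y) for x in lattice_points(B, r)})


if __name__ == "__main__":
    print(dual_basis(B))                        # [[1/2, -1/6], [0, 1/3]]
    print(all_pairings_integral(B), scaled_dual(B, 5), double_dual(B) == B)  # True True True
    print(layers(B, dual_basis(B)[0]))          # [-2, -1, 0, 1, 2]
```

`layers` makes the last property concrete: pairing with the first dual basis vector reads off the first coordinate of every lattice point, so the lattice falls into the parallel layers $x \cdot y = k$ for $k \in \mathbb{Z}$.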


## Q-ary lattices

**Definition**
> Let $A \in \mathbb{Z}^{n \times d}_q$ be a matrix  
> Definition 1 (q-ary lattice): $q\mathbb{Z}^d \subseteq \mathcal{L} \subseteq \mathbb{Z}^d$  
> Definition 2: $\mathcal{L}_q(A) = \{x \in \mathbb{Z}^d : x \bmod q \in A^T \mathbb{Z}^n_q \}$  
> Definition 3: $\mathcal{L}^\perp_q(A) = \{x \in \mathbb{Z}^d : Ax = 0 \bmod q \}$

*Intuition*
- $q\mathbb{Z^d} \subseteq \mathcal{L}$ is periodic $\bmod q$
- We use arithmetic $\bmod q$

**Note**
- $\mathcal{L}^\perp_q(A) \neq \mathcal{L}_q(A)$ in general
- They are each other's dual up to the scaling by $q$: $\mathcal{L}^\perp_q(A) = q \cdot \mathcal{L}_q(A)^\vee$ (the proof below shows the containment $\tfrac 1 q \mathcal{L}^\perp_q(A) \subseteq \mathcal{L}_q(A)^\vee$)

*Proof* (of the containment)
- Let 
    - $x \in \mathcal{L}_q(A)$
    - $x' \in \mathcal{L}^\perp_q(A)$  
- Then 
    - $x = A^T \cdot z + q \cdot w$ for some $z \in \mathbb{Z}^n$, $w \in \mathbb{Z}^d$
    - $Ax' = 0 \bmod q$
- So $x^T \cdot x' = (z^TA) \cdot x' + q \cdot (w^T x') = z^T \cdot (Ax') + q \cdot (w^T x') \in q\mathbb{Z}$
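The following added example (not from the notebook; plain Python, no Sage) instantiates the three definitions and the proof on a constructed instance with $q = 5$, $n = 2$, $d = 3$, small enough to enumerate by brute force. It checks periodicity mod $q$, that the two lattices differ, that every pairing $x \cdot x'$ is a multiple of $q$, and that the residue counts multiply to $q^d$ (rank-nullity over $\mathbb{Z}_q$, which holds because $q$ is prime). The function names are this example's own.

```python
import itertools

# Constructed small instance (not the notebook's random one): q = 5, A in Z_q^{n x d}, n = 2, d = 3.
q = 5
A = [[1, 2, 3],
     [4, 0, 1]]
n, d = len(A), len(A[0])


def A_times(x):
    """A x reduced mod q (x in Z^d)."""
    return [sum(A[i][j] * x[j] for j in range(d)) % q for i in range(n)]


def AT_times(z):
    """A^T z reduced mod q (z in Z^n)."""
    return [sum(A[i][j] * z[i] for i in range(n)) % q for j in range(d)]


def in_Lq(x):
    """Definition 2: x in L_q(A) iff x mod q = A^T z mod q for some z (brute force over z in Z_q^n)."""
    target = [v % q for v in x]
    return any(AT_times(z) == target for z in itertools.product(range(q), repeat=n))


def in_Lq_perp(x):
    """Definition 3: x in L_q^perp(A) iff A x = 0 mod q."""
    return all(v == 0 for v in A_times(x))


def periodic(pred, x):
    """Definition 1 in action: adding q to any coordinate never changes membership."""
    return all(pred([xi + (q if j == k else 0) for j, xi in enumerate(x)]) == pred(x)
               for k in range(d))


def count_mod_q(pred):
    """Number of residues in {0..q-1}^d that belong to the lattice; by periodicity this
    describes the whole lattice. For prime q: |L_q(A) mod q| * |L_q^perp(A) mod q| = q^d."""
    return sum(1 for x in itertools.product(range(q), repeat=d) if pred(x))


def pairings_divisible_by_q(r=q):
    """The proof above: x in L_q(A) and x' in L_q^perp(A) imply x . x' in q Z,
    i.e. x'/q pairs integrally with L_q(A), so (1/q) L_q^perp(A) sits inside L_q(A)^vee."""
    box = list(itertools.product(range(-r, r + 1), repeat=d))
    X = [x for x in box if in_Lq(x)]
    Xp = [x for x in box if in_Lq_perp(x)]
    return all(sum(a * b for a, b in zip(x, xp)) % q == 0 for x in X for xp in Xp)


if __name__ == "__main__":
    print(in_Lq([1, 2, 3]), in_Lq_perp([1, 2, 3]))    # True False  (first column of A^T)
    print(in_Lq([1, 3, 1]), in_Lq_perp([1, 3, 1]))    # False True  (A*(1,3,1) = (10,5) = 0 mod 5)
    print(count_mod_q(in_Lq), count_mod_q(in_Lq_perp))  # 25 5
    print(pairings_divisible_by_q())                  # True
```

The brute-force membership tests are only for illustration at this size; the Sage cells that follow build an explicit basis matrix instead, which is what any real computation needs.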

In [None]:
# Sage has no q-ary lattice constructor, so we build a basis matrix for L_q(A) from A by hand

In [56]:
n = 5
d = 3
q = random_prime(101)
A = random_matrix(Zmod(q), d, n)  # the d rows of A generate the lattice mod q inside Z^n (transposed relative to the definition above)
A

[15 10 10  3  4]
[ 6  4 14  5 13]
[11  1  4  5  7]

In [57]:
A.echelonize()  # reduced row echelon form mod q; with full rank and pivots in the first d columns, A = [I | A']

In [58]:
N = A.change_ring(ZZ)                                       # lift the echelon rows to integer vectors
S = matrix(ZZ, n-d, d).augment(q * identity_matrix(n-d))    # the rows q*e_{d+1}, ..., q*e_n
N.stack(S, subdivide=True)  # basis of L_q(A) = {x : x = zA mod q}; q*e_1, ..., q*e_d are already in the row span thanks to the identity block

[ 1  0  0  9 11]
[ 0  1  0 16 12]
[ 0  0  1 15 11]
[--------------]
[ 0  0  0 17  0]
[ 0  0  0  0 17]

## Hard problems

![image.png](attachment:image.png)

### SVP

> **SVP** Given an arbitrary basis $B$, find a shortest nonzero lattice vector, i.e. $v \in \mathcal{L}$ with $\|v\| = \lambda_1(\mathcal{L})$

> **ApprSVP** Given an arbitrary basis $B$, find a nonzero lattice vector that is short up to an approximation factor $\gamma$: $v \in \mathcal{L}$ with $\|v\| \le \gamma(n) \lambda_1(\mathcal{L})$

![image.png](attachment:image.png)

In [2]:
M = matrix([[-1, 2], [-2, 3]])
L = IntegerLattice(M)

In [3]:
L.shortest_vector()

(-1, 0)

### CVP

> **CVP** Given an arbitrary basis $B$ and a target vector $w \in \mathbb{R}^n$, find a closest lattice vector, i.e. $v \in \mathcal{L}$ with $\|v-w\| = \mu(w, \mathcal{L})$

> **ApprCVP** Given an arbitrary basis $B$ and a target vector $w \in \mathbb{R}^n$, find a lattice vector that is close up to an approximation factor $\gamma$: $v \in \mathcal{L}$ with $\|v-w\| \le \gamma(n) \cdot \mu(w, \mathcal{L})$

![image.png](attachment:image.png)

In [32]:
M = matrix([[-1, 2], [-2, 3]])
L = IntegerLattice(M)

In [37]:
w = vector([1.8, 1.5])
L.closest_vector(w)

(2.00000000000000, 2.00000000000000)
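An added example (not part of the notebook; plain Python rather than Sage) for the SVP and CVP sections. It uses the notebook's basis `[[-1, 2], [-2, 3]]` (rows as basis vectors) together with a constructed second basis of the same lattice, solves both problems exactly by enumerating coefficient pairs, and contrasts the exact CVP answer with Babai's rounding, the cheap approximate method whose quality depends on the basis it is given. Note that for the notebook's target $(1.8, 1.5)$ the points $(2, 2)$ and $(2, 1)$ are equally close, so Sage's answer is one of two valid ones. Function names and the bound parameter are this example's own.

```python
from fractions import Fraction
import itertools

# B_BAD is the basis from the notebook's SVP/CVP cells; B_GOOD is a constructed second basis
# of the same lattice (both have determinant +-1, so both generate Z^2). Rows are basis vectors.
B_BAD = [[-1, 2], [-2, 3]]
B_GOOD = [[1, 0], [0, 1]]


def combination(B, coeffs):
    """Integer combination sum_i coeffs[i] * B[i], as a tuple."""
    return tuple(sum(c * B[i][j] for i, c in enumerate(coeffs)) for j in range(len(B[0])))


def dist2(v, w):
    """Exact squared Euclidean distance; entries may be ints, Fractions or strings like '1.8'."""
    return sum((Fraction(a) - Fraction(b)) ** 2 for a, b in zip(v, w))


def svp_bruteforce(B, bound):
    """Exact SVP for a 2-D lattice: enumerate coefficient pairs in [-bound, bound]^2.
    Exponential in the dimension; feasible only because the example is tiny. The bound must be
    large enough that a shortest vector has coefficients inside it (skewed bases need larger bounds)."""
    best = None
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=2):
        if coeffs == (0, 0):
            continue
        v = combination(B, coeffs)
        if best is None or dist2(v, (0, 0)) < dist2(best, (0, 0)):
            best = v
    return best


def lambda1_squared(B, bound):
    return dist2(svp_bruteforce(B, bound), (0, 0))


def cvp_bruteforce(B, w, bound):
    """Exact CVP by the same enumeration; returns one closest vector (ties broken by enumeration order)."""
    best = None
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=2):
        v = combination(B, coeffs)
        if best is None or dist2(v, w) < dist2(best, w):
            best = v
    return best


def babai_round(B, w):
    """Babai rounding (approximate CVP): express w in coordinates of B, round each coordinate to
    the nearest integer and map back. Cheap, but the answer depends on how skewed the basis is."""
    (a, b), (c, d) = B
    det = Fraction(a * d - b * c)
    w0, w1 = Fraction(w[0]), Fraction(w[1])
    x = (w0 * d - c * w1) / det     # Cramer's rule for x*B[0] + y*B[1] = w
    y = (a * w1 - b * w0) / det
    return combination(B, (round(x), round(y)))


if __name__ == "__main__":
    print(svp_bruteforce(B_BAD, 5), lambda1_squared(B_BAD, 5))        # a unit vector, 1
    w = ("1.8", "1.5")
    print(cvp_bruteforce(B_BAD, w, 15), dist2(cvp_bruteforce(B_BAD, w, 15), w))  # (2, 1) or (2, 2), 29/100
    w2 = ("0.4", "0.4")
    print(cvp_bruteforce(B_BAD, w2, 15), babai_round(B_GOOD, w2), babai_round(B_BAD, w2))  # (0, 0) (0, 0) (0, 1)
```

The last line is the point of the example: on the skewed basis, rounding the coordinates $(2, -1.2)$ lands on $(0, 1)$ at squared distance $13/25$, while the true closest vector $(0, 0)$ is at $8/25$; on the orthogonal basis of the same lattice rounding is exact. This is why the hard-problem definitions say "given an *arbitrary* basis": the lattice is the same, the difficulty is in the basis.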

### BDD

> Given an arbitrary basis $B$, a vector $w \in \mathbb{R}^n$ and a real number $d \in \mathbb{R}$, find a lattice vector $v \in \mathcal{L}$ s.t. $\|w-v\| < d \cdot \lambda_1(\mathcal{L})$ 

## Bounds

### Minkowski

- https://en.wikipedia.org/wiki/Minkowski%27s_theorem

**Minkowski theorem**:  
- Let $\mathcal{L} \subset \mathbb{R}^n, \dim \mathcal{L} = n$;
- Let $C \subset \mathbb{R}^n$ be a bounded convex set, symmetric about the origin ($C = -C$), whose volume satisfies $\text{Vol}(C) > 2^n\det(\mathcal{L})$  
- Then $C$ contains a nonzero lattice vector

*Intuition*
- https://www.youtube.com/watch?v=tZx7K0Or70Y&list=PLgKuh-lKre12CuCYPwpfH77-K6U_3JweQ - watch 12 mins for intuition
- https://youtu.be/21IzHN9-CjE?t=1891 - Or 5 mins from here

**Corollary**
- $\lambda_1(\mathcal{L}) \leq \left(\prod_{i=1}^{n}\lambda_i(\mathcal{L})\right)^{\frac 1 n} \leq \sqrt{n} \cdot \det(\mathcal{L})^{\frac 1 n}$

![image.png](attachment:image.png)
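An added example (not part of the notebook; plain Python, no Sage) of the theorem and of how the corollary's $\sqrt{n}\det(\mathcal{L})^{1/n}$ bound follows from it, on a constructed 2-D basis with $\det(\mathcal{L}) = 11$. The convex symmetric body is the box $C = [-h, h]^n$, whose volume $(2h)^n$ exceeds $2^n \det(\mathcal{L})$ exactly when $h^n > \det(\mathcal{L})$; taking $h$ just above $\det(\mathcal{L})^{1/n}$ produces a nonzero lattice point with $\|p\|_\infty \le h$ and hence $\|p\|_2 \le \sqrt{n}\,h$. The function names and the search radius `r` are this example's own.

```python
from fractions import Fraction
import itertools

# Constructed 2-D example (not from the notebook); rows of B are the basis vectors.
B = [[3, 1], [1, 4]]
N = 2                    # dimension n


def det2(B):
    """det(L) = |det(B)| for a 2x2 basis; 11 for the example."""
    (a, b), (c, d) = B
    return abs(a * d - b * c)


def lattice_points(B, r):
    """All combinations a*B[0] + b*B[1] with |a|, |b| <= r (r must be large enough to cover the box)."""
    return [tuple(a * B[0][j] + b * B[1][j] for j in range(N))
            for a, b in itertools.product(range(-r, r + 1), repeat=2)]


def hypothesis_holds(B, half_side):
    """C = [-h, h]^n is convex and symmetric about 0 with vol(C) = (2h)^n.
    Minkowski needs vol(C) > 2^n det(L), i.e. h^n > det(L)."""
    return Fraction(half_side) ** N > det2(B)


def nonzero_point_in_box(B, half_side, r=5):
    """Search the box for nonzero lattice points and return the shortest one, or None.
    Minkowski guarantees a point when hypothesis_holds; the converse is not claimed."""
    h = Fraction(half_side)
    inside = [p for p in lattice_points(B, r)
              if p != (0,) * N and all(abs(c) <= h for c in p)]
    return min(inside, key=lambda p: sum(c * c for c in p)) if inside else None


def corollary_holds(B, half_side, r=5):
    """With h just above det(L)^{1/n}, the box point p has ||p||_inf <= h, hence
    ||p||_2^2 <= n * h^2: the corollary lambda_1 <= sqrt(n) det(L)^{1/n}, up to the slack in h."""
    p = nonzero_point_in_box(B, half_side, r)
    return p is not None and sum(c * c for c in p) <= N * Fraction(half_side) ** 2


if __name__ == "__main__":
    # sqrt(11) is about 3.3166, so h = 3.32 just satisfies h^2 > 11
    print(det2(B), hypothesis_holds(B, 2), hypothesis_holds(B, "3.32"))   # 11 False True
    print(nonzero_point_in_box(B, 2), nonzero_point_in_box(B, "3.32"))   # None (-3, -1)
    print(corollary_holds(B, "3.32"))                                    # True
```

The point found, $(-3, -1)$ (or its negative), has $\|p\|_2^2 = 10 \le 2 \cdot 3.32^2$, consistent with the corollary; the strict inequality in the theorem is why a small slack above $\det(\mathcal{L})^{1/n}$ is used here rather than the exact value, which needs the compact-body version of the theorem.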

# Resources

- https://eprint.iacr.org/2015/938.pdf
- https://web.eecs.umich.edu/~cpeikert/pubs/lattice-survey.pdf
- https://www.math.auckland.ac.nz/~sgal018/crypto-book/crypto-book.html - lattice part 
- https://buildmedia.readthedocs.org/media/pdf/fpylll/latest/fpylll.pdf
- https://www.esat.kuleuven.be/cosic/blog/introduction-to-lattices/
- https://simons.berkeley.edu/sites/default/files/docs/14953/intro.pdf
