Lattice Salad
S. Safra, I. Dinur, G. Kindler
Lattice Problems
Definition: Given a basis v1,..,vn ∈ R^n,
the lattice L = L(v1,..,vk) = { Σ a_i v_i | integers a_i }.
SVP: Find the shortest non-zero vector in L.
CVP: Given a vector y ∈ R^n, find a v ∈ L closest to y.
[Figure: a 2-dimensional lattice with its shortest vector marked and, for a target y, the closest lattice point; the same lattice drawn with another basis, captioned "What's the nearest lattice point?"]
Lattice Approximation Problems
g-Approximation version: Find a non-zero vector y ∈ L s.t. ||y|| < g · shortest(L)
g-Gap version: Given L and a number d, distinguish between
– The ‘yes’ instances (shortest(L) ≤ d)
– The ‘no’ instances (shortest(L) > gd)
If the g-Gap problem is NP-hard, then having a g-approximation polynomial algorithm --> P=NP.
Lattice Problems - Brief History
[Dirichlet, Minkowski] no CVP algorithms…
[LLL] Approximation algorithm for SVP, factor 2^{n/2}
[Babai] Extension to CVP
[Schnorr] Improved factor, (1+ε)^n for both CVP and SVP
[vEB]: CVP is NP-hard
[ABSS]: Approximating CVP is
– NP-hard to within any constant
– Almost NP-hard to within an almost polynomial factor.
Lattice Problems - Recent History
[Ajtai96]: average-case/worst-case equivalence for SVP.
[Ajtai-Dwork96]: Cryptosystem.
[Ajtai97]: SVP is NP-hard (for randomized reductions).
[Micc98]: SVP is NP-hard to approximate to within some constant factor.
[DKRS]: NP-hard to within an almost polynomial factor.
[LLS]: Approximating CVP to within n^1.5 is in coNP.
[GG]: Approximating SVP and CVP to within √n is in coAM ∩ NP.
CVP/SVP - which is easier?
Reducing g-SVP to g-CVP [GMSS99]
[Figure: the lattice L spanned by b1, b2; its shortest vector is b2 - 2b1]
Reducing g-SVP to g-CVP [GMSS98]
The shortest vector in L = Σ c_i b_i.
Note: at least one coefficient c_i of the shortest vector must be odd.
The lattice L’ ⊂ L, L’ = span(b1, 2b2). CVP oracle: approximately minimize ||c1 b1 + 2 c2 b2 - b2||.
The lattice L’’ ⊂ L, L’’ = span(2b1, b2).
The Reduction
Input: A pair (B,d), B = (b1,..,bn) and d ∈ R
for j = 1 to n: invoke the CVP oracle on (B(j), bj, d)
where B(j) = (b1,..,bj-1, 2bj, bj+1,..,bn)
Output: The OR of all oracle replies.
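The reduction above, written out as an added example (not code from the slides or from [GMSS]). It assumes a toy CVP oracle that answers exactly by enumerating coefficient vectors up to a bound, and it works with squared distances so that every quantity stays an integer; both the search version (minimum over j of dist(L(B(j)), b_j)) and the slide's gap version (OR of the oracle replies) are included. The function names, the enumeration bound and the sample bases are all constructed for this example.

```python
from itertools import product
from typing import Callable, List, Sequence, Tuple

Vector = Tuple[int, ...]
Basis = List[Vector]


def combine(basis: Basis, coeffs: Sequence[int]) -> Vector:
    """Return the lattice vector sum_i coeffs[i] * basis[i] (exact integers)."""
    dim = len(basis[0])
    return tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(dim))


def sq_dist(u: Vector, v: Vector) -> int:
    """Squared Euclidean distance; squared so that everything stays an integer."""
    return sum((a - b) ** 2 for a, b in zip(u, v))


def cvp_exact(basis: Basis, target: Vector, bound: int) -> int:
    """Toy stand-in for the CVP oracle: the exact squared distance from target
    to L(basis), found by enumerating every coefficient vector with |c_i| <= bound.
    Exponential in the rank, so only for the tiny instances used here."""
    rng = range(-bound, bound + 1)
    return min(sq_dist(combine(basis, c), target)
               for c in product(rng, repeat=len(basis)))


def svp_bruteforce(basis: Basis, bound: int) -> int:
    """Reference answer: squared length of the shortest non-zero vector in L(basis)."""
    rng = range(-bound, bound + 1)
    origin = tuple([0] * len(basis[0]))
    return min(sq_dist(combine(basis, c), origin)
               for c in product(rng, repeat=len(basis)) if any(c))


def doubled_basis(basis: Basis, j: int) -> Basis:
    """B(j) = (b1,..,b_{j-1}, 2*b_j, b_{j+1},..,b_n): the sublattice of L
    consisting of the vectors whose j-th coefficient is even."""
    return [tuple(2 * x for x in b) if i == j else b for i, b in enumerate(basis)]


def svp_via_cvp(basis: Basis, bound: int) -> int:
    """Search version of the slide's reduction.  dist(L(B(j)), b_j) is the
    length of the shortest lattice vector with an odd j-th coefficient, and
    the shortest vector of L has at least one odd coefficient, so the minimum
    over j is exactly the SVP answer."""
    return min(cvp_exact(doubled_basis(basis, j), basis[j], bound)
               for j in range(len(basis)))


def gap_svp_via_cvp(basis: Basis, d_sq: int,
                    cvp_gap_oracle: Callable[[Basis, Vector, int], bool]) -> bool:
    """Gap version exactly as on the slide: OR of the oracle's replies on
    (B(j), b_j, d).  The oracle answers True when dist(L(B), target)^2 <= d_sq
    (squared distances so that the threshold can be an integer)."""
    return any(cvp_gap_oracle(doubled_basis(basis, j), basis[j], d_sq)
               for j in range(len(basis)))


if __name__ == "__main__":
    # Constructed instance mirroring the slide's picture: b1=(1,0), b2=(2,1),
    # whose shortest vector is b2 - 2*b1 = (0,1).
    B = [(1, 0), (2, 1)]
    print("via CVP:", svp_via_cvp(B, 4), "brute force:", svp_bruteforce(B, 4))
```

With a g-approximate oracle in place of cvp_exact the same loop returns a g-approximation of the shortest vector, which is the point of the reduction: the odd-coefficient argument does not depend on the oracle being exact.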
The Dual Lattice
L* = { y | ∀x ∈ L: y·x ∈ Z }
Given a basis {v1,..,vn} for L one can construct, in poly-time, a basis {u1,…,un} for L* with
ui·vj = 0 (i ≠ j), ui·vi = 1.
In other words U = (V^t)^{-1} where U = (u1,…,un), V = (v1,..,vn).
Shortest Vector - Hidden Hyperplane
H0 = { y | y·s = 0 }
H1 = { y | y·s = 1 }
…
Hk = { y | y·s = k }
[Figure: s – shortest vector, H – hidden hyperplane; the parallel hyperplanes H0, H1, …, Hk, consecutive ones at distance 1/||s||]
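An added example (not code from the slides) covering the two slides above: it computes the dual basis U = (V^t)^{-1} exactly with rationals, checks the condition u_i·v_j = δ_ij, and then shows the hyperplane structure: for any s ∈ L* every lattice point x has s·x ∈ Z, so x lies on one of the hyperplanes H_k, which are 1/||s|| apart. The last function measures how far s·y is from an integer for an arbitrary point y; this is the quantity the following "Decoding (using s)" slide works with, where a perturbed lattice point gives a small value. The sample basis, the Gauss-Jordan inverse and all function names are constructed for this example.

```python
from fractions import Fraction
from typing import List, Sequence

Matrix = List[List[Fraction]]


def transpose(m: Sequence[Sequence]) -> Matrix:
    return [[Fraction(x) for x in col] for col in zip(*m)]


def inverse(m: Sequence[Sequence]) -> Matrix:
    """Exact inverse by Gauss-Jordan elimination over the rationals."""
    n = len(m)
    aug = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("the vectors are linearly dependent: not a basis")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def dual_basis(v: Sequence[Sequence]) -> Matrix:
    """Rows of V are the basis vectors v_i of L.  The rows of U = (V^t)^-1 are
    the dual basis u_i: u_i . v_j = 1 if i == j else 0, which is exactly the
    condition on the slide, since U V^t = I."""
    return inverse(transpose(v))


def dot(a: Sequence, b: Sequence) -> Fraction:
    return sum((Fraction(x) * Fraction(y) for x, y in zip(a, b)), Fraction(0))


def is_dual_pair(u: Sequence[Sequence], v: Sequence[Sequence]) -> bool:
    n = len(v)
    return all(dot(u[i], v[j]) == (1 if i == j else 0)
               for i in range(n) for j in range(n))


def lattice_vector(basis: Sequence[Sequence], coeffs: Sequence[int]) -> List[Fraction]:
    """sum_i coeffs[i] * basis[i], i.e. a point of L."""
    return [sum((Fraction(c) * Fraction(b[k]) for c, b in zip(coeffs, basis)), Fraction(0))
            for k in range(len(basis[0]))]


def hyperplane_index(s: Sequence, x: Sequence) -> Fraction:
    """For s in L* and x in L the product s.x is an integer k, i.e. x lies on
    H_k = { y | y.s = k }.  For a general point y the value says between
    which two hyperplanes y falls."""
    return dot(s, x)


def spacing_squared(s: Sequence) -> Fraction:
    """Consecutive hyperplanes H_k, H_{k+1} are 1/||s|| apart; returned squared
    so that it stays an exact rational."""
    return 1 / dot(s, s)


def dist_to_nearest_integer(t: Fraction) -> Fraction:
    """How far y.s is from the nearest integer: 0 for a lattice point, small
    for a slightly perturbed lattice point, arbitrary for a random point."""
    return abs(t - round(t))
```

For the sample basis v1 = (2,1), v2 = (1,3) the dual vector u1 = (3/5, -1/5) maps the lattice point 3v1 - 2v2 to the hyperplane index 3, which is just its v1-coefficient; shifting the point by 1/10 in the first coordinate moves u1·y off the integer by 3/50.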
Public Key Cryptosystem
[Figure: s – shortest vector, H – hidden hyperplane]
Encoding 1: (1) Choose a random lattice point (2) Perturb it
Encoding 0: Choose a random point
Decoding (using s):
[Figure: decoding a 1 and decoding a 0, both using s]
Ajtai: SVP Instances Hard on Average
Approximating SVP (factor = n^c) on random instances from a specific constructible distribution is at least as hard as each of:
– Finding Unique-SVP
– Approximating SVP (factor = n^{10+c})
– Approximating Shortest Basis (factor = n^{10+c})
Average-Case Distribution
Pick an n×m matrix A with coefficients uniformly ranging over [0,…,q-1] (q = poly(n), n = O(m log q)).
A = (v1 v2 … vm)
Def: Λ(A) = { x ∈ Z^n | xA ≡ 0 mod q }
[Figure: a mod-q lattice Λ(v1 v2 v3 v4), axis marks 1 and q; example lattice points (2,0,0,1), i.e. 2v1+v4 ≡ 0, (1,1,1,0), and q·(a,b,c,d)]
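An added example (not code from the slides or from Ajtai's paper) of the distribution and the lattice Λ(A): it samples A with uniform entries mod q, tests membership in Λ(A) using the figure's convention that the coefficient x_i multiplies the column v_i (so (2,0,0,1) stands for 2v1+v4), shows that the vectors q·e_i are always in the lattice, and finds the shortest lattice vector by brute force on a toy instance. The sample columns in Z_5^2, the seed and the function names are constructed for this example; the enumeration is only usable at toy sizes.

```python
import random
from itertools import product
from typing import List, Optional, Sequence, Tuple

Columns = List[List[int]]   # A given by its m columns v_1..v_m, each a vector in Z_q^n


def sample_instance(n: int, m: int, q: int, seed: int) -> Columns:
    """Ajtai's average-case distribution: every entry of the n x m matrix A is
    uniform over 0..q-1.  The seed only makes a run reproducible."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]


def in_lattice(columns: Columns, x: Sequence[int], q: int) -> bool:
    """Membership in Lambda(A): x belongs iff sum_i x_i * v_i == 0 (mod q),
    coefficient x_i multiplying column v_i as in the figure (2v1+v4 <-> (2,0,0,1))."""
    n = len(columns[0])
    return all(sum(xi * v[k] for xi, v in zip(x, columns)) % q == 0 for k in range(n))


def trivial_vectors(m: int, q: int) -> List[List[int]]:
    """q*e_i is always in Lambda(A) because q*v_i == 0 (mod q); these are the
    q(a,b,c,d)-type points of the figure and have length q."""
    return [[q if i == j else 0 for j in range(m)] for i in range(m)]


def shortest_vector_bruteforce(columns: Columns, q: int,
                               bound: int) -> Optional[Tuple[int, List[int]]]:
    """Squared length of the shortest non-zero x in Lambda(A) with all |x_i| <= bound,
    together with one such x.  Plain enumeration: fine for m <= 8 or so and
    hopeless at the sizes where Ajtai's theorem applies."""
    best = None
    for x in product(range(-bound, bound + 1), repeat=len(columns)):
        if any(x) and in_lattice(columns, x, q):
            sq_norm = sum(c * c for c in x)
            if best is None or sq_norm < best[0]:
                best = (sq_norm, list(x))
    return best


if __name__ == "__main__":
    # Constructed columns in Z_5^2 chosen so that, as in the figure,
    # 2*v1 + v4 == 0 and v1 + v2 + v3 == 0 (mod 5).
    cols = [[1, 2], [2, 2], [2, 1], [3, 1]]
    print(in_lattice(cols, [2, 0, 0, 1], 5), shortest_vector_bruteforce(cols, 5, 2))
```

On the toy instance the trivial vectors have length q = 5 while (1,1,1,0) has squared length 3; Ajtai's theorem is about finding such short vectors when n, m and q are large enough that enumeration is out of the question.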
Hardness of approx. CVP [DKRS]
g-CVP is NP-hard for g = n^{1/loglog n} (n - lattice dimension)
Improving:
– Hardness (NP-hardness instead of quasi-NP-hardness)
– Non-approximation factor (from 2^{(log n)^{1-ε}})
[ABSS] reduction: uses PCP to show
– NP-hard for g = O(1)
– Quasi-NP-hard for g = 2^{(log n)^{1-ε}} by repeated blow-up.
Barrier - 2^{(log n)^{1-ε}}, const ε > 0
SSAT: a new non-PCP characterization of NP. NP-hard to approximate to within g = n^{1/loglog n}.
SAT
Input: f1,..,fn Boolean functions (‘tests’) over variables x1,..,xn’ with range {0,1}
Problem: Is the set of tests satisfiable?
Thm (Cook-Levin): SAT is NP-complete (even when depend = 3, i.e. each test depends on 3 variables)
SAT as a consistency problem
Input: f1,..,fn Boolean functions - ‘tests’; x1,..,xn’ variables with range R; for each test: a list of satisfying assignments
Problem: Is there an assignment to the tests that is consistent?
[Figure: three tests g(w,x,z), h(y,w,x), f(x,y,z), each with a list of satisfying assignments: (1,0,7)(1,3,1)(3,2,2); (0,2,7)(2,3,7)(3,1,1); (0,1,0)(2,1,0)(2,1,5)]
Super-Assignments
A natural assignment for f(x,y,z), whose satisfying assignments are (1,1,2) (3,1,1) (3,2,5) (3,3,1) (5,1,2): A(f) = (3,1,1)
f(x,y,z)’s super-assignment: SA(f) = -2(3,1,1) + 2(3,2,5) + 3(5,1,2)
||SA(f)|| = |-2|+|2|+|3| = 7
Norm of SA = Average over f of ||SA(f)||
[Figure: bar charts of the coefficients over the five satisfying assignments; the natural assignment has a single bar of height 1 at (3,1,1), the super-assignment has bars -2, 2, 3 at (3,1,1), (3,2,5), (5,1,2)]
Consistency
In the SAT case: A(f) = (3,2,5), A(f)|x := (3)
∀x ∀f,g that depend on x: A(f)|x = A(g)|x
For super-assignments: SA(f) = +3(1,1,2) -2(3,2,5) +2(3,3,1)
SA(f)|x := +3(1) + 0(3), since the coefficients of (3,2,5) and (3,3,1), which both have x = 3, cancel: -2+2 = 0
Consistency: ∀x ∀f,g that depend on x: SA(f)|x = SA(g)|x
[Figure: bar chart of SA(f) over (1,1,2), (3,2,5), (3,3,1) and of its projection SA(f)|x over x = (1), (2), (3)]
g-SSAT - Definition
Input: f1,..,fn tests over variables x1,..,xn’ with range R; for each test fi - a list of sat. assign.
Problem: Distinguish between
[Yes] There is a natural assignment for the tests
[No] Any non-trivial consistent super-assignment is of norm > g
Theorem: SSAT is NP-hard for g = n^{1/loglog n}.
(conjecture: g = n^ε, ε = some constant)
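An added example (not code from the slides) that makes the three preceding slides concrete: the norm of a super-assignment, the projection SA(f)|x with cancelling coefficients, the consistency condition over all pairs of tests sharing a variable, and the two end-points of the g-SSAT definition (a natural assignment, norm 1 per test, versus the trivial all-zero super-assignment, which the [No] case excludes). Super-assignments are represented as dictionaries from satisfying assignments to integer coefficients; the test g(w,x,z) paired with the slides' f(x,y,z), its satisfying assignments and the function names are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, Tuple

Assignment = Tuple[int, ...]
SuperAssignment = Dict[Assignment, int]          # satisfying assignment -> integer coefficient
Tests = Dict[str, Tuple[str, ...]]               # test name -> the variables it depends on


def norm(sa: SuperAssignment) -> int:
    """||SA(f)|| = sum of the absolute values of the coefficients."""
    return sum(abs(c) for c in sa.values())


def average_norm(sas: Dict[str, SuperAssignment]) -> float:
    """Norm of a whole super-assignment: the average of ||SA(f)|| over the tests."""
    return sum(norm(sa) for sa in sas.values()) / len(sas)


def project(sa: SuperAssignment, position: int) -> Dict[int, int]:
    """SA(f)|x: add up the coefficients of all assignments that give the
    variable in `position` the same value; coefficients that cancel vanish."""
    out: Dict[int, int] = defaultdict(int)
    for assignment, coef in sa.items():
        out[assignment[position]] += coef
    return {value: c for value, c in out.items() if c != 0}


def is_consistent(tests: Tests, sas: Dict[str, SuperAssignment]) -> bool:
    """The slide's condition: for every variable x and all tests f, g that
    depend on x, SA(f)|x == SA(g)|x."""
    variables = {v for vs in tests.values() for v in vs}
    for x in variables:
        views = [project(sas[f], vs.index(x)) for f, vs in tests.items() if x in vs]
        if any(view != views[0] for view in views[1:]):
            return False
    return True


def is_natural(sas: Dict[str, SuperAssignment]) -> bool:
    """A natural assignment picks exactly one satisfying assignment per test
    with coefficient +1, so every ||SA(f)|| is 1."""
    return all(len(sa) == 1 and next(iter(sa.values())) == 1 for sa in sas.values())


def is_trivial(sas: Dict[str, SuperAssignment]) -> bool:
    """The all-zero super-assignment, excluded in the [No] case of g-SSAT."""
    return all(norm(sa) == 0 for sa in sas.values())


if __name__ == "__main__":
    # Constructed instance: f(x,y,z) from the slides and a test g(w,x,z) that
    # shares x and z with it; the coefficients of g are chosen so that the
    # projections on x and on z agree with those of f.
    tests = {"f": ("x", "y", "z"), "g": ("w", "x", "z")}
    sas = {"f": {(1, 1, 2): 3, (3, 2, 5): -2, (3, 3, 1): 2},
           "g": {(0, 1, 2): 3, (0, 1, 5): -2, (0, 1, 1): 2}}
    print(project(sas["f"], 0), is_consistent(tests, sas), average_norm(sas))
```

The projection of the slides' SA(f) on x is {1: 3}: the -2 and +2 on the two assignments with x = 3 cancel exactly as the slide says, and a consistent partner g must project to the same {1: 3} on x and to {2: 3, 5: -2, 1: 2} on z.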
SSAT is NP-hard to approximate to within g = n^{1/loglog n}
Reducing SSAT to CVP
[Figure: tests f(w,x) with satisfying assignment (1,2) and f’(z,x) with satisfying assignment (3,2); the CVP instance has a block for f, a block for f’ and a block for the shared variable x, built from an identity block I and rows of entries w and 0 (e.g. ww0w, 00w0); columns labelled *, 1, 2, 3]
Yes --> Yes: dist(L, target) = n
No --> No: dist(L, target) > gn
Choose w = gn + 1
A consistency gadget
[Figure: two views of the consistency gadget; columns labelled *, 1, 2, 3; rows of entries w and 0 (wwww, ww0w, w0ww, 000w, 0w00, www0, 00w0); beside the rows, over the variables a1 a2 a3 b1 b2 b3, the equations a1 + a2 + a3 = 1, a1 + a2 + b3 = 1, a1 + a3 + b2 = 1, a2 + a3 + b1 = 1]
[GG]: Approximating SVP and CVP to within √n is in NP ∩ coAM.
Hence if these problems are shown NP-hard, the polynomial-time hierarchy collapses.
The World According to Lattices
[Figure: approximation factors for SVP and CVP on one scale (1, 1+1/n, 2, O(1), n^{1/loglog n}, …), with the NP-hardness region (Ajtai-Micciancio, DKRS), the NP ∩ co-AM region (GG) and the poly-time approximation region (LLL)]
Open Problems
[Figure: the same chart of approximation factors for SVP and CVP, with the open questions placed on it]
Is SVP NP-hard to approximate to within an n^ε factor?
Can the LLL algorithm be improved?
Maybe for factors between … and … these problems are in a class of their own.