1 / 38

Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate . Daniele Micciancio. Speaker: Asaf Weiss. Definitions. A Lattice in : All integer combinations of given linearly independent vectors: The vectors are called the Lattice Basis . The integer n is called the Lattice Rank .

garin
Download Presentation

Shortest Vector In A Lattice is NP-Hard to approximate

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss

  2. Definitions • A Lattice in : All integer combinations of given linearly independent vectors: • The vectors are called the Lattice Basis. • The integer n is called the Lattice Rank. • We will only discuss integer lattices, where all .

  3. Matrix Representation of a Lattice • We can put the lattice basis in a matrix: • This way the lattice points are exactly: • The Lattice generated by B is denoted .

  4. Examples • This is the lattice generated by the set :

  5. Examples – Cont. • The very same lattice is generated by the set :

  6. More definitions • The minimum distance of a lattice is: • Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length. • Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.

  7. Reduction from SVP to CVP In order to find where : • Define and solve the CVP problem , to get a vector . • Remember . • Repeat 1-2 for . • Find the shortest among .

  8. Why is CVP so hard? Consider the following algorithm for CVP: • Given , solve the set of linear real equations to find a solution . • Round the result to get the answer: • The rounding error = • This bound is very dependent of B.

  9. Why is CVP so hard – Cont. • For instance, the two bases and generate the same lattice. • However, the expression is 1.4 forthe first base, and about 199 for the other.

  10. Why is SVP well-defined? • Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal? • This isn’t necessarily true for general geometric shapes, e.g.

  11. Why is SVP well-defined – Cont. • One can find a lower bound on : • Proposition:every lattice basis B obeys . • Integer lattices: . • Real lattices: one can prove that , where B* is the corresponding G.S Orthogonalization of B.

  12. Why is SVP well-defined – Cont. • The proposition implies that the distance between two lattice points has a lower bound. • Therefore, the number of lattice points in the sphere is finite.

  13. Yet more definitions • - distinguish between (YES) and (NO) . • - distinguish between and . • is easier than approximating SVP with a ratio of : if , then can be solved by checking whether or .

  14. Definitions – Cont. • We define a new problem, , as follows: • is a YES instance if for some . • is a NO instance if for all .

  15. Types of reductions • Deterministic reductions map NO instances to NO instances and YES instances to YES instances. • Randomized reductions: • Map NO instances to NO instances with probability 1. • Map YES instances to YES instances with non-negligible probability. • Cannot be used to show proper NP-hardness.

  16. History • 1981– CVP is NP-hard. • 1997– GAPCVP and GAPCVP’ are NP-hard for any constant factor . • 1998 – SVP is NP-hard for randomized reductions [Ajtai]. • 2004 – SVP is NP-hard to approximate with ratio for randomized reductions [Khot]

  17. Hardness of approximating SVP • Idea: Solving CVP’(B,y) is similar to solving : both minimize , where w is an integer. • Problem: what if w=0? • Solution: we embed the lattice in a higher dimensional space.

  18. The Geometric Lemma Lemma: for any , there exists a polynomial time algorithm that given outputs: • two positive integers • a lattice basis • a vector • a linear transformation Such that: • With probability at least 1-1/poly(k), for allthere exists s.t. and .

  19. The Geometric Lemma – Cont. • The lemma doesn’t depend on input! • It asserts the existence of a lattice and a sphere, such that: • is bigger than times the sphere radius. • With high probability the sphere contains exponentially many lattice vectors. • Proof: Later.

  20. Theorem 1 • For any constant , is hard for NP under randomized reductions. • Proof: By reduction from GAPCVP’. • First, choose and . • Assume w.l.o.g that and are rational.

  21. Proof of Theorem 1 – Cont. • Let be an instance of ( ). • We define an instance of , s.t: • If is a NO instance then is a NO instance. • If is a YES instance then is a YES instance with high probability.

  22. Proof of Theorem 1 – Cont. Run the algorithm from the Geometric Lemma (on input k) to obtain s.t: • . • With probability at least 1-1/poly(k), for all there exists s.t. and .

  23. Proof of Theorem 1 – Cont. • Definition of : • Choose integers a,b s.t and .

  24. Proof of Theorem 1 – Cont. • Fact: for every vector : • And therefore:

  25. Proof of Theorem 1 – Cont. • If is a NO instance: Let be a generic non-zero vector.We show that . • If then by definition of GAPCVP’: • If then and by the lemma:

  26. Proof of Theorem 1 – End • If is a YES instance: There exists . • Provided the construction in the lemma succeeds: . • We define and get .

  27. Proof of The Geometric Lemma • The real lattice: • Lemma 1: Let be relatively prime odd integers. Then, for any real , the real lattice defined by: obeys .

  28. The real lattice – Cont. • Lemma 2: • Set . • For any and , if then . • A connection between finding lattice vectors close to s and approximating b as a product of the .

  29. The real lattice – Cont. • If we take , we get: • Also, there are many lattice points in , provided that the interval contains many products of the form . • If are the first odd primes, these are the square-free - smooth numbers.

  30. The real lattice – Cont. • Lemma 3: For every positive numbers and any finite integer set , the following holds: If b is chosen uniformly at random from M, then: • Applying this to the set of square-free smooth numbers gets the following proposition:

  31. The real lattice – Cont. • Proposition 4: For all reals , there exists an integer c such that for all sufficiently large integer h the following holds:Let , be the first m odd primes, and . If b is chosen uniformly at random from M, then:

  32. The real lattice – Cont. • Combining the previous lemmas and proposition we get the following theorem: Theorem 5: for all , there exists an integer c such that: Let , , and be the first m odd primes. Let b be the product of a random subset of of size h. Set as before, and . Then: • For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones.

  33. Working over the integers • Using rounding of and , a similar result can be achieved for integers: Theorem 8: for any , there exists a polynomial time algorithm that given an integer h outputs: • two positive integers • a matrix • a vector Such that: • For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones.

  34. Reminder: The Geometric Lemma Lemma: for any , there exists a polynomial time algorithm that given outputs: • two positive integers • a lattice basis • a vector • a linear transformation Such that: • With probability at least 1-1/poly(k), for allthere exists s.t. and .

  35. Projecting lattice points to binary strings • Theorem 9: Let be a set of vectors containing exactly h ones, s.t. .Choose by setting each entry to 1 independently at random with probability . Then, with probability at least , all binary vectors are contained in . • Using this theorem with appropriate constants completes the proof of the Geometric Lemma.

  36. Concluding Remarks • We proved that approximating SVP is not in RP unless NP=RP. • The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers. • With this assumption, we get that approximating SVP is not in P unless P=NP.

  37. Concluding Remarks – Cont. • The theorem can be generalized for any norm ( ), with constant . • 2000 – is NP-hard to approximate with ratio [Dinur]

  38. Questions???

More Related