390 likes | 593 Vues
Shortest Vector In A Lattice is NP-Hard to approximate . Daniele Micciancio. Speaker: Asaf Weiss. Definitions. A Lattice in : All integer combinations of given linearly independent vectors: The vectors are called the Lattice Basis . The integer n is called the Lattice Rank .
 
                
                E N D
Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss
Definitions • A Lattice in : All integer combinations of given linearly independent vectors: • The vectors are called the Lattice Basis. • The integer n is called the Lattice Rank. • We will only discuss integer lattices, where all .
Matrix Representation of a Lattice • We can put the lattice basis in a matrix: • This way the lattice points are exactly: • The Lattice generated by B is denoted .
Examples • This is the lattice generated by the set :
Examples – Cont. • The very same lattice is generated by the set :
More definitions • The minimum distance of a lattice is: • Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length. • Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.
Reduction from SVP to CVP In order to find where : • Define and solve the CVP problem , to get a vector . • Remember . • Repeat 1-2 for . • Find the shortest among .
Why is CVP so hard? Consider the following algorithm for CVP: • Given , solve the set of linear real equations to find a solution . • Round the result to get the answer: • The rounding error = • This bound is very dependent of B.
Why is CVP so hard – Cont. • For instance, the two bases and generate the same lattice. • However, the expression is 1.4 forthe first base, and about 199 for the other.
Why is SVP well-defined? • Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal? • This isn’t necessarily true for general geometric shapes, e.g.
Why is SVP well-defined – Cont. • One can find a lower bound on : • Proposition:every lattice basis B obeys . • Integer lattices: . • Real lattices: one can prove that , where B* is the corresponding G.S Orthogonalization of B.
Why is SVP well-defined – Cont. • The proposition implies that the distance between two lattice points has a lower bound. • Therefore, the number of lattice points in the sphere is finite.
Yet more definitions • - distinguish between (YES) and (NO) . • - distinguish between and . • is easier than approximating SVP with a ratio of : if , then can be solved by checking whether or .
Definitions – Cont. • We define a new problem, , as follows: • is a YES instance if for some . • is a NO instance if for all .
Types of reductions • Deterministic reductions map NO instances to NO instances and YES instances to YES instances. • Randomized reductions: • Map NO instances to NO instances with probability 1. • Map YES instances to YES instances with non-negligible probability. • Cannot be used to show proper NP-hardness.
History • 1981– CVP is NP-hard. • 1997– GAPCVP and GAPCVP’ are NP-hard for any constant factor . • 1998 – SVP is NP-hard for randomized reductions [Ajtai]. • 2004 – SVP is NP-hard to approximate with ratio for randomized reductions [Khot]
Hardness of approximating SVP • Idea: Solving CVP’(B,y) is similar to solving : both minimize , where w is an integer. • Problem: what if w=0? • Solution: we embed the lattice in a higher dimensional space.
The Geometric Lemma Lemma: for any , there exists a polynomial time algorithm that given outputs: • two positive integers • a lattice basis • a vector • a linear transformation Such that: • With probability at least 1-1/poly(k), for allthere exists s.t. and .
The Geometric Lemma – Cont. • The lemma doesn’t depend on input! • It asserts the existence of a lattice and a sphere, such that: • is bigger than times the sphere radius. • With high probability the sphere contains exponentially many lattice vectors. • Proof: Later.
Theorem 1 • For any constant , is hard for NP under randomized reductions. • Proof: By reduction from GAPCVP’. • First, choose and . • Assume w.l.o.g that and are rational.
Proof of Theorem 1 – Cont. • Let be an instance of ( ). • We define an instance of , s.t: • If is a NO instance then is a NO instance. • If is a YES instance then is a YES instance with high probability.
Proof of Theorem 1 – Cont. Run the algorithm from the Geometric Lemma (on input k) to obtain s.t: • . • With probability at least 1-1/poly(k), for all there exists s.t. and .
Proof of Theorem 1 – Cont. • Definition of : • Choose integers a,b s.t and .
Proof of Theorem 1 – Cont. • Fact: for every vector : • And therefore:
Proof of Theorem 1 – Cont. • If is a NO instance: Let be a generic non-zero vector.We show that . • If then by definition of GAPCVP’: • If then and by the lemma:
Proof of Theorem 1 – End • If is a YES instance: There exists . • Provided the construction in the lemma succeeds: . • We define and get .
Proof of The Geometric Lemma • The real lattice: • Lemma 1: Let be relatively prime odd integers. Then, for any real , the real lattice defined by: obeys .
The real lattice – Cont. • Lemma 2: • Set . • For any and , if then . • A connection between finding lattice vectors close to s and approximating b as a product of the .
The real lattice – Cont. • If we take , we get: • Also, there are many lattice points in , provided that the interval contains many products of the form . • If are the first odd primes, these are the square-free - smooth numbers.
The real lattice – Cont. • Lemma 3: For every positive numbers and any finite integer set , the following holds: If b is chosen uniformly at random from M, then: • Applying this to the set of square-free smooth numbers gets the following proposition:
The real lattice – Cont. • Proposition 4: For all reals , there exists an integer c such that for all sufficiently large integer h the following holds:Let , be the first m odd primes, and . If b is chosen uniformly at random from M, then:
The real lattice – Cont. • Combining the previous lemmas and proposition we get the following theorem: Theorem 5: for all , there exists an integer c such that: Let , , and be the first m odd primes. Let b be the product of a random subset of of size h. Set as before, and . Then: • For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones.
Working over the integers • Using rounding of and , a similar result can be achieved for integers: Theorem 8: for any , there exists a polynomial time algorithm that given an integer h outputs: • two positive integers • a matrix • a vector Such that: • For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones.
Reminder: The Geometric Lemma Lemma: for any , there exists a polynomial time algorithm that given outputs: • two positive integers • a lattice basis • a vector • a linear transformation Such that: • With probability at least 1-1/poly(k), for allthere exists s.t. and .
Projecting lattice points to binary strings • Theorem 9: Let be a set of vectors containing exactly h ones, s.t. .Choose by setting each entry to 1 independently at random with probability . Then, with probability at least , all binary vectors are contained in . • Using this theorem with appropriate constants completes the proof of the Geometric Lemma.
Concluding Remarks • We proved that approximating SVP is not in RP unless NP=RP. • The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers. • With this assumption, we get that approximating SVP is not in P unless P=NP.
Concluding Remarks – Cont. • The theorem can be generalized for any norm ( ), with constant . • 2000 – is NP-hard to approximate with ratio [Dinur]