Lattice Salad

Presentation Transcript


  1. Lattice Salad. S. Safra, I. Dinur, G. Kindler

  2. Lattice Problems
     • Definition: Given a basis $v_1,\dots,v_n \in \mathbb{R}^n$, the lattice $L = L(v_1,\dots,v_k) = \{\sum a_i v_i \mid \text{integers } a_i\}$
     • SVP: Find the shortest non-zero vector in $L$.
     • CVP: Given a vector $y \in \mathbb{R}^n$, find a $v \in L$ closest to $y$.
     (Figure labels: y, shortest, closest)

  3. What’s the nearest lattice point? Another basis

  4. Lattice Approximation Problems
     • g-Approximation version: Find a vector $y$ s.t. $\|y\| < g \cdot \mathrm{shortest}(L)$
     • g-Gap version: Given $L$ and a number $d$, distinguish between
       • The ‘yes’ instances ($\mathrm{shortest}(L) \le d$)
       • The ‘no’ instances ($\mathrm{shortest}(L) > gd$)
     If the g-Gap problem is NP-hard, then having a polynomial g-approximation algorithm --> P=NP.
     (Figure label: shortest)

  5. Lattice Approximation Problems
     • g-Approximation version: Find a vector $y$ s.t. $\|y\| < g \cdot \mathrm{shortest}(L)$
     • g-Gap version: Given $L$ and a number $d$, distinguish between
       • The ‘yes’ instances ($\mathrm{shortest}(L) \le d$)
       • The ‘no’ instances ($\mathrm{shortest}(L) > gd$)
     If the g-Gap problem is NP-hard, then having a polynomial g-approximation algorithm --> P=NP.
     (Figure label: shortest)

  6. Lattice Problems - Brief History
     • [Dirichlet, Minkowski] no CVP algorithms…
     • [LLL] Approximation algorithm for SVP, factor $2^{n/2}$
     • [Babai] Extension to CVP
     • [Schnorr] Improved factor, $(1+\varepsilon)^n$, for both CVP and SVP
     • [vEB]: CVP is NP-hard
     • [ABSS]: Approximating CVP is
       • NP-hard to within any constant
       • Almost NP-hard to within an almost polynomial factor.

  7. Lattice Problems - Recent History
     • [Ajtai96]: average-case/worst-case equiv. for SVP.
     • [Ajtai-Dwork96]: Cryptosystem.
     • [Ajtai97]: SVP is NP-hard (for randomized reductions).
     • [Micc98]: SVP is NP-hard to approximate to within some constant factor.
     • [DKRS]: NP-hard to within an almost polynomial factor.
     • [LLS]: Approximating CVP to within $n^{1.5}$ is in coNP.
     • [GG]: Approximating SVP and CVP to within n is in coAM $\cap$ NP.

  8. CVP/SVP - which is easier?
     • Definition: Given a basis $v_1,\dots,v_n \in \mathbb{R}^n$, the lattice $L = L(v_1,\dots,v_k) = \{\sum a_i v_i \mid \text{integers } a_i\}$
     • SVP: Find the shortest non-zero vector in $L$.
     • CVP: Given a vector $y \in \mathbb{R}^n$, find a $v \in L$ closest to $y$.
     (Figure labels: y, shortest, closest)

  9. Reducing g-SVP to g-CVP [GMSS99]
     (Figure: the lattice $L$ with basis vectors $b_1$, $b_2$; shortest: $b_2 - 2b_1$)

  10. Reducing g-SVP to g-CVP [GMSS98]
     • Shortest vector in $L$ = $\sum c_i b_i$
     • $L' = \mathrm{span}(b_1, 2b_2)$, $L'' = \mathrm{span}(2b_1, b_2)$
     • CVP oracle: apx. minimize $\|c_1 b_1 + 2c_2 b_2 - b_2\|$
     • Note: at least one coef. $c_i$ of the shortest vector must be odd
     (Figure panels: the lattice $L$, the lattice $L'$, the lattice $L''$)

  11. The Reduction
     Input: A pair $(B,d)$, $B=(b_1,\dots,b_n)$ and $d \in \mathbb{R}$
     for j=1 to n: invoke the CVP oracle on $(B^{(j)}, b_j, d)$
     Output: The OR of all oracle replies.
     Where $B^{(j)} = (b_1,\dots,b_{j-1},2b_j,b_{j+1},\dots,b_n)$

  12. The Dual Lattice
     $L^* = \{ y \mid \forall x \in L: y \cdot x \in \mathbb{Z} \}$
     Given a basis $\{v_1,\dots,v_n\}$ for $L$ one can construct, in poly-time, a basis $\{u_1,\dots,u_n\}$: $u_i \cdot v_j = 0$ ($i \ne j$), $u_i \cdot v_i = 1$
     In other words $U = (V^t)^{-1}$, where $U = u_1,\dots,u_n$ and $V = v_1,\dots,v_n$

  13. Shortest Vector - Hidden Hyperplane
     s – shortest vector, H – hidden hyperplane
     $H_0 = \{y \mid y \cdot s = 0\}$, $H_1 = \{y \mid y \cdot s = 1\}$, $H_k = \{y \mid y \cdot s = k\}$
     distance = $1/\|s\|$
     (Figure label: -s)

  14. Public Key Cryptosystem
     s – shortest vector, H – hidden hyperplane
     • Encoding 0: (1) Choose a random lattice point (2) Perturb it
     • Encoding 1: Choose a random point

  15. Public Key Cryptosystem - Decoding (using s)
     (Figure panels: Decoding 0, Decoding 1; label: s)

  16. Ajtai: SVP Instances Hard on Average
     • Approximating SVP (factor = $n^c$) on random instances from a specific constructible distribution
     • Approximating Shortest Basis (factor = $n^{10+c}$)
     • Approximating SVP (factor = $n^{10+c}$)
     • Finding Unique-SVP

  17. Average-Case Distribution
     • Pick an n*m matrix A, with coefficients uniformly ranging over [0,…,q-1]. (q = poly(n), n = O(m log q))
     • A = $v_1\ v_2\ \dots\ v_m$
     Def: (A) = $\{x \in \mathbb{Z}^n \mid xA \equiv 0 \bmod q\}$

  18. A mod-q lattice
     (Figure: vectors $v_1, v_2, v_3, v_4$ and the combination $2v_1+v_4$; axis marks q, 1; labels: $(v_1\ v_2\ v_3\ v_4)$, (2,0,0,1), (1,1,1,0), q(a,b,c,d))

  19. Hardness of approx. CVP [DKRS]
     g-CVP is NP-hard for $g = n^{1/\log\log n}$ (n - lattice dimension)
     Improving
     • Hardness (NP-hardness instead of quasi-NP-hardness)
     • Non-approximation factor (from $2^{(\log n)^{1-\varepsilon}}$)

  20. [ABSS] reduction: uses PCP to show
     • NP-hard for g = O(1)
     • Quasi-NP-hard $g = 2^{(\log n)^{1-\varepsilon}}$ by repeated blow-up.
     • Barrier - $2^{(\log n)^{1-\varepsilon}}$, const $\varepsilon > 0$
     • SSAT: a new non-PCP characterization of NP. NP-hard to approximate to within $g = n^{1/\log\log n}$.

  21. SAT
     Input: =$f_1,\dots,f_n$ Boolean functions ‘tests’; $x_1,\dots,x_{n'}$ variables with range {0,1}
     Problem: Is  satisfiable?
     Thm (Cook-Levin): SAT is NP-complete (even when depend()=3)

  22. SAT as a consistency problem
     Input: =$f_1,\dots,f_n$ Boolean functions - ‘tests’; $x_1,\dots,x_{n'}$ variables with range R; for each test: a list of satisfying assignments
     Problem: Is there an assignment to the tests that is consistent?
     (Figure: lists of satisfying assignments under the tests f(x,y,z), g(w,x,z), h(y,w,x): (0,2,7) (2,3,7) (3,1,1) (1,0,7) (1,3,1) (3,2,2) (0,1,0) (2,1,0) (2,1,5))

  23. Super-Assignments
     • A natural assignment for f(x,y,z): A(f) = (3,1,1)
     • f(x,y,z)’s super-assignment: SA(f) = -2(3,1,1) + 2(3,2,5) + 3(5,1,2)
     • ||SA(f)|| = |-2| + |2| + |3| = 7
     • Norm SA - Average$_f$ ||A(f)||
     (Figures: bar charts over the assignments (1,1,2), (3,1,1), (3,2,5), (3,3,1), (5,1,2); coefficient axis from -2 to 3 for SA(f), 0 to 1 for A(f))

  24. Consistency
     In the SAT case: A(f) = (3,2,5), A(f)|x := (3)
     $\forall x\ \forall f,g$ that depend on x: A(f)|x = A(g)|x

  25. Consistency
     SA(f) = +3(1,1,2) - 2(3,2,5) + 2(3,3,1)
     SA(f)|x := +3(1) + 0(3), since -2+2=0
     Consistency: $\forall x\ \forall f,g$ that depend on x: SA(f)|x = SA(g)|x
     (Figure: bar charts over (1,1,2), (3,2,5), (3,3,1) and over the values (1), (2), (3); coefficient axis from -2 to 3)

  26. g-SSAT - Definition
     Input: =$f_1,\dots,f_n$ tests over variables $x_1,\dots,x_{n'}$ with range R; for each test $f_i$ - a list of sat. assign.
     Problem: Distinguish between
     • [Yes] There is a natural assignment for 
     • [No] Any non-trivial consistent super-assignment is of norm > g
     Theorem: SSAT is NP-hard for $g = n^{1/\log\log n}$. (conjecture: g=n ,  = some constant)

  27. SSAT is NP-hard to approximate to within $g = n^{1/\log\log n}$

  28. Reducing SSAT to CVP
     • Yes --> Yes: dist(L,target) = n
     • No --> No: dist(L,target) > gn
     • Choose w = gn + 1
     (Figure: basis matrix with entries w and 0 and an identity block I; labels: f,(1,2); f’,(3,2); f,f’,x; * 1 2 3; tests f(w,x), f’(z,x))

  29. A consistency gadget
     (Figure: matrix with entries w and 0; labels: * 1 2 3)

  30. A consistency gadget
     $a_1 + a_2 + a_3 = 1$
     $a_2 + a_3 + b_1 = 1$
     $a_1 + a_3 + b_2 = 1$
     $a_1 + a_2 + b_3 = 1$
     (Figure: matrix with entries w and 0, columns $a_1, a_2, a_3, b_1, b_2, b_3$; labels: * 1 2 3)

  31. GG
     • Approximating SVP and CVP to within n is in NP $\cap$ coAM. Hence if these problems are shown NP-hard, the polynomial-time hierarchy collapses.

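  32. The World According to Lattices
     (Figure: approximation-factor axis for CVP and SVP with marks 1+1/n, 1, O(1), O(log n), 2, $n^{1/\log\log n}$, $n^{O(1)}$, $2^n$; regions: NP-hardness, NP $\cap$ co-AM, poly-time approximation; labels: DKRS, GG, Ajtai-Micciancio, LLL)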

  33. OPEN PROBLEMS
     • Is g-SVP NP-hard to within n ?
     • A class of its own?
     • Can LLL be improved?
     (Figure: approximation-factor axis for CVP and SVP with marks 1+1/n, 1, O(1), O(log n), 2, $n^{1/\log\log n}$, $n^{O(1)}$, $2^n$; regions: NP-hardness, NP $\cap$ co-AM, poly-time approximation)

  34. Open Problems
     • Is SVP NP-hard to approximate to within n factor
     • Can the LLL algorithm be improved?
     • Maybe for factors between and these problems are on a class of their own
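
The reduction on slides 9 to 11, as an added example that is not part of the original presentation: a brute-force enumeration stands in for the CVP oracle (exact, so g = 1), and distances are kept squared to stay in integers. The basis `B`, the coefficient bound and all function names are constructed for illustration.

```python
from itertools import product

# Constructed 2-D basis (not from the slides); its shortest vector is b2 - 2*b1 = (1, -1).
B = [(5, 2), (11, 3)]

def combos(basis, bound):
    """Yield (coeffs, vector) for every integer combination with |c_i| <= bound."""
    dim = len(basis[0])
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        yield coeffs, tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(dim))

def shortest_sq(basis, bound=6):
    """Squared length of the shortest non-zero lattice vector (direct SVP by enumeration)."""
    return min(sum(x * x for x in v) for c, v in combos(basis, bound) if any(c))

def cvp_dist_sq(basis, target, bound=6):
    """Stand-in CVP oracle: squared distance from target to the nearest enumerated point."""
    return min(sum((x - t) ** 2 for x, t in zip(v, target)) for _, v in combos(basis, bound))

def doubled(basis, j):
    """B^(j): the basis with b_j replaced by 2*b_j."""
    return [tuple(2 * x for x in b) if i == j else tuple(b) for i, b in enumerate(basis)]

def per_index_dist_sq(basis, bound=6):
    """dist(b_j, L(B^(j)))^2 for each j: the shortest vector whose j-th coefficient is odd."""
    return [cvp_dist_sq(doubled(basis, j), basis[j], bound) for j in range(len(basis))]

def gap_svp_via_cvp(basis, d_sq, bound=6):
    """Slide 11: OR over j of the oracle's answer to 'is dist(b_j, L(B^(j))) <= d?'."""
    return any(dist_sq <= d_sq for dist_sq in per_index_dist_sq(basis, bound))

if __name__ == "__main__":
    print("direct SVP, squared length:", shortest_sq(B))
    print("per-index CVP distances, squared:", per_index_dist_sq(B))
    print("d^2 = 2 ->", gap_svp_via_cvp(B, 2), "| d^2 = 1 ->", gap_svp_via_cvp(B, 1))
```

The shortest vector here has an even coefficient on b1 and an odd one on b2, so only the oracle call for j = 2 reaches it, which is why the reduction takes the OR over all j.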
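
The dual-basis construction of slide 12 and the hyperplane picture of slide 13, as an added example that is not part of the original presentation. It assumes s is taken in L and the points y in L*; the basis `V`, the vector `S` and the function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

V = [(5, 2), (11, 3)]   # constructed basis of L, rows are v_1, v_2 (not from the slides)
S = (1, -1)             # a shortest vector of L: v_2 - 2*v_1

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def dual_basis(basis):
    """Rows u_i with u_i . v_j = 1 if i == j else 0, i.e. U = (V^t)^-1, by exact Gauss-Jordan."""
    n = len(basis)
    # Augmented matrix [V^t | I]; row r of V^t holds coordinate r of every v_c.
    m = [[Fraction(basis[c][r]) for c in range(n)] + [Fraction(int(r == c)) for c in range(n)]
         for r in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] != 0)  # StopIteration if singular
        m[col], m[piv] = m[piv], m[col]
        pivot = m[col][col]
        m[col] = [x / pivot for x in m[col]]
        for r in range(n):
            if r != col:
                factor = m[r][col]
                m[r] = [a - factor * b for a, b in zip(m[r], m[col])]
    return [tuple(row[n:]) for row in m]

def hyperplane_levels(basis, s, bound=2):
    """Sorted values k = y . s over dual points y = sum c_i u_i with |c_i| <= bound."""
    dual = dual_basis(basis)
    levels = set()
    for coeffs in product(range(-bound, bound + 1), repeat=len(dual)):
        y = [sum(c * u[k] for c, u in zip(coeffs, dual)) for k in range(len(s))]
        levels.add(dot(y, s))
    return sorted(levels)

def spacing_sq(s):
    """Squared distance between neighbouring hyperplanes H_k and H_(k+1): (1/||s||)^2."""
    return Fraction(1, dot(s, s))

if __name__ == "__main__":
    print("dual basis:", dual_basis(V))
    print("levels k hit by dual points:", hyperplane_levels(V, S))
    print("squared spacing 1/||s||^2:", spacing_sq(S))
```

Every dual point lands on an integer level k, and consecutive levels are all occupied, so the dual lattice is sliced into parallel hyperplanes at distance 1/||s||.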