1 / 17

NP-Hardness of Closest Vector Problem With Pre-Processing in Lattices

This talk explores the complexity of the Closest Vector Problem (CVP) within lattices, revealing that approximating CVP with pre-processing (CV-PP) is NP-hard. We discuss foundational concepts related to lattices, the background and motivations for studying CVP, and present our significant results regarding its hardness. Our proofs involve innovative properties of probabilistically checkable proofs (PCPs) and the implications for various computational frameworks. This work contributes to understanding the limits of efficient solutions in lattice-based problems crucial for cryptography and complexity theory.

inari
Télécharger la présentation

NP-Hardness of Closest Vector Problem With Pre-Processing in Lattices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Closest Vector is Hard to Approximateand now, for unlimited time onlywith Pre-Processing !! Guy Kindler Microsoft Research Nisheeth vishnoi Subhash Khot Michael Alekhnovich Joint work with

  2. In this talk: • Lattices • The closest vector problem: background • Our results: NP-hardness for CV-PP • Proving hardness with preprocessing • Something about our proof: new property of PCPs

  3. A lattice,L: A discrete additive subgroup of Rn. • A basis for L: b1,…,bn2Rn, s.t. L={iaibi : a1,..,an2Z}.

  4. The Closest Vector Problem (CVP)

  5. The Closest Vector Problem (CVP) • CVP: Given a lattice L and a target vector t, find the point in L closest to t inlpdistance. • [Regev Ronen 05] Hardness results in l2 carry for any lp. • [Ajtai Kumar Sivakumar 01]:2O(nloglog(n)/log n)=2o(n) approx. • [Dinur Kindler Raz Safra 98]:nO(1/loglog n)=no(1) hardness. • [Lagarias Lenstra Schnorr 90, Banaszczyk 93, Goldreich Goldwasser 00, Aharonov Regev 04] NP-hardness of (n/log n)1/2 would collapse the polynomial hierarchy.

  6. Motivation for studying CVP • [Ajtai 96]: Worst case to average case reductions for lattice problems. • [Ajtai Dwork 97] Based cryptosystems on lattice problems. • [Goldreich Goldwasser Halevi 97] Cryptosystem based on CVP. • [Micciancio Vadhan 03] Identification scheme based on (n/log n)1/2 hardness for CVP. t – message. L – coding function: known in advance, and reused.

  7. Is it safe to reuse L as key? • CV-PP: • Preprocess L for unlimited time, • Given t, solve CVP on L,t. • [Kannan 87, Lagarias Lenstra Schnorr 90, Aharonov Regev ] O(n1/2)-approx. for CV-PP. • [Feige Micciancio 02](5/3)1/p approx. hardness for CV-PP. • [Regev 03]31/p approx. hardness for CV-PP.

  8. Our Results • Thm:CV-PP in NP-hard(!) to approximate within any constant. Also applies to NC-PP. • Unless NPµDTIME(2polylog n), • NC-PP is hard to approximate within (log n)1- • CV-PP is hard to approximate within(log n)(1/p)- • 1st Proof : By reduction from E-k-HVC[DGKR 03]. • 2nd proof: Using PCP-PP constructions, plus smoothing technique of [Khot 02].

  9. Reduction I: Instance of ¦2NPC L , t Proving hardness with preprocessing • Hardness of approximation within gap g: I2¦) dist(t,L)· d I¦ ) dist(t,L)¸ d¢g

  10. Size of I PreprocessedL Proving hardness with preprocessing • Hardness of approximation within g, with preprocessing: • Hardness of approximation within gap g: Partial Input Generator Reduction I: Instance of ¦2NPC L , t t I2¦ ) dist(t,L)· d I¦) dist(t,L)¸ d¢g CV-PP

  11. PreprocessedL LEFT t RIGHT CV-PP x2+2xy=7 x2+z2=5 . . PCP with preprocessing (PCP-PP) • PCP: Gap version of Quadratic equations. Partial Input Generator Size of I Reduction I: Instance of ¦2NPC I2¦ ) dist(t,L)· d I¦ ) dist(t,L)¸ d¢g PCP-PP

  12. LEFT RIGHT x2+2xy=7 x2+z2=5 . . PCP with preprocessing (PCP-PP) • PCP: Gap version of Quadratic equations. Partial Input Generator Size of I Reduction I: Instance of ¦2NPC I2¦ ) opt(LEFT,RIGHT)=1 I¦ ) opt(LEFT,RIGHT)·c<1 PCP-PP

  13. LEFT RIGHT PCP with preprocessing (PCP-PP) • PCP: Gap version of Quadratic equations. Partial Input Generator Size of I Reduction I: Instance of ¦2NPC PCP-PP

  14. PreprocessedL LEFT t RIGHT CV-PP PCP with preprocessing (PCP-PP) • PCP: Gap version of Quadratic equations. Size of I I: Instance of ¦2NPC PCP-PP

  15. PCP with preprocessing (PCP-PP) • PCP: Gap version of Quadratic equations. LEFT RIGHT PCP-PP

  16. PCP-PP construction • PCP: Gap version of Quadratic equations. LEFT Just (carefully) apply usualPCP construction! RIGHT PCP-PP

  17. Open problems • Get better hardness parameters for CV-PP (perhaps using methods from [DKRS 98]). • Get improved hardness results for lattice problems, under stronger assumptions than NPP. • Find more uses for PCP-PP constructions.

More Related