The Complexity of Lattice Problems

The Complexity of Lattice Problems. Oded Regev, Tel Aviv University. (for more details, see LLL+25 survey). Amsterdam, May 2010. Lattice. For vectors v1,…,vn in R^n we define the lattice generated by them as L = {a1v1+…+anvn | ai integers}


Presentation Transcript


  1. The Complexity of Lattice Problems Oded Regev, Tel Aviv University (for more details, see LLL+25 survey) Amsterdam, May 2010

  2. Lattice • For vectors v1,…,vn in R^n we define the lattice generated by them as • L = {a1v1+…+anvn | ai integers} • We call v1,…,vn a basis of L [Figure: the lattice generated by v1 and v2, with points such as 0, v1+v2, 2v1, 2v2, 2v2-v1 and 2v2-2v1 labelled]

  3. Lattices from a Computational Complexity Point of View • Lattice problems are among the richest problems in complexity theory, exhibiting a wide range of behaviors: • Some problems are in P (as shown by LLL) • Some problems are NP-hard • Some problems are not known to be in P, but believed not to be NP-hard • As a rule of thumb, ‘algebraic’ problems are easy; ‘geometric’ problems are hard

  4. Shortest Vector Problem (SVP) • GapSVP: Given a lattice, decide if the length of the shortest vector is: • YES: less than 1 • NO: more than  [Figure: a lattice with basis vectors v1, v2 and origin 0]

  5. Closest Vector Problem (CVP) • GapCVP: Given a lattice and a point v, decide if the distance of v from the lattice is: • YES: less than 1 • NO: more than  • GapSVP is not harder than GapCVP [GoldreichMicciancioSafraSeifert99] • Both problems are clearly in NP (for any ) [Figure: a lattice with basis vectors v1, v2, origin 0 and a target point v]

  6. Known Results • Polytime algorithms for gap 2^(n loglog n / log n) [LLL82, Schnorr87, AjtaiKumarSivakumar02] • Hardness is known for: • GapCVP: n^(c/loglog n) [vanEmdeBoas81…, DinurKindlerRazSafra03] • GapSVP: 1 in l1 [vanEmdeBoas81], 1 [Ajtai96], 2 [Micciancio98], 2^(log^(½-ε) n) [Khot04], n^(c/loglog n) [HavivR07] [Figure: the gap axis, marked 1, n^(c/loglog n), n and 2^(n loglog n / log n), with regions labelled NP-hard, ?, Cryptography [Ajtai96, AjtaiDwork97…] and P]

  7. Known Results: Limits on Inapproximability • GapCVP_n ∈ NP∩coNP [LagariasLenstraSchnorr90, Banaszczyk93] • GapCVP_(n/log n) ∈ NP∩coAM [GoldreichGoldwasser98] • GapCVP_n ∈ NP∩coNP [AharonovRegev04] [Figure: the gap axis, marked 1, n^(c/loglog n), n, n and 2^(n loglog n / log n), with regions labelled NP-hard, NP∩coNP, NP∩coAM, NP∩coNP and P]

  8. What’s ahead? • GapCVP_(n/log n) ∈ NP∩coAM [GoldreichGoldwasser98] • GapCVP_n ∈ NP∩coNP [AharonovRegev04]

  9. What’s ahead? • GapCVP_(n/log n) ∈ coAM [GoldreichGoldwasser98] • GapCVP_n ∈ coNP [AharonovRegev04]

  10. Chapter IGapCVPn in coAM[GoldreichGoldwasser98]

  11. Our Goal Given: - Lattice L (specified by a basis) - Point v We want to: Be convinced that v is far from L by interacting with an (all powerful) prover (using a constant number of rounds)

  12. The Idea

  13. Basic High-dimensional Geometry • How big is the intersection of two balls of radius 1 in n dimensions whose centers are at distance  apart? • When 2, balls disjoint • When =0, balls exactly overlap • When =0.1, intersection is exponentially small • When =1/n, intersection is constant fraction

  14. The Protocol • Flip a fair coin • If heads, choose a random point in L+B • If tails, choose a random point in L+B+v • Send the resulting point to the prover • The prover is supposed to tell whether the coin was heads or tails (Can be implemented efficiently)

  15. Demonstration of Protocol

  16. Demonstration of Protocol

  17. Analysis • If dist(v,L)>2 then prover can always answer correctly • If dist(v,L)<1/n then with some constant probability, the prover has no way to tell what the coin outcome was • Hence we catch the prover cheating with some constant probability • This completes the proof

  18. Chapter IIGapCVPn in coNP[AharonovR04]

  19. Our Goal Given: - Lattice L (specified by a basis) - Point v We want: A witness for the fact that v is far from L

  20. Overview Step 1: Define f. Its value depends on the distance from L: • Almost zero if distance > n • More than zero if distance < log n Step 2: Encode f. Show that the function f has a short description Step 3: Verifier. Construct the NP verifier

  21. Step 1: Define f

  22. The function f Consider the Gaussian: Periodize over L: Normalize by g(0):

  23. The function f (pictorially)

  24. f distinguishes between far and close vectors (a) d(x,L) ≥ n ⇒ f(x) ≤ 2^(-Ω(n)) (b) d(x,L) ≤ log n ⇒ f(x) > n^(-5) Proof: (a) [Banaszczyk93] (b) Not too difficult

  25. Step 2: Encode f

  26. The function f (again) Let’s consider its Fourier transform!

  27. f̂ is a probability distribution Claim: f̂: L* → R+ is a probability distribution on L* Proof: g is a convolution of a Gaussian and δ_L

  28. f as an expectation In fact, it is an expectation of a real variable between -1 and 1: Chernoff

  29. Encoding f Pick W=(w1,w2,…,wN) with N=poly(n) according to the f̂ distribution on L* (Chernoff) This is true even pointwise!

  30. The Approximating Function (with N=1000 dual vectors)

  31. Interlude: CVPP • GapCVPP: Solve GapCVP on a preprocessed lattice (allowed infinite computational power, but before seeing v) (ideas led to [MicciancioVoulgaris10]’s recent deterministic 2^n algorithm for lattice problems) • Algorithm for GapCVPP: Prepare the function fW in advance; when given v, calculate fW(v). • Algorithm for GapCVPP_(n/log n) (best known!)

  32. This concludes Step 2: Encode f. The encoding is a list W of vectors in L*. fW(x) ≈ f(x)

  33. Step 3: NP Verifier

  34. The Verifier (First Attempt) Given input L, v, and witness W, accept iff 1. fW(v) < n^(-10), and 2. fW(x) > n^(-5) for all x within distance log n from L • This verifier is correct • But: how to check (2) efficiently? • - First check that fW is periodic over L (true if W in L*) • - Then check that > n^(-5) around origin • We don’t know how to do this for distance log n • Instead, we do this for distance 0.01

  35. The Verifier (Second Attempt) Given input L, v, and witness W, accept iff 1. fW(v) < n^(-10), and 2. w1,…,wN in L*, and 3. 2 implies that fW is periodic on L:

  36. The Verifier (Second Attempt) Given input L, v, and witness W, accept iff 1. fW(v) < n^(-10), and 2. w1,…,wN in L*, and 3. 3 implies that fW is at least 0.8 within distance 0.01 of the origin: [Figure: plot of fW(x) around the origin, for x between -.01 and .01]

  37. The Final Verifier Given input L, v, and witness W, accept iff 1. fW(v) < n^(-10), and 2. w1,…,wN in L*, and 3. ||WW^T|| < N where 3 checks that in any direction the w’s are not too long:

  38. The Final Verifier Given input L, v, and witness W, accept iff 1. fW(v) < n^(-10), and 2. w1,…,wN in L*, and 3. ||WW^T|| < N where

  39. Conclusion and Open Questions • Lattice problems with approximation factors >n are unlikely to be NP-hard • These are the problems used for crypto • Can we say anything about their hardness? • Perhaps relate to hardness of other problems, say factoring? • Extremely important question for crypto • Can the containment in NP∩coNP be improved to (n/log n) or even below?

  40. Thanks!
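
The coin-flip protocol of slides 14 and 17, simulated in two dimensions. This is an added example, not part of the original slides. The lattice 3·Z^2, the brute-force prover, the guessing rule and all function names are assumptions made for the illustration.

```python
import math
import random

# Constructed lattice 3*Z^2 (shortest vector 3 > 2: unit balls are disjoint).
BASIS = ((3.0, 0.0), (0.0, 3.0))

def coords(x, basis=BASIS):
    """Real coefficients (a, b) such that x = a*b1 + b*b2."""
    (p, q), (r, s) = basis
    det = p * s - q * r
    return (x[0] * s - x[1] * r) / det, (x[1] * p - x[0] * q) / det

def dist_to_lattice(x, basis=BASIS):
    """Brute-force CVP in 2D: try integer coefficients near the rounded ones."""
    a, b = coords(x, basis)
    (p, q), (r, s) = basis
    return min(math.hypot(x[0] - i * p - j * r, x[1] - i * q - j * s)
               for i in range(round(a) - 2, round(a) + 3)
               for j in range(round(b) - 2, round(b) + 3))

def verifier_message(v, rng, basis=BASIS):
    """Flip the coin; return (heads?, point of L+B or L+B+v sent to prover)."""
    heads = rng.random() < 0.5
    while True:  # rejection-sample a uniform point e of the unit ball B
        e = (rng.uniform(-1, 1), rng.uniform(-1, 1))
        if math.hypot(*e) <= 1:
            break
    x = e if heads else (e[0] + v[0], e[1] + v[1])
    a, b = coords(x, basis)  # reduce mod L so only the coset is revealed
    a, b = a - math.floor(a), b - math.floor(b)
    (p, q), (r, s) = basis
    return heads, (a * p + b * r, a * q + b * s)

def prover_answer(x, v, rng):
    """Unbounded prover: which of L+B and L+B+v contains x?"""
    in_heads = dist_to_lattice(x) <= 1 + 1e-9
    in_tails = dist_to_lattice((x[0] - v[0], x[1] - v[1])) <= 1 + 1e-9
    if in_heads != in_tails:
        return in_heads
    return rng.random() < 0.5  # x lies in both sets: the prover can only guess

def success_rate(v, rounds=2000, seed=1):
    """Fraction of rounds in which the prover names the coin correctly."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(rounds):
        heads, x = verifier_message(v, rng)
        wins += prover_answer(x, v, rng) == heads
    return wins / rounds
```

With v = (1.5, 1.5), at distance about 2.12 from the lattice, the prover is right in every round; with v = (0.3, 0) the two balls overlap heavily and the success rate falls to roughly 0.6, which is what lets the verifier catch a prover claiming that v is far.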
