Shortest Vector In A Lattice
is NP-Hard to approximate
Daniele Micciancio
Speaker: Asaf Weiss
Definitions
► A Lattice in $\mathbb{R}^m$: all integer combinations of $n \le m$ given linearly independent vectors:
$$L = \left\{ \sum_{i=1}^{n} x_i b_i : x_i \in \mathbb{Z} \right\}$$
► The vectors $b_1, \dots, b_n$ are called the Lattice Basis.
► The integer n is called the Lattice Rank.
► We will only discuss integer lattices, where all $b_i \in \mathbb{Z}^m$.
Matrix Representation of a Lattice
► We can put the lattice basis in a matrix:
$$B = [b_1 | b_2 | \dots | b_n] \in \mathbb{Z}^{m \times n}$$
► This way the lattice points are exactly:
$$\{Bx : x \in \mathbb{Z}^n\}$$
► The Lattice generated by B is denoted $L(B)$.
Examples
► This is the lattice generated by the set $\{(1, 0), (0, 1)\}$:
Examples – Cont.
► The very same lattice is generated by the set $\{(1, 1), (2, 1)\}$:
More definitions
► The minimum distance of a lattice is:
$$\lambda(L) = \inf\{\|x - y\| : x \ne y \in L\} = \inf\{\|x\| : 0 \ne x \in L\}$$
► Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length.
► Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.
Reduction from SVP to CVP
In order to find SVP$(L)$, where $L = L(b_1 | \dots | b_n)$:
1. Define $L' = L(2b_1 | \dots | b_n)$ and solve the CVP problem CVP$(L', b_1)$, to get a vector $v \in L'$.
2. Remember $s_1 = v - b_1$.
3. Repeat 1-2 for $b_2, \dots, b_n$.
4. Find the shortest among $s_1, \dots, s_n$.
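Added example (not part of the original slides): the four steps above in Python, with a bounded exhaustive search standing in for the CVP oracle. The oracle, the coefficient bound and the sample basis are assumptions of this example. Doubling $b_i$ forces an odd coefficient on $b_i$ in $s_i$, so no candidate is the zero vector, and a shortest vector always has at least one odd coefficient, so one of the n calls finds it.

```python
from itertools import product

# Constructed sample basis (rows are b_1, b_2); its shortest vector is +-(1, 3).
SAMPLE_BASIS = [(4, 1), (1, 3)]

def combine(basis, coeffs):
    """Lattice point sum_i coeffs[i] * basis[i]."""
    return tuple(sum(c * b[j] for c, b in zip(coeffs, basis))
                 for j in range(len(basis[0])))

def norm2(v):
    """Squared Euclidean length."""
    return sum(x * x for x in v)

def cvp_oracle(basis, target, bound=6):
    """Stand-in CVP oracle (assumption): exhaustive search over
    coefficient vectors in [-bound, bound]^n, so only valid for tiny inputs."""
    points = (combine(basis, c)
              for c in product(range(-bound, bound + 1), repeat=len(basis)))
    return min(points, key=lambda p: norm2([a - t for a, t in zip(p, target)]))

def svp_via_cvp(basis, bound=6):
    """Steps 1-4 of the slide: one CVP call per basis vector."""
    candidates = []
    for i, b_i in enumerate(basis):
        # Step 1: L' is L with b_i replaced by 2*b_i; the target b_i is not in L'.
        doubled = [tuple(2 * x for x in b) if j == i else tuple(b)
                   for j, b in enumerate(basis)]
        v = cvp_oracle(doubled, b_i, bound)
        # Step 2: s_i = v - b_i lies in L with an odd coefficient on b_i, so s_i != 0.
        candidates.append(tuple(x - y for x, y in zip(v, b_i)))
    # Step 4: the shortest candidate.
    return min(candidates, key=norm2)

if __name__ == "__main__":
    s = svp_via_cvp(SAMPLE_BASIS)
    print("shortest vector:", s, "squared length:", norm2(s))
```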
Why is CVP so hard?
Consider the following algorithm for CVP:
1.
2.
Given (B, y ) , solve the set of linear real
n
equations B  y to find a solution   R .
Round the result to get the answer: z   
1
b
► The rounding error = B  Bz 

i i
2
► This bound depends heavily on B.
Why is CVP so hard – Cont.
► For instance, the two bases $\{(1, 0), (0, 1)\}$ and $\{(100, 1), (99, 1)\}$ generate the same lattice.
►
However, the expression
b
i
i
is 1.4 for
the first base, and about 199 for the other.
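Added example (not part of the original slides): the rounding algorithm run on the two bases above, which generate the same lattice, against one constructed target point. The names `alpha`, `round_off` and `closest_exhaustive` and the target (2/5, 2/5) are this example's own; the rank-2 solve uses Cramer's rule with exact fractions.

```python
from fractions import Fraction
from itertools import product

GOOD = ((1, 0), (0, 1))        # first basis from the slide
BAD = ((100, 1), (99, 1))      # second basis from the slide, same lattice
TARGET = (Fraction(2, 5), Fraction(2, 5))   # constructed target point y

def combine(basis, coeffs):
    """Lattice point coeffs[0]*b1 + coeffs[1]*b2."""
    return tuple(coeffs[0] * basis[0][j] + coeffs[1] * basis[1][j]
                 for j in range(2))

def dist2(p, q):
    """Squared Euclidean distance, exact when the inputs are Fractions."""
    return sum((a - b) ** 2 for a, b in zip(p, q))

def round_off(basis, y):
    """Solve B*alpha = y exactly (rank 2), round alpha, return the point B*z."""
    (a, c), (b, d) = basis                 # columns b1 = (a, c), b2 = (b, d)
    det = Fraction(a * d - b * c)
    alpha = ((y[0] * d - b * y[1]) / det, (a * y[1] - c * y[0]) / det)
    z = tuple(round(t) for t in alpha)     # nearest integer per coordinate
    return combine(basis, z)

def closest_exhaustive(basis, y, bound=5):
    """Closest point among coefficient vectors in [-bound, bound]^2."""
    points = (combine(basis, c)
              for c in product(range(-bound, bound + 1), repeat=2))
    return min(points, key=lambda p: dist2(p, y))

if __name__ == "__main__":
    for name, basis in (("good", GOOD), ("bad", BAD)):
        p = round_off(basis, TARGET)
        print(name, "basis rounds to", p, "squared distance", dist2(p, TARGET))
    print("closest lattice point:", closest_exhaustive(GOOD, TARGET))
```

With the second basis the real solution is (-39.2, 39.6), which rounds to (-39, 40) and lands on the lattice point (60, 1), far from the closest point (0, 0) that the first basis returns.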
Why is SVP well-defined?
► Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal?
► This
isn’t necessarily true for general
3
(
x
,
y
,
z
)

R
: x  y  z  0
geometric shapes, e.g. 
Why is SVP well-defined – Cont.
► One can find a lower bound on $\lambda(L)$:
► Proposition: every lattice basis B obeys $\lambda(L(B)) > 0$.
  • Integer lattices: $\lambda(L(B)) \ge 1$.
  • Real lattices: one can prove that $\lambda(L(B)) \ge \min_i \|b_i^*\|$, where $B^*$ is the corresponding Gram-Schmidt orthogonalization of B.
Why is SVP well-defined – Cont.
► The proposition implies that the distance between two lattice points has a lower bound.
► Therefore, the number of lattice points in the sphere $B(0, \lambda(L) + 1) \setminus \{0\}$ is finite.
Yet more definitions
► GAPSVP$_\gamma(B, d)$ - distinguish between $\lambda(B) \le d$ (YES) and $\lambda(B) > \gamma \cdot d$ (NO).
► GAPCVP$_\gamma(B, y, d)$ - distinguish between $\mathrm{dist}(y, L(B)) \le d$ and $\mathrm{dist}(y, L(B)) > \gamma \cdot d$.
► GAPSVP$_\gamma$ is easier than approximating SVP with a ratio of $\gamma$: if $d' \in [\lambda, \gamma \cdot \lambda]$, then GAPSVP$_\gamma$ can be solved by checking whether $d' \le \gamma \cdot d$ or $d' > \gamma \cdot d$.
Definitions – Cont.
► We define a new problem, GAPCVP'$_\gamma(B, y, d)$, as follows:
  • $(B, y, d)$ is a YES instance if $\|Bz - y\| \le d$ for some $z \in \{0,1\}^n$.
  • $(B, y, d)$ is a NO instance if $\|Bz - wy\| > \gamma \cdot d$ for all $z \in \mathbb{Z}^n$ and $w \in \mathbb{Z} \setminus \{0\}$.
Types of reductions
► Deterministic reductions map NO instances to NO instances and YES instances to YES instances.
► Randomized reductions:
  • Map NO instances to NO instances with probability 1.
  • Map YES instances to YES instances with non-negligible probability.
  • Cannot be used to show proper NP-hardness.
History
► 1981 – CVP is NP-hard.
► 1997 – GAPCVP and GAPCVP’ are NP-hard for any constant factor $\gamma \ge 1$.
► 1998 – SVP is NP-hard for randomized reductions [Ajtai].
► 2004 – SVP is NP-hard to approximate with ratio $2^{(\log n)^{0.5}}$ for randomized reductions [Khot]
Hardness of approximating SVP
► Idea: Solving CVP’(B,y) is similar to solving SVP$([B | y])$: both minimize $\|Bx + wy\|$, where w is an integer.
► Problem: what if w=0?
► Solution: we embed the lattice $L(B | y)$ in a higher dimensional space.
The Geometric Lemma
Lemma: for any $\gamma \in [1, \sqrt{2})$, there exists a polynomial time algorithm that given $k \in \mathbb{Z}^+$ outputs:
  • two positive integers $m, r \in \mathbb{Z}^+$
  • a lattice basis $L \in \mathbb{Z}^{(m+1) \times m}$
  • a vector $s \in \mathbb{Z}^{m+1}$
  • a linear transformation $T \in \mathbb{Z}^{k \times m}$
Such that:
1. $\lambda(L) > \gamma \cdot r$
2. With probability at least 1-1/poly(k), for all $x \in \{0,1\}^k$ there exists $z \in \mathbb{Z}^m$ s.t. $Lz \in B(s, r)$ and $Tz = x$.
The Geometric Lemma – Cont.
► The lemma doesn’t depend on input!
► It asserts the existence of a lattice and a sphere, such that:
  • $\lambda(L)$ is bigger than $\gamma$ times the sphere radius.
  • With high probability the sphere contains exponentially many lattice vectors.
► Proof: Later.
Theorem 1
► For any constant $\gamma \in [1, \sqrt{2})$, GAPSVP$_\gamma$ is hard for NP under randomized reductions.
► Proof: By reduction from GAPCVP’.


1
2

'






(

,
2)
 First, choose
and
.
 Assume w.l.o.g that  /  and  '/  are rational.
2
2
Proof of Theorem 1 – Cont.
► Let $(B, y, d)$ be an instance of GAPCVP'$_{\gamma'}$ ($B \in \mathbb{Z}^{n \times k}$, $y \in \mathbb{Z}^n$, $d \in \mathbb{Z}$).
► We define an instance $(V, t)$ of GAPSVP$_\gamma$, s.t:
  • If $(B, y, d)$ is a NO instance then $(V, t)$ is a NO instance.
  • If $(B, y, d)$ is a YES instance then $(V, t)$ is a YES instance with high probability.
Proof of Theorem 1 – Cont.
Run the algorithm from the Geometric Lemma
(on input k) to obtain
L  Z ( m1)m , s  Z m \ 0, T  Z km , r  Z
s.t:
m
Lz



r

z

Z
\ 0 .
►
► With probability at least 1-1/poly(k), for all $x \in \{0,1\}^k$ there exists $z \in \mathbb{Z}^m$ s.t. $Tz = x$ and $\|Lz - s\| \le r$.
Proof of Theorem 1 – Cont.
► Definition
of ( V , t ) :
'
a r
 .
 Choose integers a,b s.t 
and ad
b d '

 a  BT | a  y 
 V

 b L | b s 
'

 t  ad
 br


Proof of Theorem 1 – Cont.
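► Fact: for every vector $\mathbf{w} = \binom{z}{w}$:
$$V\mathbf{w} = \begin{pmatrix} a \cdot BT & a \cdot y \\ b \cdot L & b \cdot s \end{pmatrix} \begin{pmatrix} z \\ w \end{pmatrix} = \begin{pmatrix} a \cdot (BTz + wy) \\ b \cdot (Lz + ws) \end{pmatrix}$$
► And therefore:
$$\|V\mathbf{w}\|^2 = (a \cdot \|BTz + wy\|)^2 + (b \cdot \|Lz + ws\|)^2$$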
Proof of Theorem 1 – Cont.
► If $(B, y, d)$ is a NO instance: Let $\mathbf{w} = \binom{z}{w}$ be a generic non-zero vector.
We show that $\|V\mathbf{w}\|^2 > (\gamma t)^2$.
 If w  0 then by definition of GAPCVP’:
a B(Tz)  wy  a   ' d   t
 If w  0 then z  0 and by the lemma:
b  Lz  ws  b  Lz  b   r   t
Proof of Theorem 1 – End
► If $(B, y, d)$ is a YES instance: There exists $x \in \{0,1\}^k$ s.t. $\|Bx - y\| \le d$.
► Provided the construction in the lemma succeeds: $\exists z \in \mathbb{Z}^m$ s.t. $\|Lz - s\| \le r$ and $Tz = x$.
► We define $\mathbf{w} = \binom{z}{-1}$ and get $\|V\mathbf{w}\|^2 \le t^2$.
Proof of The Geometric Lemma
► The
real lattice:
 Lemma 1: Let a1 ,..., am  N be relatively prime
odd integers. Then, for any real   0 , the
real lattice defined by:
 ln a1

0

L
 0
 ln a1
0
0


  R ( m 1)m
ln am 
 ln am 
0
0
obeys  ( L(L))  2 ln  .
The real lattice – Cont.
► Lemma
 Set
2:
 0 


.
s
 0 


 ln b 
z
 For any  , b  1 and z  0,1 , if i ai
then Lz  s  ln b  2 .
n
i
  b , b (1  1 ) 
 

 A connection between finding lattice vectors close
to s and approximating b as a product of the ai ' s .
The real lattice – Cont.
► If
we take   b 1 , we get:
 ( L(L))  2ln   2(1   )ln b
► Also,
there are many lattice points in B(s, ln b  2)

1




b
,
b
(1

)

b
,
b

b
, provided that the interval 
  
contains many products of the form  iS [ m ] ai .
► If $a_1, \dots, a_m$ are the first odd primes, these are the square-free $(a_m)$-smooth numbers.
The real lattice – Cont.
► Lemma 3: For every positive numbers
  [0,1) , H  N and any finite integer set M
, the
following holds: If b is chosen uniformly at
random from M, then:



Prb M [ b , b  b )  M  H 
 1  H
M (1  2 1 )
where   max( M )
► Applying this to the set of square-free smooth numbers gives the following proposition:
The real lattice – Cont.
4: For all reals  ,   0 , there
exists an integer c such that for all sufficiently
large integer h the following holds:
c
Let m  h , a1 ,..., am be the first m odd primes,
and M   iS ai : S  h  . If b is chosen uniformly
at random from M, then:
► Proposition


Prb M [ b , b  b  )  M  h h  2 h
The real lattice – Cont.
► Combining the previous lemmas and proposition we get the following theorem:
Theorem 5: for all  ,   0 , there exists an integer c such that:
c
Let h  N , m  h , and a1 ,..., am be the first m odd primes.
Let b be the product of a random subset of a1 ,..., am  of
size h.
Set L , s as before, and r  (1   )ln b  1 . Then:
1.
2.
 ( L(L))  2(1   ) /(1   )  r
For all sufficiently large h, with probability at least 1  2 h , the
sphere B (s, r ) contains at least h h lattice points of the form
Lz where z is a 0-1 vector with exactly h ones.
Working over the integers
Using rounding of L and s , a similar result can be
achieved for integers:
►
Theorem 8: for any   [1, 2) , there exists a polynomial time
algorithm that given an integer h outputs:



two positive integers m, r  Z 
a matrix L  Z ( m1)m
a vector s  Z m 1
Such that:
1.  ( L(L))    r
2.
For all sufficiently large h, with probability at least 1  2 h , the
sphere B(s, r ) contains at least h h lattice points of the form
Lz where z is a 0-1 vector with exactly h ones.
Reminder: The Geometric Lemma
Lemma: for any $\gamma \in [1, \sqrt{2})$, there exists a polynomial time algorithm that given $k \in \mathbb{Z}^+$ outputs:
  • two positive integers $m, r \in \mathbb{Z}^+$
  • a lattice basis $L \in \mathbb{Z}^{(m+1) \times m}$
  • a vector $s \in \mathbb{Z}^{m+1}$
  • a linear transformation $T \in \mathbb{Z}^{k \times m}$
Such that:
1. $\lambda(L) > \gamma \cdot r$
2. With probability at least 1-1/poly(k), for all $x \in \{0,1\}^k$ there exists $z \in \mathbb{Z}^m$ s.t. $Lz \in B(s, r)$ and $Tz = x$.
Projecting lattice points to binary
strings
► Theorem
9:
Let Z  0,1 be a set of vectors containing exactly
h ones, s.t. Z  h !m 
.
k m
T

0,1
  by setting each entry to 1
Choose
1
p

independently at random with probability
.
4 hk
Then, with probability at least 1  6 , all binary
k
vectors 0,1 are contained in T(Z )  Tz : z  Z  .
m
4
► Using
hk
this theorem with appropriate constants
completes the proof of the Geometric Lemma.
Concluding Remarks
► We proved that approximating SVP is not in RP unless NP=RP.
► The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers.
► With this assumption, we get that approximating SVP is not in P unless P=NP.
Concluding Remarks – Cont.
► The theorem can be generalized for any $\ell_p$ norm ($\|x\|_p = \sqrt[p]{\sum |x_i|^p}$), with constant $\gamma \in [1, \sqrt[p]{2})$.
► 2000 – SVP is NP-hard to approximate with ratio $2^{(\log n)^{0.5}}$ [Dinur]
Questions???