Shortest Vector In A Lattice is NP-Hard to approximate
Daniele Micciancio
Speaker: Asaf Weiss

Definitions
► A Lattice in R^m: all integer combinations of n given linearly independent vectors: L = { Σ_{i=1..n} xi bi : xi ∈ Z }
► The vectors b1, ..., bn are called the Lattice Basis.
► The integer n is called the Lattice Rank.
► We will only discuss integer lattices, where all n bi Z .

Matrix Representation of a Lattice
► We can put the lattice basis in a matrix: B = [b1 | b2 | ... | bn] ∈ Z^(m×n)
► This way the lattice points are exactly: { Bx : x ∈ Z^n }
► The Lattice generated by B is denoted L(B).

Examples
► This is the lattice generated by the set {(1,0), (0,1)}:

Examples – Cont.
► The very same lattice is generated by the set {(1,1), (2,1)}:

More definitions
► The minimum distance of a lattice is: ( L) inf x y : x y L inf x : 0 x L
► Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length.
► Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.

Reduction from SVP to CVP
In order to find SVP(L) where L = L(b1 | ... | bn):
1. Define L' = L(2b1 | ... | bn) and solve the CVP problem CVP(L', b1), to get a vector v ∈ L'.
2. Remember s1 = v − b1.
3. Repeat 1-2 for b2, ..., bn.
4. Find the shortest among s1, ..., sn.

Why is CVP so hard?
Consider the following algorithm for CVP:
1. Given (B, y), solve the set of linear real n equations B y to find a solution R .
2. Round the result to get the answer: z
► The rounding error = B Bz i i 2 1 b
► This bound depends heavily on B.

Why is CVP so hard – Cont.
► For instance, the two bases {(1,0), (0,1)} and {(100,1), (99,1)} generate the same lattice.
► However, the expression b i i is 1.4 for the first basis, and about 199 for the other.

Why is SVP well-defined?
► Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal?
► This isn’t necessarily true for general geometric shapes, e.g. 3 ( x , y , z ) R : x y z 0

Why is SVP well-defined – Cont.
► One can find a lower bound on ( L) :
► Proposition: every lattice basis B obeys ( L(B)) 0 .
    Integer lattices: ( L(B)) 1 .
    Real lattices: one can prove that ( L(B)) min i b*i , where B* is the corresponding G.S. orthogonalization of B.

Why is SVP well-defined – Cont.
► The proposition implies that the distance between two lattice points has a lower bound.
► Therefore, the number of lattice points in the sphere B(0, ( L) 1) 0 is finite.

Yet more definitions
► GAPSVP (B, d) - distinguish between (B) d (YES) and (B) d (NO).
► GAPCVP (B, y, d) - distinguish between dist (y, L(B)) d and dist (y, L(B)) d .
► GAPSVP is easier than approximating SVP with a ratio of : if d ' , , then GAPSVP can be solved by checking whether d ' d or d ' d .

Definitions – Cont.
► We define a new problem, GAPCVP ' (B, y, d), as follows:
    (B, y, d) is a YES instance if Bz y d for some z 0,1 n .
    (B, y, d) is a NO instance if Bz wy d for all z Z n and w Z \ 0 .

Types of reductions
► Deterministic reductions map NO instances to NO instances and YES instances to YES instances.
► Randomized reductions:
    Map NO instances to NO instances with probability 1.
    Map YES instances to YES instances with non-negligible probability.
    Cannot be used to show proper NP-hardness.

History
► 1981 – CVP is NP-hard.
► 1997 – GAPCVP and GAPCVP’ are NP-hard for any constant factor 1 .
► 1998 – SVP is NP-hard for randomized reductions [Ajtai].
► 2004 – SVP is NP-hard to approximate with ratio 2 (log n )0.5 for randomized reductions [Khot]

Hardness of approximating SVP
► Idea: Solving CVP’(B,y) is similar to solving SVP (B | y): both minimize Bx wy , where w is an integer.
► Problem: what if w=0?
► Solution: we embed the lattice L(B | y) in a higher dimensional space.

The Geometric Lemma
Lemma: for any [1, 2) , there exists a polynomial time algorithm that given k Z outputs:
    two positive integers m, r ∈ Z
    a lattice basis L ∈ Z^((m+1)×m)
    a vector s ∈ Z^(m+1)
    a linear transformation T ∈ Z^(k×m)
Such that:
1. (L) r
2. With probability at least 1-1/poly(k), for all x ∈ {0,1}^k there exists z ∈ Z^m s.t. Lz ∈ B(s, r) and Tz = x.

The Geometric Lemma – Cont.
► The lemma doesn’t depend on input!
► It asserts the existence of a lattice and a sphere, such that:
    ( L) is bigger than times the sphere radius.
    With high probability the sphere contains exponentially many lattice vectors.
► Proof: Later.

Theorem 1
► For any constant [1, 2) , GAPSVP is hard for NP under randomized reductions.
► Proof: By reduction from GAPCVP’.
    1 2 ' ( , 2) First, choose and . Assume w.l.o.g. that / and '/ are rational. 2 2

Proof of Theorem 1 – Cont.
► Let (B, y, d) be an instance of GAPCVP ' ' ( B Z nk , y Z n , d Z ).
► We define an instance (V, t) of GAPSVP , s.t:
    If (B, y, d) is a NO instance then (V, t) is a NO instance.
    If (B, y, d) is a YES instance then (V, t) is a YES instance with high probability.

Proof of Theorem 1 – Cont.
► Run the algorithm from the Geometric Lemma (on input k) to obtain L Z ( m1)m , s Z m \ 0, T Z km , r Z s.t:
    m Lz r z Z \ 0 .
► With probability at least 1-1/poly(k), for all k x 0,1 there exists z Z m s.t. Tz x and Lz s r .

Proof of Theorem 1 – Cont.
► Definition of (V, t):
    ' a r . Choose integers a,b s.t and ad b d ' a BT | a y V b L | b s ' t ad br

Proof of Theorem 1 – Cont.
► Fact: for every vector w : z w a BT | a y z a (BTz wy ) Vw b L | b s w b (Lz ws)
► And therefore: Vw (a BTz wy ) 2 (b Lz ws ) 2 2

Proof of Theorem 1 – Cont.
► If (B, y, d) is a NO instance:
    z Let w be a w generic non-zero vector.
    2 2 We show that Vw ( t ) .
    If w 0 then by definition of GAPCVP’: a B(Tz) wy a ' d t
    If w 0 then z 0 and by the lemma: b Lz ws b Lz b r t

Proof of Theorem 1 – End
► If (B, y, d) is a YES instance: There exists k x 0,1 s.t. Bx y d.
► Provided the construction in the lemma succeeds: z Z m s.t. Lz s r and Tz x .
► z 2 2 We define w and get Vw t . 1

Proof of The Geometric Lemma
► The real lattice:
Lemma 1: Let a1, ..., am N be relatively prime odd integers. Then, for any real 0 , the real lattice defined by:
    ln a1 0 L 0 ln a1 0 0 R ( m 1)m ln am ln am 0 0
obeys ( L(L)) 2 ln .

The real lattice – Cont.
► Lemma 2: Set 0 . s 0 ln b z For any , b 1 and z 0,1 , if i ai then Lz s ln b 2 . n i b , b (1 1 )
► A connection between finding lattice vectors close to s and approximating b as a product of the ai's.

The real lattice – Cont.
► If we take b 1 , we get: ( L(L)) 2ln 2(1 )ln b
► Also, there are many lattice points in B(s, ln b 2) 1 b , b (1 ) b , b b , provided that the interval contains many products of the form iS [ m ] ai .
► If a1, ..., am are the first odd primes, these are the square-free (am ) - smooth numbers.

The real lattice – Cont.
► Lemma 3: For every positive numbers [0,1) , H N and any finite integer set M , the following holds: If b is chosen uniformly at random from M, then:
    Prb M [ b , b b ) M H 1 H M (1 2 1 ) where max( M )
► Applying this to the set of square-free smooth numbers gets the following proposition:

The real lattice – Cont.
► Proposition 4: For all reals , 0 , there exists an integer c such that for all sufficiently large integer h the following holds: c Let m h , a1, ..., am be the first m odd primes, and M iS ai : S h . If b is chosen uniformly at random from M, then:
    Prb M [ b , b b ) M h h 2 h

The real lattice – Cont.
► Combining the previous lemmas and proposition we get the following theorem:
Theorem 5: for all , 0 , there exists an integer c such that: c Let h N , m h , and a1, ..., am be the first m odd primes. Let b be the product of a random subset of a1, ..., am of size h. Set L , s as before, and r (1 )ln b 1 . Then:
1. ( L(L)) 2(1 ) /(1 ) r
2. For all sufficiently large h, with probability at least 1 2 h , the sphere B (s, r ) contains at least h h lattice points of the form Lz where z is a 0-1 vector with exactly h ones.

Working over the integers
Using rounding of L and s , a similar result can be achieved for integers:
► Theorem 8: for any [1, 2) , there exists a polynomial time algorithm that given an integer h outputs:
    two positive integers m, r ∈ Z
    a matrix L ∈ Z^((m+1)×m)
    a vector s ∈ Z^(m+1)
Such that:
1. ( L(L)) r
2. For all sufficiently large h, with probability at least 1 2 h , the sphere B(s, r ) contains at least h h lattice points of the form Lz where z is a 0-1 vector with exactly h ones.

Reminder: The Geometric Lemma
Lemma: for any [1, 2) , there exists a polynomial time algorithm that given k Z outputs:
    two positive integers m, r ∈ Z
    a lattice basis L ∈ Z^((m+1)×m)
    a vector s ∈ Z^(m+1)
    a linear transformation T ∈ Z^(k×m)
Such that:
1. (L) r
2. With probability at least 1-1/poly(k), for all x ∈ {0,1}^k there exists z ∈ Z^m s.t. Lz ∈ B(s, r) and Tz = x.

Projecting lattice points to binary strings
► Theorem 9: Let Z 0,1 be a set of vectors containing exactly h ones, s.t. Z h !m . k m T 0,1 by setting each entry to 1 Choose 1 p independently at random with probability . 4 hk Then, with probability at least 1 6 , all binary k vectors 0,1 are contained in T(Z ) Tz : z Z . m 4 hk
► Using this theorem with appropriate constants completes the proof of the Geometric Lemma.

Concluding Remarks
► We proved that approximating SVP is not in RP unless NP=RP.
► The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers.
► With this assumption, we get that approximating SVP is not in P unless P=NP.

Concluding Remarks – Cont.
► The theorem can be generalized for any l p norm ( x p xi ), with constant p p [1, 2) .
► 2000 – SVP is NP-hard to approximate with ratio 2 (log n ) 0.5 p [Dinur]

Questions???
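
The rounding algorithm from the "Why is CVP so hard?" slides, run on the two bases the slides compare. This is an added example, not code from the talk: the target point is constructed, and `sum_norm` assumes the garbled expression on the slide is the norm of b1 + b2, a reading that reproduces the quoted 1.4 and 199.

```python
from fractions import Fraction
from math import hypot

GOOD = [(1, 0), (0, 1)]        # first basis from the slides
BAD = [(100, 1), (99, 1)]      # second basis from the slides, same lattice Z^2
TARGET = (Fraction(3, 10), Fraction(2, 5))   # constructed target point

def round_off(basis, y):
    """CVP by rounding for a rank-2 lattice in the plane.

    Solve x1*b1 + x2*b2 = y over the rationals (Cramer's rule), round each
    coefficient to the nearest integer, and return that lattice point.
    """
    (a, c), (b, d) = basis                 # b1 = (a, c), b2 = (b, d)
    det = a * d - b * c
    if det == 0:
        raise ValueError("basis vectors are linearly dependent")
    x1 = (y[0] * d - b * y[1]) / det
    x2 = (a * y[1] - c * y[0]) / det
    z1, z2 = round(x1), round(x2)
    return (z1 * a + z2 * b, z1 * c + z2 * d)

def dist(p, q):
    """Euclidean distance between two points of the plane."""
    return hypot(float(p[0] - q[0]), float(p[1] - q[1]))

def sum_norm(basis):
    """Norm of b1 + b2 (assumed reading of the slide's garbled expression)."""
    (a, c), (b, d) = basis
    return hypot(a + b, c + d)

def closest_in_Z2(y):
    """Exact CVP for Z^2 itself: round each coordinate."""
    return (round(y[0]), round(y[1]))

if __name__ == "__main__":
    best = closest_in_Z2(TARGET)
    print("true closest point", best, "at distance", round(dist(best, TARGET), 3))
    for name, basis in (("good", GOOD), ("bad", BAD)):
        p = round_off(basis, TARGET)
        print(name, "basis ->", p, "error", round(dist(p, TARGET), 3),
              "| norm of b1+b2:", round(sum_norm(basis), 1))
```

With the skewed basis the coefficients round by only 0.3 each, yet the returned point is about 59.7 away from a target whose true nearest lattice point is 0.5 away.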
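
The four steps of the "Reduction from SVP to CVP" slide as runnable code. This is an added example, not code from the talk: the CVP oracle is a brute-force stand-in over a small coefficient box, and the basis (4,1), (1,3) is constructed.

```python
from itertools import product

def norm2(v):
    """Squared Euclidean norm of an integer vector."""
    return sum(x * x for x in v)

def combos(basis, bound):
    """All integer combinations of the basis with coefficients in [-bound, bound]."""
    dim = len(basis[0])
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        yield tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(dim))

def cvp_oracle(basis, target, bound=6):
    """Stand-in CVP oracle: exhaustive search, valid only for toy instances
    whose closest point has coefficients inside the box."""
    return min(combos(basis, bound),
               key=lambda p: norm2(tuple(a - t for a, t in zip(p, target))))

def svp_via_cvp(basis, bound=6):
    """Shortest non-zero lattice vector using only calls to the CVP oracle."""
    candidates = []
    for i, b_i in enumerate(basis):
        # Step 1: L' has 2*b_i in place of b_i; ask for the point of L' closest to b_i.
        doubled = [tuple(2 * x for x in b) if j == i else b
                   for j, b in enumerate(basis)]
        v = cvp_oracle(doubled, b_i, bound)
        # Step 2: s_i = v - b_i has an odd coefficient on b_i, so it is never zero.
        candidates.append(tuple(a - t for a, t in zip(v, b_i)))
    # Step 4: a shortest vector has some odd coefficient, so one s_i attains it.
    return min(candidates, key=norm2)

def svp_brute(basis, bound=6):
    """Reference answer: direct search over non-zero combinations."""
    return min((p for p in combos(basis, bound) if any(p)), key=norm2)

if __name__ == "__main__":
    for basis in ([(100, 1), (99, 1)], [(4, 1), (1, 3)]):
        print(basis, "->", svp_via_cvp(basis), "reference", svp_brute(basis))
```

For the basis (4,1), (1,3) the first oracle call only yields a vector of squared length 13; the shortest vector (squared length 10) comes from the second call, which is why the slide repeats steps 1-2 for every basis vector.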