S.Safra I.Dinur G.Kindler

Presentation transcript:

Lattice Salad

Lattice Problems
Definition: Given a basis $v_1,\dots,v_n \in \mathbb{R}^n$, the lattice is $L = L(v_1,\dots,v_n) = \{\sum_i a_i v_i \mid \text{integers } a_i\}$.
SVP: Find the shortest non-zero vector in $L$.
CVP: Given a vector $y \in \mathbb{R}^n$, find a $v \in L$ closest to $y$.
[Figure labels: y, shortest, closest]

What’s the nearest lattice point? [Figure label: Another basis]

Lattice Approximation Problems
g-Approximation version: Find a vector $y$ s.t. $\|y\| < g \cdot \mathrm{shortest}(L)$.
g-Gap version: Given $L$ and a number $d$, distinguish between
  The ‘yes’ instances ( $\mathrm{shortest}(L) \le d$ )
  The ‘no’ instances ( $\mathrm{shortest}(L) > g \cdot d$ )
If the g-Gap problem is NP-hard, then having a polynomial-time g-approximation algorithm --> P=NP.

Lattice Problems - Brief History
[Dirichlet, Minkowski] no CVP algorithms…
[LLL] Approximation algorithm for SVP, factor $2^{n/2}$
[Babai] Extension to CVP
[Schnorr] Improved factor, $(1+\epsilon)^n$ for both CVP and SVP
[vEB]: CVP is NP-hard
[ABSS]: Approximating CVP is NP hard to within any constant. Almost NP hard to within an almost polynomial factor.

Lattice Problems - Recent History
[Ajtai96]: average-case/worst-case equiv. for SVP.
[Ajtai-Dwork96]: Cryptosystem.
[Ajtai97]: SVP is NP-hard (for randomized reductions).
[Micc98]: SVP is NP-hard to approximate to within some constant factor.
[DKRS]: NP hard to within an almost polynomial factor.
[LLS]: Approximating CVP to within $n^{1.5}$ is in coNP.
[GG]: Approximating SVP and CVP to within n is in coAM $\cap$ NP.

CVP/SVP - which is easier?
Definition: Given a basis $v_1,\dots,v_n \in \mathbb{R}^n$, the lattice is $L = L(v_1,\dots,v_n) = \{\sum_i a_i v_i \mid \text{integers } a_i\}$.
SVP: Find the shortest non-zero vector in $L$.
CVP: Given a vector $y \in \mathbb{R}^n$, find a $v \in L$ closest to $y$.
[Figure labels: y, shortest, closest]

Reducing g-SVP to g-CVP [GMSS99]
[Figure: the lattice $L$ with basis $b_1, b_2$; shortest: $b_2 - 2b_1$]

Reducing g-SVP to g-CVP [GMSS98]
Shortest vector in $L$ = $\sum_i c_i b_i$
Note: at least one coef. $c_i$ of the shortest vector must be odd
The lattice $L' = \mathrm{span}(b_1, 2b_2)$; the lattice $L'' = \mathrm{span}(2b_1, b_2)$
CVP oracle: apx. minimize $\|c_1 b_1 + 2 c_2 b_2 - b_2\|$

The Reduction
Input: A pair $(B,d)$, $B=(b_1,\dots,b_n)$ and $d \in \mathbb{R}$
for j=1 to n: invoke the CVP oracle on $(B^{(j)}, b_j, d)$
Output: The OR of all oracle replies.
Where $B^{(j)} = (b_1,\dots,b_{j-1},2b_j,b_{j+1},\dots,b_n)$
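The reduction above in search form, as an added example (not from the slides): each call doubles one basis vector and asks for the lattice point closest to the undoubled one. The exhaustive `toy_cvp_oracle`, its coefficient bound and the basis are constructed stand-ins for a real CVP oracle and instance.

```python
from itertools import product

def sq_norm(v):
    return sum(x * x for x in v)

def combo(basis, coeffs):
    """Integer combination sum_i coeffs[i] * basis[i]."""
    dim = len(basis[0])
    return tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(dim))

def toy_cvp_oracle(basis, target, bound=8):
    """Stand-in CVP oracle: exhaustive search over coefficients in [-bound, bound].
    Exponential in the rank, so only usable on tiny constructed instances."""
    best = None
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        diff = tuple(a - t for a, t in zip(combo(basis, coeffs), target))
        if best is None or sq_norm(diff) < sq_norm(best):
            best = diff
    return best  # closest lattice point minus target

def svp_via_cvp(basis):
    """For each j, find the point of L(b1,..,2bj,..,bn) closest to bj.
    The difference has an odd coefficient on bj, so it is a non-zero vector of L."""
    best = None
    for j, bj in enumerate(basis):
        doubled = [tuple(2 * x for x in b) if i == j else b
                   for i, b in enumerate(basis)]
        diff = toy_cvp_oracle(doubled, bj)
        if best is None or sq_norm(diff) < sq_norm(best):
            best = diff
    return best

def svp_brute(basis, bound=8):
    """Reference answer: shortest non-zero vector by direct enumeration."""
    coeffs = product(range(-bound, bound + 1), repeat=len(basis))
    return min((combo(basis, c) for c in coeffs if any(c)), key=sq_norm)

# Constructed basis: b2 - 2*b1 = (1, 1) is a shortest vector, as in the figure.
BASIS = [(3, 1), (7, 3)]

if __name__ == "__main__":
    print("via CVP oracle:", svp_via_cvp(BASIS))
    print("direct search :", svp_brute(BASIS))
```

Because the target differs from every point of the doubled lattice by a non-zero vector of L, a g-approximate oracle in place of the exact one yields a g-approximate shortest vector.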

The Dual Lattice
$L^* = \{ y \mid \forall x \in L: y \cdot x \in \mathbb{Z} \}$
Given a basis $\{v_1,\dots,v_n\}$ for $L$ one can construct, in poly-time, a basis $\{u_1,\dots,u_n\}$:
$u_i \cdot v_j = 0$ ( $i \ne j$ ), $u_i \cdot v_i = 1$
In other words $U = (V^t)^{-1}$, where $U = (u_1,\dots,u_n)$, $V = (v_1,\dots,v_n)$

Shortest Vector - Hidden Hyperplane
s – shortest vector; H – hidden hyperplane
$H_0 = \{y \mid y \cdot s = 0\}$, $H_1 = \{y \mid y \cdot s = 1\}$, $H_k = \{y \mid y \cdot s = k\}$
distance = $1/\|s\|$

Public Key Cryptosystem
s – shortest vector; H – hidden hyperplane
Encoding 0: (1) Choose a random lattice point (2) Perturb it
Encoding 1: Choose a random point

Public Key Cryptosystem
Decoding (using s): [Figure panels: Decoding 0, Decoding 1]

Ajtai: SVP Instances Hard on Average
Approximating SVP (factor = $n^c$) on random instances from a specific constructible distribution
Approximating Shortest Basis (factor = $n^{10+c}$)
Approximating SVP (factor = $n^{10+c}$)
Finding Unique-SVP

Average-Case Distribution
Pick an n*m matrix A, with coefficients uniformly ranging over [0,…,q-1]. (q = poly(n), n = O(m log q))
A = v1 v2 … vm
Def: $\Lambda(A) = \{x \in \mathbb{Z}^n \mid xA \equiv 0 \bmod q\}$

A mod-q lattice: [Figure labels: (v1 v2 v3 v4), (2,0,0,1), (1,1,1,0), q(a,b,c,d)]
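Membership in the mod-q lattice defined above, as an added example (not from the slides) that goes one step beyond the definition: when 2^n > q^m, two 0/1 vectors must collide under x -> xA mod q, and their difference is a non-zero lattice vector with entries in {-1,0,1}. The parameters n=8, m=2, q=5 and the seed are constructed toy values.

```python
import random
from itertools import product

def times_mod(x, A, q):
    """Row vector x (length n) times the n-by-m matrix A, reduced mod q."""
    m = len(A[0])
    return tuple(sum(xi * row[k] for xi, row in zip(x, A)) % q for k in range(m))

def sample_instance(n, m, q, seed):
    """n-by-m matrix with entries uniform over [0, q-1], as in the slide."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

def in_lattice(x, A, q):
    """x is in the lattice exactly when xA = 0 mod q."""
    return not any(times_mod(x, A, q))

def short_vector_by_collision(A, q):
    """Pigeonhole search: hash every 0/1 vector by xA mod q and return the
    difference of the first colliding pair. Guaranteed to succeed when
    2^n > q^m, but the search itself takes up to q^m + 1 steps."""
    seen = {}
    for x in product((0, 1), repeat=len(A)):
        key = times_mod(x, A, q)
        if key in seen:
            return tuple(a - b for a, b in zip(x, seen[key]))
        seen[key] = x
    return None

if __name__ == "__main__":
    n, m, q = 8, 2, 5                      # constructed toy parameters
    A = sample_instance(n, m, q, seed=1)
    x = short_vector_by_collision(A, q)
    print("short vector:", x, "in lattice:", in_lattice(x, A, q))
    # q times a unit vector is always in the lattice, but it is long.
    print("q*e1 in lattice:", in_lattice((q,) + (0,) * (n - 1), A, q))
```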

Hardness of approx. CVP [DKRS]
g-CVP is NP-hard for $g = n^{1/\log\log n}$ (n - lattice dimension)
Improving:
Hardness (NP-hardness instead of quasi-NP-hardness)
Non-approximation factor (from $2^{(\log n)^{1-\epsilon}}$)

[ABSS] reduction: uses PCP to show
NP-hard for g=O(1)
Quasi-NP-hard $g = 2^{(\log n)^{1-\epsilon}}$ by repeated blow-up.
Barrier - $2^{(\log n)^{1-\epsilon}}$, const $\epsilon > 0$
SSAT: a new non-PCP characterization of NP.
NP-hard to approximate to within $g = n^{1/\log\log n}$.

SAT
Input: =$f_1,\dots,f_n$ Boolean functions – ‘tests’; $x_1,\dots,x_{n'}$ variables with range {0,1}
Problem: Is  satisfiable?
Thm (Cook-Levin): SAT is NP-complete (even when depend()=3)

SAT as a consistency problem
Input: =$f_1,\dots,f_n$ Boolean functions - ‘tests’; $x_1,\dots,x_{n'}$ variables with range R; for each test: a list of satisfying assignments
Problem: Is there an assignment to the tests that is consistent?
f(x,y,z) g(w,x,z) h(y,w,x) (0,2,7) (2,3,7) (3,1,1) (1,0,7) (1,3,1) (3,2,2) (0,1,0) (2,1,0) (2,1,5)

Super-Assignments
A natural assignment for f(x,y,z): A(f) = (3,1,1)
f(x,y,z)’s super-assignment: SA(f) = -2(3,1,1) + 2(3,2,5) + 3(5,1,2)
||SA(f)|| = |-2|+|2|+|3| = 7
Norm SA - Average_f ||A(f)||
[Figure: coefficients of the assignments (1,1,2), (3,1,1), (3,2,5), (3,3,1), (5,1,2) for the natural assignment and for the super-assignment]

Consistency
In the SAT case: A(f) = (3,2,5), $A(f)|_x$ := (3)
$\forall x$ $\forall f,g$ that depend on x: $A(f)|_x = A(g)|_x$

Consistency
SA(f) = +3(1,1,2) - 2(3,2,5) + 2(3,3,1)
$SA(f)|_x$ := +3(1) + 0(3), since -2+2=0
Consistency: $\forall x$ $\forall f,g$ that depend on x: $SA(f)|_x = SA(g)|_x$
[Figure: coefficients of (1,1,2), (3,2,5), (3,3,1) and of their projections (1), (2), (3)]

g-SSAT - Definition
Input: =$f_1,\dots,f_n$ tests over variables $x_1,\dots,x_{n'}$ with range R; for each test $f_i$ - a list of sat. assign.
Problem: Distinguish between
[Yes] There is a natural assignment for 
[No] Any non-trivial consistent super-assignment is of norm > g
Theorem: SSAT is NP-hard for $g = n^{1/\log\log n}$. (conjecture: g=n ,  = some constant)

SSAT is NP-hard to approximate to within $g = n^{1/\log\log n}$
Can’t extend everything at once: recursion-composition paradigm

Reducing SSAT to CVP
Yes --> Yes: dist(L,target) = n
No --> No: dist(L,target) > gn
Choose w = gn + 1
[Figure labels: I; f,(1,2); f’,(3,2); w; * 1 2 3; f,f’,x; f(w,x); f’(z,x)]

A consistency gadget
[Figure labels: w; * 1 2 3]

A consistency gadget
[Figure labels: w; * 1 2 3; a1 a2 a3; b1 b2 b3]
a1 + a2 + a3 = 1
b1 + a2 + a3 = 1
b2 + a1 + a3 = 1
b3 + a1 + a2 = 1

GG
Approximating SVP and CVP to within n is in NP $\cap$ coAM
Hence if these problems are shown NP-hard the polynomial-time hierarchy collapses

The World According to Lattices
[Figure: CVP and SVP along an approximation-factor axis; labels: Ajtai-Micciancio, GG, DKRS, LLL; regions: NP-hardness, NP $\cap$ co-AM, Poly-time approximation]

OPEN PROBLEMS
Is g-SVP NP-hard to within n ?
A class of its own?
Can LLL be improved?
[Figure: CVP and SVP along an approximation-factor axis; regions: NP-hardness, NP $\cap$ co-AM, Poly-time approximation]

Open Problems
Is SVP NP-hard to approximate to within n factor
Can the LLL algorithm be improved?
Maybe for factors between and these problems are on a class of their own