Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

Published byDoreen Murphy Modified over 9 years ago

Similar presentations

Presentation on theme: "1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)"— Presentation transcript:

1 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

2 Lattice v1v1 v2v2 0 2v 1 v 1 +v 2 2v 2 2v 2 -v 1 2v 2 -2v 1 For vectors v 1,…,v n in R n we define the lattice generated by them asFor vectors v 1,…,v n in R n we define the lattice generated by them as L={a 1 v 1 +…+a n v n | a i integers} L={a 1 v 1 +…+a n v n | a i integers} We call v 1,…,v n a basis of LWe call v 1,…,v n a basis of L

3 3 Lattice problems are among the richest problems in complexity theory, exhibiting a wide range of behaviors:Lattice problems are among the richest problems in complexity theory, exhibiting a wide range of behaviors: –Some problems are in P (as shown by LLL) –Some problems are NP-hard –Some problems are not known to be in P, but believed not to be NP-hard As a rule of thumb, ‘algebraic’ problems are easy; ‘geometric’ problems are hardAs a rule of thumb, ‘algebraic’ problems are easy; ‘geometric’ problems are hard Lattices from a Computational Complexity Point of View

4 4 GapSVP  : Given a lattice, decide if the length of the shortest vector is:GapSVP  : Given a lattice, decide if the length of the shortest vector is: –YES: less than 1 –NO: more than  Shortest Vector Problem (SVP) 0 v2v2 v1v1

5 5 GapCVP  : Given a lattice and a point v, decide if the distance of v from the lattice is:GapCVP  : Given a lattice and a point v, decide if the distance of v from the lattice is: –YES: less than 1 –NO: more than  GapSVP  is not harder than GapCVP  [ GoldreichMicciancioSafraSeifert99 ]GapSVP  is not harder than GapCVP  [ GoldreichMicciancioSafraSeifert99 ] Both problems are clearly in NP (for any  )Both problems are clearly in NP (for any  ) Closest Vector Problem (CVP) 0 v2v2 v1v1v

6 Polytime algorithms for gap 2 n loglogn/logn [ LLL82, Schnorr87,AjtaiKumarSivakumar02 ]Polytime algorithms for gap 2 n loglogn/logn [ LLL82, Schnorr87,AjtaiKumarSivakumar02 ] Hardness is known for:Hardness is known for: –GapCVP: n c/loglogn [ vanEmdeBoas81 …, DinurKindlerRazSafra03] –GapSVP: 1 in l 1 [ vanEmdeBoas81 ] 1 [ Ajtai96 ]  2 [ Micciancio98] 2^(log ½- ε n) [ Khot04]  2 [ Micciancio98] 2^(log ½- ε n) [ Khot04] n c/loglogn [ HavivR07] n c/loglogn [ HavivR07] Known Results 2 n loglogn/logn P 1 NP-hard n c/loglogn ? n Cryptography [Ajtai96,AjtaiDwork97…]

7 Known Results Limits on Inapproximability GapCVP n 2 NP ∩ coNP [ LagariasLenstraSchnorr90, Banaszczyk93 ]GapCVP n 2 NP ∩ coNP [ LagariasLenstraSchnorr90, Banaszczyk93 ] GapCVP  n/logn 2 NP ∩ coAM [ GoldreichGoldwasser98 ]GapCVP  n/logn 2 NP ∩ coAM [ GoldreichGoldwasser98 ] GapCVP  n 2 NP ∩ coNP [ AharonovRegev04 ]GapCVP  n 2 NP ∩ coNP [ AharonovRegev04 ] 1 2 n loglogn/logn NP-hard P n nn NP ∩ coNP NP ∩ coAM NP ∩ coNP n c/loglogn

8 8 What’s ahead? 1.GapCVP  n/logn 2 NP ∩ coAM [ GoldreichGoldwasser98 ] 2.GapCVP  n 2 NP ∩ coNP [ AharonovRegev04 ]

9 9 What’s ahead? 1.GapCVP  n/logn 2 coAM [ GoldreichGoldwasser98 ] 2.GapCVP  n 2 coNP [ AharonovRegev04 ]

10 10 Chapter I GapCVP  n in coAM [GoldreichGoldwasser98]

11 11 Given: - Lattice L (specified by a basis) - Lattice L (specified by a basis) - Point v - Point v We want to: Be convinced that v is far from L by interacting with an (all powerful) prover (using a constant number of rounds) Our Goal

12 12 The Idea

13 13 Basic High-dimensional Geometry How big is the intersection of two balls of radius 1 in n dimensions whose centers are at distance  apart?How big is the intersection of two balls of radius 1 in n dimensions whose centers are at distance  apart? –When  2, balls disjoint –When  =0, balls exactly overlap –When  =0.1, intersection is exponentially small –When  =1/  n, intersection is constant fraction

14 14 The Protocol Flip a fair coinFlip a fair coin –If heads, choose a random point in L+B –If tails, choose a random point in L+B+v Send the resulting point to the proverSend the resulting point to the prover The prover is supposed to tell whether the coin was heads of tailsThe prover is supposed to tell whether the coin was heads of tails (Can be implemented efficiently)

15 15 Demonstration of Protocol

16 16 Demonstration of Protocol

17 17 Analysis If dist(v,L)>2 then prover can always answer correctlyIf dist(v,L)>2 then prover can always answer correctly If dist(v,L)<1/  n then with some constant probability, the prover has no way to tell what the coin outcome wasIf dist(v,L)<1/  n then with some constant probability, the prover has no way to tell what the coin outcome was –Hence we catch the prover cheating with some constant probability This completes the proofThis completes the proof

18 18 Chapter II GapCVP  n in coNP [AharonovR04]

19 19 Given: - Lattice L (specified by a basis) - Lattice L (specified by a basis) - Point v - Point v We want: A witness for the fact that v is far from L A witness for the fact that v is far from L Our Goal

20 20 Overview Step 1: Define f Step 1: Define f Its value depends on the distance from L: –Almost zero if distance >  n –More than zero if distance <  log n Step 2: Encode f Step 2: Encode f Show that the function f has a short description Show that the function f has a short description Step 3: Verifier Step 3: Verifier Construct the NP verifier Construct the NP verifier

21 21 Step 1: Define f

22 22 The function f Consider the Gaussian: Periodize over L: Normalize by g(0):

23 23 The function f (pictorially)

24 24 f distinguishes between far and close vectors (a) d(x,L)≥  n  f(x)≤2 - Ω (n) (b) d(x,L)≤  logn  f(x)>n -5 Proof: (a) [Banaszczyk93] (b) Not too difficult (b) Not too difficult

25 25 Step 2: Encode f

26 26 The function f (again) Let’s consider its Fourier transform !

27 27 f ̂ is a probability distribution Claim: f ̂ : L *  R + is a probability distribution on L * g is a convolution of a Gaussian and δ L Proof:

28 28 f as an expectation f as an expectation In fact, it is an expectation of a real variable between -1 and 1: Chernoff

29 29 Encoding f (Chernoff) This is true even pointwise! Pick W=(w 1,w 2,…,w N ) with N=poly(n) according to the f ̂ distribution on L*

30 30 The Approximating Function (with N=1000 dual vectors)

31 31 Interlude: CVPP Interlude: CVPP GapCVPP Solve GapCVP on a preprocessed lattice (allowed infinite computational power, but before seeing v) Solve GapCVP on a preprocessed lattice (allowed infinite computational power, but before seeing v) (ideas led to [MicciancioVoulgaris10]’s recent deterministic 2 n algorithm for lattice problems) Algorithm for GapCVPP: Prepare the function f W in advance; Prepare the function f W in advance; When given v, calculate f W (v). When given v, calculate f W (v).  Algorithm for GapCVPP  (n/logn) (best known!)

32 32 This concludes Step 2: Encode f The encoding is a list W of vectors in L* f W (x) ≈ f(x)

33 33 Step 3: NP Verifier

34 34 The Verifier (First Attempt) Given input L,v, and witness W, accept iff Given input L,v, and witness W, accept iff 1. f W (v) < n -10, and 1. f W (v) < n -10, and 2. f W (x) > n -5 for all x within distance  logn from L 2. f W (x) > n -5 for all x within distance  logn from L This verifier is correct This verifier is correct But: how to check (2) efficiently? But: how to check (2) efficiently? - First check that f W is periodic over L (true if W in L*) - First check that f W is periodic over L (true if W in L*) - Then check that >n -5 around origin - Then check that >n -5 around origin We don’t know how to do this for distance  logn We don’t know how to do this for distance  logn Instead, we do this for distance 0.01 Instead, we do this for distance 0.01 0.01

35 35 The Verifier (Second Attempt) Given input L,v, and witness W, accept iff Given input L,v, and witness W, accept iff 1. f W (v) < n -10, and 2. w 1,…,w N  L*, and 3. 2 implies that f W is periodic on L:

36 36 The Verifier (Second Attempt) f W (x) 0.01 -.01 Given input L,v, and witness W, accept iff Given input L,v, and witness W, accept iff 1. f W (v) < n -10, and 2. w 1,…,w N  L*, and 3. 3 implies that f W is at least 0.8 within distance 0.01 of the origin:

37 37 The Final Verifier Given input L,v, and witness W, accept iff Given input L,v, and witness W, accept iff 1. f W (v) < n -10, and 2. w 1,…,w N  L*, and 3. ||WW T ||<N where 3 checks that in any direction the w’s are not too long:

38 38 The Final Verifier Given input L,v, and witness W, accept iff Given input L,v, and witness W, accept iff 1. f W (v) < n -10, and 2. w 1,…,w N  L*, and 3. ||WW T ||<N where

39 39 Case 1: v close to L If d(v,L)<0.01 then any W fails one of the tests: 1. f W (v) < n -10 2. w 1,…,w N 2 L* 3. ||WW T ||<N Proof: 2 & 3  not 1 ||WW T || 0.8 for |x| 0.8 for |x|<0.01

40 40 Case 2: v far from L If d(v,L)>  n there exists a witness W s.t.: 1. f W (v) < n -10 1. f W (v) < n -10 2. w 1,…,w N  L* 2. w 1,…,w N  L* 3. ||WW T ||<N 3. ||WW T ||<N Proof: Pick W=w 1,…,w n from L* according to the f ̂ distrib. Proof: Pick W=w 1,…,w n from L* according to the f ̂ distrib. 1,2 1,2 3 follows from: 3 follows from: [Banaszczyk93]

41 41 Conclusion and Open Questions Lattice problems with approximation factors >  n are unlikely to be NP-hardLattice problems with approximation factors >  n are unlikely to be NP-hard –These are the problems used for crypto –Can we say anything about their hardness? Perhaps relate to hardness of other problems, say factoring?Perhaps relate to hardness of other problems, say factoring? Extremely important question for cryptoExtremely important question for crypto Can the containment in NP ∩ coNP be improved to  (n/logn) or even below?Can the containment in NP ∩ coNP be improved to  (n/logn) or even below?

42 42 Thanks!

Download ppt "1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)"

Similar presentations

Problems and Their Classes

Problems and Their Classes
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
1 Nondeterministic Space is Closed Under Complement Presented by Jing Zhang and Yingbo Wang Theory of Computation II Professor: Geoffrey Smith.

1 Nondeterministic Space is Closed Under Complement Presented by Jing Zhang and Yingbo Wang Theory of Computation II Professor: Geoffrey Smith.
Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.

Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.
The Unique Games Conjecture with Entangled Provers is False Julia Kempe Tel Aviv University Oded Regev Tel Aviv University Ben Toner CWI, Amsterdam.

The Unique Games Conjecture with Entangled Provers is False Julia Kempe Tel Aviv University Oded Regev Tel Aviv University Ben Toner CWI, Amsterdam.
The Theory of NP-Completeness

The Theory of NP-Completeness
Theory of Computing Lecture 16 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 16 MAS 714 Hartmut Klauck.
Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.

Dana Moshkovitz. Back to NP L  NP iff members have short, efficiently checkable, certificates of membership. Is  satisfiable?  x 1 = truex 11 = true.
Probability theory and average-case complexity. Review of probability theory.

Probability theory and average-case complexity. Review of probability theory.
Introduction to PCP and Hardness of Approximation Dana Moshkovitz Princeton University and The Institute for Advanced Study 1.

Introduction to PCP and Hardness of Approximation Dana Moshkovitz Princeton University and The Institute for Advanced Study 1.
Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.

Lattice-based Cryptography Oded Regev Tel-Aviv University Oded Regev Tel-Aviv University CRYPTO 2006, Santa Barbara, CA.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.

Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.

Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.
CS151 Complexity Theory Lecture 7 April 20, 2004.

CS151 Complexity Theory Lecture 7 April 20, 2004.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Complexity and Cryptography

Complexity and Cryptography
1 Optimization problems such as MAXSAT, MIN NODE COVER, MAX INDEPENDENT SET, MAX CLIQUE, MIN SET COVER, TSP, KNAPSACK, BINPACKING do not have a polynomial.

1 Optimization problems such as MAXSAT, MIN NODE COVER, MAX INDEPENDENT SET, MAX CLIQUE, MIN SET COVER, TSP, KNAPSACK, BINPACKING do not have a polynomial.

Similar presentations

Ads by Google