Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss.

Similar presentations


Presentation on theme: "Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss."— Presentation transcript:

1 Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss

2 Definitions ► A Lattice in : All integer combinations of given linearly independent vectors: ► The vectors are called the Lattice Basis. ► The integer n is called the Lattice Rank. ► We will only discuss integer lattices, where all.

3 Matrix Representation of a Lattice ► We can put the lattice basis in a matrix: ► This way the lattice points are exactly: ► The Lattice generated by B is denoted.

4 Examples ► This is the lattice generated by the set :

5 Examples – Cont. ► The very same lattice is generated by the set :

6 More definitions ► The minimum distance of a lattice is: ► Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length. ► Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.

7 Reduction from SVP to CVP In order to find where : 1. Define and solve the CVP problem, to get a vector. 2. Remember. 3. Repeat 1-2 for. 4. Find the shortest among.

8 Why is CVP so hard? Consider the following algorithm for CVP: 1. Given, solve the set of linear real equations to find a solution. 2. Round the result to get the answer: ► The rounding error = ► This bound is very dependent of B.

9 Why is CVP so hard – Cont. ► For instance, the two bases and generate the same lattice. ► However, the expression is 1.4 for the first base, and about 199 for the other.

10 Why is SVP well-defined? ► Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal? ► This isn ’ t necessarily true for general geometric shapes, e.g.

11 Why is SVP well-defined – Cont. ► One can find a lower bound on : ► Proposition: every lattice basis B obeys.  Integer lattices:.  Real lattices: one can prove that, where B* is the corresponding G.S Orthogonalization of B.

12 Why is SVP well-defined – Cont. ► The proposition implies that the distance between two lattice points has a lower bound. ► Therefore, the number of lattice points in the sphere is finite.

13 Yet more definitions ► - distinguish between (YES) and (NO). ► - distinguish between and. ► is easier than approximating SVP with a ratio of : if, then can be solved by checking whether or.

14 Definitions – Cont. ► We define a new problem,, as follows:  is a YES instance if for some.  is a NO instance if for all.

15 Types of reductions ► Deterministic reductions map NO instances to NO instances and YES instances to YES instances. ► Randomized reductions:  Map NO instances to NO instances with probability 1.  Map YES instances to YES instances with non- negligible probability.  Cannot be used to show proper NP-hardness.

16 History ► 1981 – CVP is NP-hard. ► 1997 – GAPCVP and GAPCVP ’ are NP-hard for any constant factor. ► 1998 – SVP is NP-hard for randomized reductions [Ajtai]. ► 2004 – SVP is NP-hard to approximate with ratio for randomized reductions [Khot]

17 Hardness of approximating SVP ► Idea: Solving CVP ’ (B,y) is similar to solving : both minimize, where w is an integer. ► Problem: what if w=0? ► Solution: we embed the lattice in a higher dimensional space.

18 The Geometric Lemma Lemma: for any, there exists a polynomial time algorithm that given outputs:  two positive integers  a lattice basis  a vector  a linear transformation Such that: With probability at least 1-1/poly(k), for all there exists s.t. and.

19 The Geometric Lemma – Cont. ► The lemma doesn ’ t depend on input! ► It asserts the existence of a lattice and a sphere, such that:  is bigger than times the sphere radius.  With high probability the sphere contains exponentially many lattice vectors. ► Proof: Later.

20 Theorem 1 ► For any constant,is hard for NP under randomized reductions. ► Proof: By reduction from GAPCVP ’.  First, chooseand.  Assume w.l.o.g that and are rational.

21 Proof of Theorem 1 – Cont. ► Let be an instance of ( ). ► We define an instanceof, s.t:  Ifis a NO instance thenis a NO instance.  Ifis a YES instance thenis a YES instance with high probability.

22 Proof of Theorem 1 – Cont. Run the algorithm from the Geometric Lemma (on input k) to obtain s.t: ►. ► With probability at least 1-1/poly(k), for all there exists s.t. and.

23 Proof of Theorem 1 – Cont. ► Definition of:  Choose integers a,b s.t and.  

24 ► Fact: for every vector : ► And therefore: Proof of Theorem 1 – Cont.

25 ► If is a NO instance: Let be a generic non-zero vector. We show that.  If then by definition of GAPCVP ’ :  If then and by the lemma:

26 Proof of Theorem 1 – End ► If is a YES instance: There exists. ► Provided the construction in the lemma succeeds:. ► We define and get.

27 Proof of The Geometric Lemma ► The real lattice:  Lemma 1: Let be relatively prime odd integers. Then, for any real, the real lattice defined by: obeys.

28 The real lattice – Cont. ► Lemma 2:  Set.  For any and, if then.  A connection between finding lattice vectors close to s and approximating  as a product of the.

29 The real lattice – Cont. ► If we take, we get: ► Also, there are many lattice points in, provided that the interval contains many products of the form. ► If are the first odd primes, these are the square-free - smooth numbers.

30 The real lattice – Cont. ► Lemma 3: For every positive numbers and any finite integer set, the following holds: If  is chosen uniformly at random from M, then: ► Applying this to the set of square-free smooth numbers gets the following proposition:

31 The real lattice – Cont. ► Proposition 4: For all reals, there exists an integer c such that for all sufficiently large integer h the following holds: Let, be the first m odd primes, and. If  is chosen uniformly at random from M, then:

32 The real lattice – Cont. ► Combining the previous lemmas and proposition we get the following theorem: Theorem 5: for all, there exists an integer c such that: Let,, and be the first m odd primes. Let  be the product of a random subset of of size h. Setas before, and. Then: For all sufficiently large h, with probability at least, the spherecontains at least lattice points of the form where z is a 0-1 vector with exactly h ones.

33 Working over the integers ► Using rounding of and, a similar result can be achieved for integers: Theorem 8: for any, there exists a polynomial time algorithm that given an integer h outputs:  two positive integers  a matrix  a vector Such that: For all sufficiently large h, with probability at least, the spherecontains at least lattice points of the form where z is a 0-1 vector with exactly h ones.

34 Reminder: The Geometric Lemma Lemma: for any, there exists a polynomial time algorithm that given outputs:  two positive integers  a lattice basis  a vector  a linear transformation Such that: With probability at least 1-1/poly(k), for all there exists s.t. and.

35 Projecting lattice points to binary strings ► Theorem 9: Letbe a set of vectors containing exactly h ones, s.t.. Choose by setting each entry to 1 independently at random with probability. Then, with probability at least, all binary vectorsare contained in. ► Using this theorem with appropriate constants completes the proof of the Geometric Lemma.

36 Concluding Remarks ► We proved that approximating SVP is not in RP unless NP=RP. ► The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers. ► With this assumption, we get that approximating SVP is not in P unless P=NP.

37 Concluding Remarks – Cont. ► The theorem can be generalized for any norm ( ), with constant. ► 2000 – is NP-hard to approximate with ratio [Dinur]

38 Questions???


Download ppt "Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss."

Similar presentations


Ads by Google