Presentation on theme: "Shortest Vector In A Lattice is NP-Hard to approximate"— Presentation transcript:
1Shortest Vector In A Lattice is NP-Hard to approximate Daniele MicciancioSpeaker: Asaf Weiss
2DefinitionsA Lattice in : All integer combinations of given linearly independent vectors:The vectors are called the Lattice Basis.The integer n is called the Lattice Rank.We will only discuss integer lattices, where all
3Matrix Representation of a Lattice We can put the lattice basis in a matrix:This way the lattice points are exactly:The Lattice generated by B is denoted .
4Examples This is the lattice generated by the set : להגיד: לאותו סריג יכולים להיות מס' בסיסים וכו'.
5Examples – Cont. The very same lattice is generated by the set : לציין שימושים?
6More definitions The minimum distance of a lattice is: Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length.Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.
7Reduction from SVP to CVP In order to find where :Define and solve the CVP problem , to get a vectorRememberRepeat 1-2 for .Find the shortest among .להכין
8Why is CVP so hard? Consider the following algorithm for CVP: Given , solve the set of linear real equations to find a solutionRound the result to get the answer:The rounding error =This bound is very dependent of B.להכין.
9Why is CVP so hard – Cont.For instance, the two bases and generate the same lattice.However, the expression is 1.4 for the first base, and about 199 for the other.להראות על הלוח שזה אכן אותו סריג + את החסמים.
10Why is SVP well-defined? Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal?This isn’t necessarily true for general geometric shapes, e.g.
11Why is SVP well-defined – Cont. One can find a lower bound on :Proposition: every lattice basis B obeysInteger lattices: .Real lattices: one can prove that , where B* is the corresponding G.S Orthogonalization of B.
12Why is SVP well-defined – Cont. The proposition implies that the distance between two lattice points has a lower bound.Therefore, the number of lattice points in the sphere is finite.
13Yet more definitions - distinguish between (YES) and (NO) . - distinguish between and .is easier than approximating SVP with a ratio of : if , then can be solved by checking whether orלדעת את הרדוקציה בשני הכיוונים.
14Definitions – Cont. We define a new problem, , as follows: is a YES instance if for someis a NO instance if for allלהדגיש את ההבדלים: z בוליאני וכו'.
15Types of reductionsDeterministic reductions map NO instances to NO instances and YES instances to YES instances.Randomized reductions:Map NO instances to NO instances with probability 1.Map YES instances to YES instances with non-negligible probability.Cannot be used to show proper NP-hardness.להגיד מה זה אומר אם יש רדוקציה אקראית לבעייה NP קשה.
16History 1981 – CVP is NP-hard. 1997 – GAPCVP and GAPCVP’ are NP-hard for any constant factor .1998 – SVP is NP-hard for randomized reductions [Ajtai].2004 – SVP is NP-hard to approximate with ratio for randomized reductions [Khot]. ואנחנו נראה ש...
17Hardness of approximating SVP Idea: Solving CVP’(B,y) is similar to solving : both minimize , where w is an integer.Problem: what if w=0?Solution: we embed the lattice in a higher dimensional space.לדבר רבות. לחשוב.
18The Geometric LemmaLemma: for any , there exists a polynomial time algorithm that given outputs:two positive integersa lattice basisa vectora linear transformationSuch that:With probability at least 1-1/poly(k), for all there exists s.t. andלהגיד שההוכחה אח"כ. בשקף הבא – הסבר במילים.
19The Geometric Lemma – Cont. The lemma doesn’t depend on input!It asserts the existence of a lattice and a sphere, such that:is bigger than times the sphere radius.With high probability the sphere contains exponentially many lattice vectors.Proof: Later.אינטואיציה.
20Theorem 1For any constant , is hard for NP under randomized reductions.Proof: By reduction from GAPCVP’.First, choose and .Assume w.l.o.g that and are rational.להכין את כל המשפט
21Proof of Theorem 1 – Cont. Let be an instance of ( ). We define an instance of , s.t:If is a NO instance then is a NO instance.If is a YES instance then is a YES instance with high probability.
22Proof of Theorem 1 – Cont.Run the algorithm from the Geometric Lemma (on input k) to obtains.t:.With probability at least 1-1/poly(k), for all there exists s.t and .להזכיר מה זה כל דבר שהלמה נותנת.
23Proof of Theorem 1 – Cont. Definition of : Choose integers a,b s.t and .
24Proof of Theorem 1 – Cont. Fact: for every vector : And therefore: לרשום על הלוח את הביטוי לנורמה ולהשאיר אותו שם.
25Proof of Theorem 1 – Cont.If is a NO instance: Let be a generic non-zero vector. We show that .If then by definition of GAPCVP’:If then and by the lemma:
26Proof of Theorem 1 – End If is a YES instance: There exists . Provided the construction in the lemma succeeds:We define and getפיתוח – על הלוח.
27Proof of The Geometric Lemma The real lattice:Lemma 1: Let be relatively prime odd integers. Then, for any real , the real lattice defined by:obeysלהכין.
28The real lattice – Cont. Lemma 2: Set . For any and , if then . A connection between finding lattice vectors close to s and approximating b as a product of theלהגדיר את g. לציין שהדרישה לבדיוק h אפסים...
29The real lattice – Cont. If we take , we get: Also, there are many lattice points in , provided that the interval contains many products of the formIf are the first odd primes, these are the square-free smooth numbers.להכין.
30The real lattice – Cont.Lemma 3: For every positive numbers and any finite integer set , the following holds: If b is chosen uniformly at random from M, then:Applying this to the set of square-free smooth numbers gets the following proposition:להכין.
31The real lattice – Cont.Proposition 4: For all reals , there exists an integer c such that for all sufficiently large integer h the following holds: Let , be the first m odd primes, and If b is chosen uniformly at random from M, then:להכין. לזכור את המספר של השקף.
32The real lattice – Cont.Combining the previous lemmas and proposition we get the following theorem:Theorem 5: for all , there exists an integer c such that:Let , , and be the first m odd primes. Let b be the product of a random subset of of size h.Set as before, and Then:For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones.להכין.
33Working over the integers Using rounding of and , a similar result can be achieved for integers:Theorem 8: for any , there exists a polynomial time algorithm that given an integer h outputs:two positive integersa matrixa vectorSuch that:For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones.
34Reminder: The Geometric Lemma Lemma: for any , there exists a polynomial time algorithm that given outputs:two positive integersa lattice basisa vectora linear transformationSuch that:With probability at least 1-1/poly(k), for all there exists s.t. andלהראות מה ההבדלים מהשקף הקודם.
35Projecting lattice points to binary strings Theorem 9:Let be a set of vectors containing exactly h ones, s.t. . Choose by setting each entry to 1 independently at random with probability Then, with probability at least , all binary vectors are contained inUsing this theorem with appropriate constants completes the proof of the Geometric Lemma.
36Concluding RemarksWe proved that approximating SVP is not in RP unless NP=RP.The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers.With this assumption, we get that approximating SVP is not in P unless P=NP.להראות את השקף הנ"ל (ולזכור את המספר של זה).
37Concluding Remarks – Cont. The theorem can be generalized for any norm ( ), with constant .2000 – is NP-hard to approximate with ratio [Dinur]