Presentation on theme: "Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss."— Presentation transcript:
Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss
Definitions ► A Lattice in : All integer combinations of given linearly independent vectors: ► The vectors are called the Lattice Basis. ► The integer n is called the Lattice Rank. ► We will only discuss integer lattices, where all.
Matrix Representation of a Lattice ► We can put the lattice basis in a matrix: ► This way the lattice points are exactly: ► The Lattice generated by B is denoted.
Examples ► This is the lattice generated by the set :
Examples – Cont. ► The very same lattice is generated by the set :
More definitions ► The minimum distance of a lattice is: ► Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length. ► Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.
Reduction from SVP to CVP In order to find where : 1. Define and solve the CVP problem, to get a vector. 2. Remember. 3. Repeat 1-2 for. 4. Find the shortest among.
Why is CVP so hard? Consider the following algorithm for CVP: 1. Given, solve the set of linear real equations to find a solution. 2. Round the result to get the answer: ► The rounding error = ► This bound is very dependent of B.
Why is CVP so hard – Cont. ► For instance, the two bases and generate the same lattice. ► However, the expression is 1.4 for the first base, and about 199 for the other.
Why is SVP well-defined? ► Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal? ► This isn ’ t necessarily true for general geometric shapes, e.g.
Why is SVP well-defined – Cont. ► One can find a lower bound on : ► Proposition: every lattice basis B obeys. Integer lattices:. Real lattices: one can prove that, where B* is the corresponding G.S Orthogonalization of B.
Why is SVP well-defined – Cont. ► The proposition implies that the distance between two lattice points has a lower bound. ► Therefore, the number of lattice points in the sphere is finite.
Yet more definitions ► - distinguish between (YES) and (NO). ► - distinguish between and. ► is easier than approximating SVP with a ratio of : if, then can be solved by checking whether or.
Definitions – Cont. ► We define a new problem,, as follows: is a YES instance if for some. is a NO instance if for all.
Types of reductions ► Deterministic reductions map NO instances to NO instances and YES instances to YES instances. ► Randomized reductions: Map NO instances to NO instances with probability 1. Map YES instances to YES instances with non- negligible probability. Cannot be used to show proper NP-hardness.
History ► 1981 – CVP is NP-hard. ► 1997 – GAPCVP and GAPCVP ’ are NP-hard for any constant factor. ► 1998 – SVP is NP-hard for randomized reductions [Ajtai]. ► 2004 – SVP is NP-hard to approximate with ratio for randomized reductions [Khot]
Hardness of approximating SVP ► Idea: Solving CVP ’ (B,y) is similar to solving : both minimize, where w is an integer. ► Problem: what if w=0? ► Solution: we embed the lattice in a higher dimensional space.
The Geometric Lemma Lemma: for any, there exists a polynomial time algorithm that given outputs: two positive integers a lattice basis a vector a linear transformation Such that: With probability at least 1-1/poly(k), for all there exists s.t. and.
The Geometric Lemma – Cont. ► The lemma doesn ’ t depend on input! ► It asserts the existence of a lattice and a sphere, such that: is bigger than times the sphere radius. With high probability the sphere contains exponentially many lattice vectors. ► Proof: Later.
Theorem 1 ► For any constant,is hard for NP under randomized reductions. ► Proof: By reduction from GAPCVP ’. First, chooseand. Assume w.l.o.g that and are rational.
Proof of Theorem 1 – Cont. ► Let be an instance of ( ). ► We define an instanceof, s.t: Ifis a NO instance thenis a NO instance. Ifis a YES instance thenis a YES instance with high probability.
Proof of Theorem 1 – Cont. Run the algorithm from the Geometric Lemma (on input k) to obtain s.t: ►. ► With probability at least 1-1/poly(k), for all there exists s.t. and.
► Fact: for every vector : ► And therefore: Proof of Theorem 1 – Cont.
► If is a NO instance: Let be a generic non-zero vector. We show that. If then by definition of GAPCVP ’ : If then and by the lemma:
Proof of Theorem 1 – End ► If is a YES instance: There exists. ► Provided the construction in the lemma succeeds:. ► We define and get.
Proof of The Geometric Lemma ► The real lattice: Lemma 1: Let be relatively prime odd integers. Then, for any real, the real lattice defined by: obeys.
The real lattice – Cont. ► Lemma 2: Set. For any and, if then. A connection between finding lattice vectors close to s and approximating as a product of the.
The real lattice – Cont. ► If we take, we get: ► Also, there are many lattice points in, provided that the interval contains many products of the form. ► If are the first odd primes, these are the square-free - smooth numbers.
The real lattice – Cont. ► Lemma 3: For every positive numbers and any finite integer set, the following holds: If is chosen uniformly at random from M, then: ► Applying this to the set of square-free smooth numbers gets the following proposition:
The real lattice – Cont. ► Proposition 4: For all reals, there exists an integer c such that for all sufficiently large integer h the following holds: Let, be the first m odd primes, and. If is chosen uniformly at random from M, then:
The real lattice – Cont. ► Combining the previous lemmas and proposition we get the following theorem: Theorem 5: for all, there exists an integer c such that: Let,, and be the first m odd primes. Let be the product of a random subset of of size h. Setas before, and. Then: For all sufficiently large h, with probability at least, the spherecontains at least lattice points of the form where z is a 0-1 vector with exactly h ones.
Working over the integers ► Using rounding of and, a similar result can be achieved for integers: Theorem 8: for any, there exists a polynomial time algorithm that given an integer h outputs: two positive integers a matrix a vector Such that: For all sufficiently large h, with probability at least, the spherecontains at least lattice points of the form where z is a 0-1 vector with exactly h ones.
Reminder: The Geometric Lemma Lemma: for any, there exists a polynomial time algorithm that given outputs: two positive integers a lattice basis a vector a linear transformation Such that: With probability at least 1-1/poly(k), for all there exists s.t. and.
Projecting lattice points to binary strings ► Theorem 9: Letbe a set of vectors containing exactly h ones, s.t.. Choose by setting each entry to 1 independently at random with probability. Then, with probability at least, all binary vectorsare contained in. ► Using this theorem with appropriate constants completes the proof of the Geometric Lemma.
Concluding Remarks ► We proved that approximating SVP is not in RP unless NP=RP. ► The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers. ► With this assumption, we get that approximating SVP is not in P unless P=NP.
Concluding Remarks – Cont. ► The theorem can be generalized for any norm ( ), with constant. ► 2000 – is NP-hard to approximate with ratio [Dinur]