Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.

Published byWyatt Daley Modified over 9 years ago

Similar presentations

Presentation on theme: "Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala."— Presentation transcript:

1 Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala

2 Outline 1)Introduction: Classic Lattice Problems. 2)Results: Algorithms for SVP / CVP / IP. 3)Analysis of SVP algorithm. 4)How to build M-ellipsoid. 5)Conclusions / Open Problems.

3 Lattices L b1b1 b2b2

4 Shortest Vector Problem (SVP): Given: lattice L, norm ||.|| in R n. Goal: Find y in L \ {0} minimizing ||y||. -y y 0 B

5 Given: lattice L, target x, norm ||.|| in R n. Goal: Find y in L minimizing ||y-x||. Closest Vector Problem (CVP): y x B

6 Integer Programming: K y

7 Applications / Motivation Algebra:  Factoring polynomials, solving integer linear systems, diophantine approximation, etc. Optimization:  IP models many discrete optimization problems. Cryptography:  Many cryptographic primitives based on variants of SVP & CVP (LWE, SIS, etc.). Geometry of Numbers:  Rich interaction between lattices and convexity.

8 Hardness IP: NP-Hard. SVP: hard to approximate for all l p norms within any constant factor [ Ajt98, CN98, Mic98, Kho03,…]. CVP: hard to approximated for all l p norms within factor n c/loglogn [ ABSS93, DKRS98]. Don’t expect to solve (or even closely approximate) any of these in polynomial time.

9 SVP / CVP Algorithms Basis Reduction: 1980’s starts with LLL ‘83 Use Local Search on Bases + Exhaustive Search (iteratively) to to solve (approx-) SVP / CVP under l 2. Randomized Sieve: 2000’s starts with AKS 01 Sample Exponentially many Lattice Points, Combine them to make shorter & shorter (closer & closer) lattice vectors. Voronoi cell based: 2010 - Micciancio Voulgaris (MV) Build Voronoi cell of Lattice and use it to perform very efficient Lattice Point Search under l 2.

10 Algorithms: SVP NormsApproxTimeSpaceRandomTypeAuthors l2l2 2 O(n/logn) poly(n) 0det.LLL 83, Sch 87 l2l2 1O(n) n/2e poly(n)0det.Kan 87, Hel 86, Blo 00, HS 08 all12 O(n) Monte Carlo AKS 01, BN 07, AJ 09, D11 l2l2 12 O(n) 0det.MV 10 all12 O(n) poly(n)Las Vegas this paper Basis Reduction Algorithms

11 Algorithms: SVP NormsApproxTimeSpaceRandomTypeAuthors l2l2 2 O(n/logn) poly(n) 0det.LLL 83, Sch 87 l2l2 1O(n) n/2e poly(n)0det.Kan 87, Hel 86, Blo 00, HS 08 all12 O(n) Monte Carlo AKS 01, BN 07, AJ 09, D11 l2l2 12 O(n) 0det.MV 10 all12 O(n) poly(n)Las Vegas this paper Randomized Sieving Algorithms

12 Algorithms: SVP NormsApproxTimeSpaceRandomTypeAuthors l2l2 2 O(n/logn) poly(n) 0det.LLL 83, Sch 87 l2l2 1O(n) n/2e poly(n)0det.Kan 87, Hel 86, Blo 00, HS 08 all12 O(n) Monte Carlo AKS 01, BN 07, AJ 09, D11 l2l2 12 O(n) 0det.MV 10 all12 O(n) poly(n)Las Vegas this paper Voronoi cell based

13 Algorithms: SVP NormsApproxTimeSpaceRandomTypeAuthors l2l2 2 O(n/logn) poly(n) 0det.LLL 83, Sch 87 l2l2 1O(n) n/2e poly(n)0det.Kan 87, Hel 86, Blo 00, HS 08 all12 O(n) Monte Carlo AKS 01, BN 07, AJ 09, D11 l2l2 12 O(n) 0det.MV 10 all12 O(n) poly(n)Las Vegas this paper Remarks: Output is guaranteed (Las Vegas). Randomness only used to preprocess norm. Deterministic for l p norms.

14 Algorithms: CVP NormsApproxTimeSpaceRandomTypeAuthors l2l2 2 O(n/logn) poly(n) 0det.LLL 83, Bab 86 Sch 87 l2l2 1O(n) n/2 poly(n)0det.Kan 87, Hel 86, Blo 00, HS 08 all1+  (1/  ) O( n) Monte Carlo AKS 01-02, BN 07, AJ 09, D11 “1* d O(n) d O(n) ““ l2l2 12 O(n) 0det.MV 10 all1* d O(n) 2 O(n) poly(n)Las Vegas this paper * assume distance to target ≤ d x (length of SVP)

15 Flatness Theorem and IP K L y t x=0 y t x=1y t x=2 y

16 Flatness Theorem and IP

17 Algorithms: IP Feasible Region TimeSpaceTypeAuthors LP2 O(n 3 ) poly(n)det.Lenstra 83 LPO(n) 2.5n poly(n)det.Kannan 87 Quasiconvex Polynomials O(n) 2n 2 O(n) det.Hildebrand Köppe 10 Separation Oracle Õ(n) 4/3n 2 O(n) Las Vegas this paper

18 Algorithms: IP Feasible Region TimeSpaceTypeAuthors LP2 O(n 3 ) poly(n)det.Lenstra 83 LPO(n) 2.5n poly(n)det.Kannan 87 Quasiconvex Polynomials O(n) 2n 2 O(n) det.Hildebrand Köppe 10 Separation Oracle Õ(n) 4/3n 2 O(n) Las Vegas this paper Lenstra: Any n dimensional IP can be reduced to bounded number of n-1 dimensional IPs by computing a “flatness” direction of the feasible region.

19 Algorithms: IP Feasible Region TimeSpaceTypeAuthors LP2 O(n 3 ) poly(n)det.Lenstra 83 LPO(n) 2.5n poly(n)det.Kannan 83 Quasiconvex Polynomials O(n) 2n 2 O(n) det.Hildebrand Köppe 10 Separation Oracle Õ(n) 4/3n 2 O(n) Las Vegas this paper Lenstra: Computing a “flatness” direction corresponds to solving a general norm SVP on the dual lattice with respect to width norm of feasible region.

20 Algorithms: IP Feasible Region TimeSpaceTypeAuthors LP2 O(n 3 ) poly(n)det.Lenstra 83 LPO(n) 2.5n poly(n)det.Kannan 83 Quasiconvex Polynomials O(n) 2n 2 O(n) det.Hildebrand Köppe 10 Separation Oracle Õ(n) 4/3n 2 O(n) Las Vegas this paper Improvement: Make reduction more efficient by directly solving general norm SVP problem. Avoids loss due the ellipsoidal approximation of the feasible region used in previous works.

21 Core Algorithm

22 -y y 0 SVP Algorithm Goal: Find y in L\{0} minimizing ||y|| B

23 0 SVP Algorithm B

24 4B 2B SVP Algorithm -y y B 0

25 SVP Algorithm x y 2 i-2 B

26 SVP Algorithm

27 Enumeration Algorithm: This is a slight tweak of the Micciancio- Voulgaris algorithm for CVP.

28 MV: Voronoi Cell -e 1 e1e1 -e 2 e2e2 0 V VR(Z 2,B 2 ) = {  e 1,  e 2 }

29 MV: Enumeration in an Ellipsoid E+t L t

30 MV: Enumeration in an Ellipsoid Alg: Solve CVP for L, t under norm of E. E+t L x t

31 MV: Enumeration in an Ellipsoid E+t L x t

32 MV: Enumeration in an Ellipsoid E+t t L x

33 Enumeration Algorithm:

34 Enumeration Algorithm L K

35 Alg: Compute Covering of K by E E+t i t1t1 t2t2 t6t6 t5t5 t4t4 t3t3 K L

36 Enumeration Algorithm E+t i t1t1 t2t2 t6t6 t5t5 t4t4 t3t3 K L

37 Enumeration Algorithm K L

38 Alg: Keep only the points in K. K L

39 Enumeration Algorithm

40 The M-Ellipsoid Need to bound N(K,E) x N(E,K). What ellipsoid do we use for E? An M-Ellipsoid of K is an ellipsoid E satisfying 1.N(K,E) = 2 O(n). 2.N(E,K) = 2 O(n). Existence first proven by Milman ‘86. How do we build it? Want Las Vegas algorithm.

41 Klartag’s Procedure [K06]

42

43 M-ellipsoid M-Ellipsoid Generator: Can generate an M-ellipsoid E for a convex body K in probabilistic polynomial time with high probability. Given candidate M-ellipsoid E of K, we need to verify that it satisfies the desired covering properties. M-Ellipsoid Verifier: There is a deterministic 2 O(n) -time algorithm which verifies that E is an M-ellipsoid of K and outputs a covering of K by E.

44 Idea: Replace E by C, the inscribed cuboid. E C Building an M-Ellipsoid covering

45 Alg: Tile K by C using a DFS of tiling graph. If the tiling grows too large abort. K t1t1 t2t2 t6t6 t5t5 t4t4 t3t3 C+t i Building an M-Ellipsoid covering

46 Alg: Replace C by E. K E+t i t1t1 t2t2 t6t6 t5t5 t4t4 t3t3 Building an M-Ellipsoid covering

47 Alg: Output the t i ’s K E+t i t1t1 t2t2 t6t6 t5t5 t4t4 t3t3 Building an M-Ellipsoid covering

48 How do we verify N(E,K) = 2 O(n) ? Don’t know how to do this directly. Idea: use duality of entropy N(E,K) ~= N((K-K)*,E*) Apply previous algorithm to get an existential proof. Building an M-Ellipsoid covering

49 Conclusions 1)Give new lattice point enumeration procedure (should be useful elsewhere). 2)Apply it to give first Las Vegas 2 O(n) -time algorithm for SVP under general norms. 3)Improve complexity of IP. 4)Introduce use of the M-ellipsoid into design of lattice algorithms.

50 Open Problems 1)Time vs Space Tradeoff: What can we do with 2 O(n  ) –space, for 0 <  < 1? (even for l 2 ) 2)Las Vegas algorithm for (1+eps)-CVP? 3)Compute N(E,K) directly (avoid duality of entropy)? 4)Solve IP in O(n) (1-  )n -time, for any fixed  > 0. (more powerful Flatness Theorem?)

51 THANK YOU!

Download ppt "Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala."

Similar presentations

1/15 Agnostically learning halfspaces FOCS 2005. 2/15 Set X, F class of functions f: X! {0,1}. Efficient Agnostic Learner w.h.p. h: X! {0,1} poly(1/ )

1/15 Agnostically learning halfspaces FOCS /15 Set X, F class of functions f: X! {0,1}. Efficient Agnostic Learner w.h.p. h: X! {0,1} poly(1/ )
Numerical Linear Algebra in the Streaming Model Ken Clarkson - IBM David Woodruff - IBM.

Numerical Linear Algebra in the Streaming Model Ken Clarkson - IBM David Woodruff - IBM.
Iterative Rounding and Iterative Relaxation

Iterative Rounding and Iterative Relaxation
PRG for Low Degree Polynomials from AG-Codes Gil Cohen Joint work with Amnon Ta-Shma.

PRG for Low Degree Polynomials from AG-Codes Gil Cohen Joint work with Amnon Ta-Shma.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Statistical Machine Learning- The Basic Approach and Current Research Challenges Shai Ben-David CS497 February, 2007.

Statistical Machine Learning- The Basic Approach and Current Research Challenges Shai Ben-David CS497 February, 2007.
Primal Dual Combinatorial Algorithms Qihui Zhu May 11, 2009.

Primal Dual Combinatorial Algorithms Qihui Zhu May 11, 2009.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Optical Architecture for (Restricted) Exponential Time Hard Problems Nova Fandina Ben-Gurion University of the Negev, Israel Joint work with: Prof. Shlomi.

Optical Architecture for (Restricted) Exponential Time Hard Problems Nova Fandina Ben-Gurion University of the Negev, Israel Joint work with: Prof. Shlomi.
Approximations of points and polygonal chains

Approximations of points and polygonal chains
COMP 553: Algorithmic Game Theory Fall 2014 Yang Cai Lecture 21.

COMP 553: Algorithmic Game Theory Fall 2014 Yang Cai Lecture 21.
1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)
CS774. Markov Random Field : Theory and Application Lecture 04 Kyomin Jung KAIST Sep 15 2009.

CS774. Markov Random Field : Theory and Application Lecture 04 Kyomin Jung KAIST Sep
Infinite Horizon Problems

Infinite Horizon Problems
A Randomized Polynomial-Time Simplex Algorithm for Linear Programming Daniel A. Spielman, Yale Joint work with Jonathan Kelner, M.I.T.

A Randomized Polynomial-Time Simplex Algorithm for Linear Programming Daniel A. Spielman, Yale Joint work with Jonathan Kelner, M.I.T.
Discrete geometry Lecture 2 1 © Alexander & Michael Bronstein

Discrete geometry Lecture 2 1 © Alexander & Michael Bronstein
Overlapping Coalition Formation: Charting the Tractability Frontier Y. Zick, G. Chalkiadakis and E. Elkind (submitted to AAMAS 2012)

Overlapping Coalition Formation: Charting the Tractability Frontier Y. Zick, G. Chalkiadakis and E. Elkind (submitted to AAMAS 2012)
Linear Programming and Approximation

Linear Programming and Approximation

Similar presentations

Ads by Google