Shortest Vector In A Lattice is NP-Hard to approximate Daniele Micciancio Speaker: Asaf Weiss

Definitions A Lattice in : All integer combinations of given linearly independent vectors: The vectors are called the Lattice Basis. The integer n is called the Lattice Rank. We will only discuss integer lattices, where all .

Matrix Representation of a Lattice We can put the lattice basis in a matrix: This way the lattice points are exactly: The Lattice generated by B is denoted .

Examples This is the lattice generated by the set : להגיד: לאותו סריג יכולים להיות מס' בסיסים וכו'.

Examples – Cont. The very same lattice is generated by the set : לציין שימושים?

More definitions The minimum distance of a lattice is: Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with minimal length. Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given target.

Reduction from SVP to CVP In order to find where : Define and solve the CVP problem , to get a vector . Remember . Repeat 1-2 for . Find the shortest among . להכין

Why is CVP so hard? Consider the following algorithm for CVP: Given , solve the set of linear real equations to find a solution . Round the result to get the answer: The rounding error = This bound is very dependent of B. להכין.

Why is CVP so hard – Cont. For instance, the two bases and generate the same lattice. However, the expression is 1.4 for the first base, and about 199 for the other. להראות על הלוח שזה אכן אותו סריג + את החסמים.

Why is SVP well-defined? Is the SVP problem well-defined? I.e., is there always a lattice vector whose norm is minimal? This isn’t necessarily true for general geometric shapes, e.g.

Why is SVP well-defined – Cont. One can find a lower bound on : Proposition: every lattice basis B obeys . Integer lattices: . Real lattices: one can prove that , where B* is the corresponding G.S Orthogonalization of B.

Why is SVP well-defined – Cont. The proposition implies that the distance between two lattice points has a lower bound. Therefore, the number of lattice points in the sphere is finite.

Yet more definitions - distinguish between (YES) and (NO) . - distinguish between and . is easier than approximating SVP with a ratio of : if , then can be solved by checking whether or . לדעת את הרדוקציה בשני הכיוונים.

Definitions – Cont. We define a new problem, , as follows: is a YES instance if for some . is a NO instance if for all . להדגיש את ההבדלים: z בוליאני וכו'.

Types of reductions Deterministic reductions map NO instances to NO instances and YES instances to YES instances. Randomized reductions: Map NO instances to NO instances with probability 1. Map YES instances to YES instances with non-negligible probability. Cannot be used to show proper NP-hardness. להגיד מה זה אומר אם יש רדוקציה אקראית לבעייה NP קשה.

History 1981 – CVP is NP-hard. 1997 – GAPCVP and GAPCVP’ are NP-hard for any constant factor . 1998 – SVP is NP-hard for randomized reductions [Ajtai]. 2004 – SVP is NP-hard to approximate with ratio for randomized reductions [Khot] . ואנחנו נראה ש...

Hardness of approximating SVP Idea: Solving CVP’(B,y) is similar to solving : both minimize , where w is an integer. Problem: what if w=0? Solution: we embed the lattice in a higher dimensional space. לדבר רבות. לחשוב.

The Geometric Lemma Lemma: for any , there exists a polynomial time algorithm that given outputs: two positive integers a lattice basis a vector a linear transformation Such that: With probability at least 1-1/poly(k), for all there exists s.t. and . להגיד שההוכחה אח"כ. בשקף הבא – הסבר במילים.

The Geometric Lemma – Cont. The lemma doesn’t depend on input! It asserts the existence of a lattice and a sphere, such that: is bigger than times the sphere radius. With high probability the sphere contains exponentially many lattice vectors. Proof: Later. אינטואיציה.

Theorem 1 For any constant , is hard for NP under randomized reductions. Proof: By reduction from GAPCVP’. First, choose and . Assume w.l.o.g that and are rational. להכין את כל המשפט

Proof of Theorem 1 – Cont. Let be an instance of ( ). We define an instance of , s.t: If is a NO instance then is a NO instance. If is a YES instance then is a YES instance with high probability.

Proof of Theorem 1 – Cont. Run the algorithm from the Geometric Lemma (on input k) to obtain s.t: . With probability at least 1-1/poly(k), for all there exists s.t. and . להזכיר מה זה כל דבר שהלמה נותנת.

Proof of Theorem 1 – Cont. Definition of : Choose integers a,b s.t and .

Proof of Theorem 1 – Cont. Fact: for every vector : And therefore: לרשום על הלוח את הביטוי לנורמה ולהשאיר אותו שם.

Proof of Theorem 1 – Cont. If is a NO instance: Let be a generic non-zero vector. We show that . If then by definition of GAPCVP’: If then and by the lemma:

Proof of Theorem 1 – End If is a YES instance: There exists . Provided the construction in the lemma succeeds: . We define and get . פיתוח – על הלוח.

Proof of The Geometric Lemma The real lattice: Lemma 1: Let be relatively prime odd integers. Then, for any real , the real lattice defined by: obeys . להכין.

The real lattice – Cont. Lemma 2: Set . For any and , if then . A connection between finding lattice vectors close to s and approximating b as a product of the . להגדיר את g. לציין שהדרישה לבדיוק h אפסים...

The real lattice – Cont. If we take , we get: Also, there are many lattice points in , provided that the interval contains many products of the form . If are the first odd primes, these are the square-free - smooth numbers. להכין.

The real lattice – Cont. Lemma 3: For every positive numbers and any finite integer set , the following holds: If b is chosen uniformly at random from M, then: Applying this to the set of square-free smooth numbers gets the following proposition: להכין.

The real lattice – Cont. Proposition 4: For all reals , there exists an integer c such that for all sufficiently large integer h the following holds: Let , be the first m odd primes, and . If b is chosen uniformly at random from M, then: להכין. לזכור את המספר של השקף.

The real lattice – Cont. Combining the previous lemmas and proposition we get the following theorem: Theorem 5: for all , there exists an integer c such that: Let , , and be the first m odd primes. Let b be the product of a random subset of of size h. Set as before, and . Then: For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones. להכין.

Working over the integers Using rounding of and , a similar result can be achieved for integers: Theorem 8: for any , there exists a polynomial time algorithm that given an integer h outputs: two positive integers a matrix a vector Such that: For all sufficiently large h, with probability at least , the sphere contains at least lattice points of the form where z is a 0-1 vector with exactly h ones.

Reminder: The Geometric Lemma Lemma: for any , there exists a polynomial time algorithm that given outputs: two positive integers a lattice basis a vector a linear transformation Such that: With probability at least 1-1/poly(k), for all there exists s.t. and . להראות מה ההבדלים מהשקף הקודם.

Projecting lattice points to binary strings Theorem 9: Let be a set of vectors containing exactly h ones, s.t. . Choose by setting each entry to 1 independently at random with probability . Then, with probability at least , all binary vectors are contained in . Using this theorem with appropriate constants completes the proof of the Geometric Lemma.

Concluding Remarks We proved that approximating SVP is not in RP unless NP=RP. The only place we used randomness is in the Geometric Lemma. It can be avoided if we assume a reasonable number theoretic conjecture about square-free smooth numbers. With this assumption, we get that approximating SVP is not in P unless P=NP. להראות את השקף הנ"ל (ולזכור את המספר של זה).

Concluding Remarks – Cont. The theorem can be generalized for any norm ( ), with constant . 2000 – is NP-hard to approximate with ratio [Dinur]

Questions???