Presentation is loading. Please wait.

Presentation is loading. Please wait.

S.Safra I.Dinur G.Kindler

Published byGabriella Salazar Gonçalves Modified over 5 years ago

Similar presentations

Presentation on theme: "S.Safra I.Dinur G.Kindler"— Presentation transcript:

1 S.Safra I.Dinur G.Kindler
Lattice Salad S.Safra I.Dinur G.Kindler

2 Lattice Problems Definition: Given a basis v1,..,vnRn,
The lattice L=L(v1,..,vk) = {aivi | integers ai} SVP: Find the shortest non-zero vector in L. CVP: Given a vector yRn, find a vL closest to y. y shortest closest

3

4 What’s the nearest lattice point ?
Another basis

5 Lattice Approximation Problems
g-Approximation version: Find a vector y s.t. ||y|| < g  shortest(L) g-Gap version: Given L, and a number d, distinguish between The ‘yes’ instances ( shortest(L)  d ) The ‘no’ instances ( shortest(L) > gd ) shortest If g-Gap problem is NP-hard, then having a g-approximation polynomial algorithm --> P=NP.

6 Lattice Approximation Problems
g-Approximation version: Find a vector y s.t. ||y|| < g  shortest(L) g-Gap version: Given L, and a number d, distinguish between The ‘yes’ instances ( shortest(L)  d ) The ‘no’ instances ( shortest(L) > gd ) shortest If g-Gap problem is NP-hard, then having a g-approximation polynomial algorithm --> P=NP.

7 Lattice Problems - Brief History
[Dirichlet, Minkowsky] no CVP algorithms… [LLL] Approximation algorithm for SVP, factor 2n/2 [Babai] Extension to CVP [Schnorr] Improved factor, (1+)n for both CVP and SVP [vEB]: CVP is NP-hard [ABSS]: Approximating CVP is NP hard to within any constant Almost NP hard to within an almost polynomial factor.

8 Lattice Problems - Recent History
[Ajtai96]: average-case/worst-case equiv. for SVP. [Ajtai-Dwork96]: Cryptosystem. [Ajtai97]: SVP is NP-hard (for randomized reductions). [Micc98]: SVP is NP-hard to approximate to within some constant factor. [DKRS]: NP hard to within an almost polynomial factor. [LLS]: Approximating CVP to within n1.5 is in coNP. [GG]: Approximating SVP and CVP to within n is in coAMNP.

9 CVP/SVP - which is easier?
Definition: Given a basis v1,..,vnRn, The lattice L=L(v1,..,vk) = {aivi | integers ai} SVP: Find the shortest non-zero vector in L. CVP: Given a vector yRn, find a vL closest to y. y shortest closest

10 Reducing g-SVP to g-CVP [GMSS99]
b1 b2 shortest: b2-2b1 The lattice L

11 Reducing g-SVP to g-CVP [GMSS98]
CVP oracle: apx. minimize ||c1b1+2c2b2-b2|| The lattice L’’ L L’’=span (2b1,b2) The lattice L’ L L’=span (b1,2b2) shortest vector in L = cibi Note: at least one coef. ci of the shortest vector must be odd

12 The Reduction Input: A pair (B,d), B=(b1,..,bn) and dR for j=1 to n:
invoke the CVP oracle on(B(j),bj,d) Output: The OR of all oracle replies. Where B(j) = (b1,..,bj-1,2bj,bj+1,..,bn)

13 The Dual Lattice L* = { y | x  L: yx  Z}
Give a basis {v1, .., vn} for L one can construct, in poly-time, a basis {u1,…,un}: ui  vj = 0 ( i  j) ui  vi = 1 In other words U = (Vt)-1 where U = u1,…,un V = v1, .., vn

14 Shortest Vector - Hidden Hyperplane
s – shortest vector H – hidden hyperplane distance = 1/||S|| -s H0 = {y| ys = 0} H1 = {y| ys = 1} Hk = {y| ys = k}

15 Public Key Cryptosystem
s – shortest vector H – hidden hyperplane s Encoding 0 Encoding 1 s (1) Choose a random lattice point (2) Perturb it Choose a random point

16 Public Key Cryptosystem
Decoding (using s): Decoding 0 Decoding 1 s s

17 Ajtai: SVP Instances Hard on Average
Approximating SVP (factor= nc ) On random instances from a specific constructible distribution Approximating Shortest Basis (factor= n10+c ) Approximating SVP (factor= n10+c ) Finding Unique-SVP

18 Average-Case Distribution
Pick an n*m matrix A, with coefficients uniformly ranging over [0,…,q-1]. (q= poly (n), n = O(m log q) A = v1 v2 … vm Def: (A) = {x  Zn | xA  0 mod q }

19 A mod-q lattice: (v1 v2 v3 v4)
(2,0,0,1) (1,1,1,0) q(a,b,c,d)

20

21

22 Hardness of approx. CVP [DKRS]
g-CVP is NP-hard for g=n1/loglog n n - lattice dimension Improving Hardness (NP-hardness instead of quasi-NP-hardness) Non-approximation factor (from 2(logn)1-)

23 [ABSS] reduction: uses PCP to show
NP-hard for g=O(1) Quasi-NP-hard g=2(logn)1- by repeated blow-up. Barrier - 2(logn)1- const >0 SSAT: a new non-PCP characterization of NP. NP-hard to approximate to within g=n1/loglogn .

24 SAT Input: =f1,..,fn Boolean functions ‘tests’
x1,..,xn’ variables with range {0,1} Problem: Is  satisfiable? Thm (Cook-Levin): SAT is NP-complete (even when depend()=3)

25 SAT as a consistency problem
Input =f1,..,fn Boolean functions - ‘tests’ x1,..,xn’ variables with range R for each test: a list of satisfying assignments Problem Is there an assignment to the tests that is consistent? f(x,y,z) g(w,x,z) h(y,w,x) (0,2,7) (2,3,7) (3,1,1) (1,0,7) (1,3,1) (3,2,2) (0,1,0) (2,1,0) (2,1,5)

26 ||SA(f)|| = |-2|+|2|+|3| = 7 Norm SA - Averagef||A(f)||
Super-Assignments f(x,y,z)’s super-assignment SA(f)=-2(3,1,1)+2(3,2,5)+3(5,1,2) 3 2 1 -1 -2 (1,1,2) (3,1,1) (3,2,5) (3,3,1) (5,1,2) A natural assignment for f(x,y,z) A(f) = (3,1,1) 1 (1,1,2) (3,1,1) (3,2,5) (3,3,1) (5,1,2) ||SA(f)|| = |-2|+|2|+|3| = Norm SA - Averagef||A(f)||

27 Consistency In the SAT case: A(f) = (3,2,5) A(f)|x := (3)
x  f,g that depend on x: A(f)|x = A(g)|x

28 Consistency SA(f) = +3(1,1,2)  -2(3,2,5)  2(3,3,1)
SA(f)|x := +3(1)  0(3) -2+2=0 3 2 1 -1 -2 (3,2,5) (3,3,1) (1) (2) (3) (1,1,2) Consistency: x  f,g that depend on x: SA(f)|x = SA(g)|x

29 g-SSAT - Definition Input:
=f1,..,fn tests over variables x1,..,xn’ with range R for each test fi - a list of sat. assign. Problem: Distinguish between [Yes] There is a natural assignment for  [No] Any non-trivial consistent super-assignment is of norm > g Theorem: SSAT is NP-hard for g=n1/loglog n. (conjecture: g=n ,  = some constant)

30 SSAT is NP-hard to approximate to within g = n1/loglogn
Can’t extend everything at once: recursion-composition paradigm

31 I Reducing SSAT to CVP Yes --> Yes: dist(L,target) = n
f,(1,2) f’,(3,2) Yes --> Yes: dist(L,target) = n No --> No: dist(L,target) > gn Choose w = gn + 1 I w w * 1 2 3 f,f’,x f(w,x) f’(z,x)

32 A consistency gadget w w w * 1 2 3

33 A consistency gadget w w w w w w w w * 1 2 3 a1 a2 a3 b1 b2 b3
w w w w w w w a1 + a2 + a3 = 1 * 1 2 3 + b1 a2 + a3 = 1 + b2 a a3 = 1 + b3 a1 + a2 = 1

34 GG Approximating SVP and CVP to within n is in NP  coAM Hence if these problem are shown NP-hard the polynomial-time hierarchy collapses

35 The World According to Lattices
Ajtai-Micciancio GG DKRS LLL CVP NPco-AM Poly-time approximation SVP 1+1/n 1 O(1) O(logn) 2 n1/loglogn nO(1) 2n NP-hardness

36 Is g-SVP NP-hard to within n ?
OPEN PROBLEMS Is g-SVP NP-hard to within n ? A class of its own? Can LLL be improved? CVP NPco-AM Poly-time approximation SVP 1+1/n 1 O(1) O(logn) 2 n1/loglogn nO(1) 2n NP-hardness

37 Open Problems Is SVP NP-hard to approximate to within n factor
Can the LLL algorithm be improved? Maybe for factors between and these problems are on a class of their own

Download ppt "S.Safra I.Dinur G.Kindler"

Similar presentations

Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Hardness of Robust Graph Isomorphism, Lasserre Gaps, and Asymmetry of Random Graphs Ryan O’Donnell (CMU) John Wright (CMU) Chenggang Wu (Tsinghua) Yuan.

Hardness of Robust Graph Isomorphism, Lasserre Gaps, and Asymmetry of Random Graphs Ryan O’Donnell (CMU) John Wright (CMU) Chenggang Wu (Tsinghua) Yuan.
Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.

Enumerative Lattice Algorithms in any Norm via M-Ellipsoid Coverings Daniel Dadush (CWI) Joint with Chris Peikert and Santosh Vempala.
Theory of Computing Lecture 18 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 18 MAS 714 Hartmut Klauck.
 2004 SDU Lecture17-P,NP, NPC.  2004 SDU 2 1.Decision problem and language decision problem decision problem and language 2.P and NP Definitions of.

 2004 SDU Lecture17-P,NP, NPC.  2004 SDU 2 1.Decision problem and language decision problem decision problem and language 2.P and NP Definitions of.
Having Proofs for Incorrectness

Having Proofs for Incorrectness
1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)

1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)
The Closest Vector is Hard to Approximate and now, for unlimited time only with Pre - Processing !! Nisheeth vishnoi Subhash Khot Michael Alekhnovich Joint.

The Closest Vector is Hard to Approximate and now, for unlimited time only with Pre - Processing !! Nisheeth vishnoi Subhash Khot Michael Alekhnovich Joint.
Inapproximability from different hardness assumptions Prahladh Harsha TIFR 2011 School on Approximability.

Inapproximability from different hardness assumptions Prahladh Harsha TIFR 2011 School on Approximability.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
CSC5160 Topics in Algorithms Tutorial 2 Introduction to NP-Complete Problems Feb 8 2007 Jerry Le

CSC5160 Topics in Algorithms Tutorial 2 Introduction to NP-Complete Problems Feb Jerry Le
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
1 INTRODUCTION NP, NP-hardness Approximation PCP.

1 INTRODUCTION NP, NP-hardness Approximation PCP.
1 The PCP starting point. 2 Overview In this lecture we’ll present the Quadratic Solvability problem. In this lecture we’ll present the Quadratic Solvability.

1 The PCP starting point. 2 Overview In this lecture we’ll present the Quadratic Solvability problem. In this lecture we’ll present the Quadratic Solvability.
1 The PCP starting point. 2 Overview In this lecture we’ll present the Quadratic Solvability problem. We’ll see this problem is closely related to PCP.

1 The PCP starting point. 2 Overview In this lecture we’ll present the Quadratic Solvability problem. We’ll see this problem is closely related to PCP.
CS151 Complexity Theory Lecture 16 May 25, 2004. CS151 Lecture 162 Outline approximation algorithms Probabilistically Checkable Proofs elements of the.

CS151 Complexity Theory Lecture 16 May 25, CS151 Lecture 162 Outline approximation algorithms Probabilistically Checkable Proofs elements of the.
1 Slides by Asaf Shapira & Michael Lewin & Boaz Klartag & Oded Schwartz. Adapted from things beyond us.

1 Slides by Asaf Shapira & Michael Lewin & Boaz Klartag & Oded Schwartz. Adapted from things beyond us.
1 Joint work with Shmuel Safra. 2 Motivation 3 Motivation.

1 Joint work with Shmuel Safra. 2 Motivation 3 Motivation.

Similar presentations

Ads by Google