Embed Size (px)
Citation preview
Shortest Vector In A Shortest Vector In A Lattice is NP-Hard to Lattice is NP-Hard to
approximate approximate
Daniele MicciancioDaniele Micciancio
Speaker: Asaf Speaker: Asaf WeissWeiss
DefinitionsDefinitions
► A A LatticeLattice in in : All integer combinations of : All integer combinations of given linearly independent vectors: given linearly independent vectors:
► The vectorsThe vectors are called the are called the Lattice Lattice BasisBasis..
► The integer n is called the The integer n is called the Lattice RankLattice Rank..►We will only discuss integer lattices, where We will only discuss integer lattices, where
allall . .
mR
1
L :n
i i ii
x x Z
b
n m
1,..., nb b
ni Zb
Matrix Representation of a Matrix Representation of a LatticeLattice
►We can put the lattice basis in a matrix:We can put the lattice basis in a matrix:
►This way the lattice points are exactly:This way the lattice points are exactly:
►The Lattice generated by The Lattice generated by BB is denoted is denoted . .
1 2| | ... | m nn Z B b b b
: nZBx x
( )L B
ExamplesExamples
► This is the lattice generated by the setThis is the lattice generated by the set : :
1,0 , 0,1
Examples – Cont.Examples – Cont.
►The very same lattice is generated by The very same lattice is generated by the setthe set : : 1,1 , 2,1
More definitionsMore definitions
►The The minimum distanceminimum distance of a lattice is: of a lattice is:
►Shortest Vector in a Lattice (SVP) Shortest Vector in a Lattice (SVP) problem: Find a lattice vector with problem: Find a lattice vector with minimal length.minimal length.
►Closest Vector in a Lattice (CVP) problem: Closest Vector in a Lattice (CVP) problem: Find a lattice point closest to a given Find a lattice point closest to a given target.target.
( ) inf : inf : 0L L L x y x y x x
Reduction from SVP to CVPReduction from SVP to CVP
In order to findIn order to find where where : :
1.1. Define Define and solve the CVP and solve the CVP problemproblem , to get a vector , to get a vector ..
2.2. RememberRemember . .
3.3. Repeat 1-2 forRepeat 1-2 for . .
4.4. Find the shortest amongFind the shortest among ..
( )SVP L
'Lv
1,..., ns s
1( | ... | )nL L b b
1' 2 | ... | nL L b b
1( ', )CVP L b
1 1 s v b
2 ,..., nb b
Why is CVP so hard?Why is CVP so hard?
Consider the following algorithm for CVP: Consider the following algorithm for CVP:
1.1. GivenGiven , solve the set of linear , solve the set of linear real equationsreal equations to find a to find a solutionsolution . .
2.2. Round the result to get the answer:Round the result to get the answer:
► The rounding error = The rounding error = ► This bound is very dependent of This bound is very dependent of BB..
( , )B y B y
znR
1
2 ii B Bz b
Why is CVP so hard – Cont.Why is CVP so hard – Cont.
► For instance, the two bases For instance, the two bases and and generate the same lattice. generate the same lattice.
► However, the expressionHowever, the expression is 1.4 for is 1.4 for
the first base, and about 199 for the other.the first base, and about 199 for the other.
1,0 , 0,1
100,1 , 99,1
ii b
Why is SVP well-definedWhy is SVP well-defined??
► Is the SVP problem well-defined? I.e., Is the SVP problem well-defined? I.e., is there always a lattice vector whose is there always a lattice vector whose norm is minimal?norm is minimal?
►This isn’t necessarily true for general This isn’t necessarily true for general geometric shapes, e.g. geometric shapes, e.g. 3( , , ) : 0x y z R x y z
Why is SVP well-defined – Why is SVP well-defined – Cont.Cont.
►One can find a lower bound on One can find a lower bound on : :
►Proposition:Proposition:every lattice basis B obeysevery lattice basis B obeys . .
Integer lattices: Integer lattices: . . Real lattices: one can prove that Real lattices: one can prove that
, where B* is the corresponding G.S , where B* is the corresponding G.S Orthogonalization of B.Orthogonalization of B.
( )L
*( ( )) min i iL B b
( ( )) 0L B
( ( )) 1L B
Why is SVP well-defined – Why is SVP well-defined – Cont.Cont.
►The proposition implies that the The proposition implies that the distance between two lattice points distance between two lattice points has a lower bound.has a lower bound.
►Therefore, the number of lattice points Therefore, the number of lattice points in the spherein the sphere is finite. is finite.( , ( ) 1) 0B L 0
Yet more definitionsYet more definitions► - distinguish between - distinguish between
(YES) and (YES) and (NO) . (NO) .
► - distinguish between - distinguish between and and
. .
► is easier than approximating is easier than approximating SVP with a ratio of : if SVP with a ratio of : if , then , then
can be solved by checking can be solved by checking whetherwhether or or . .
( , )GAPSVP d B ( ) d B( ) d B
( , , )GAPCVP d B y( , ( ))dist L dy B ( , ( ))dist L d y B
GAPSVP GAPSVP ' ,d 'd d
'd d
Definitions – ContDefinitions – Cont..►We define a new problem, We define a new problem, , ,
as follows:as follows:
is a YES instance if is a YES instance if for for
some some . .
is a NO instance if is a NO instance if
for allfor all . .
( , , )dB y
' ( , , )GAPCVP d B y
0,1n
z
( , , )dB y
d Bz y
w d Bz y
\ 0nz Z and w Z
Types of reductionsTypes of reductions►Deterministic reductions map NO Deterministic reductions map NO
instances to NO instances and YES instances to NO instances and YES instances to YES instances.instances to YES instances.
►Randomized reductions:Randomized reductions: Map NO instances to NO instances with Map NO instances to NO instances with
probability 1.probability 1. Map YES instances to YES instances with Map YES instances to YES instances with
non-negligible probability.non-negligible probability. Cannot be used to show proper NP-Cannot be used to show proper NP-
hardness.hardness.
HistoryHistory
►1981 – CVP is NP-hard.1981 – CVP is NP-hard.►1997 – GAPCVP and GAPCVP’ are NP-1997 – GAPCVP and GAPCVP’ are NP-
hard for any constant factorhard for any constant factor ..►1998 – SVP is NP-hard for randomized 1998 – SVP is NP-hard for randomized
reductions [Ajtai].reductions [Ajtai].
►2004 – SVP is NP-hard to approximate 2004 – SVP is NP-hard to approximate with ratiowith ratio for randomized for randomized reductions [Khot]reductions [Khot]
1
0.5(log )2 n
Hardness of approximating Hardness of approximating SVPSVP
► Idea: Solving CVP’(Idea: Solving CVP’(BB,,yy) is similar to ) is similar to solving solving : both minimize : both minimize
, where w is an integer. , where w is an integer.
►Problem: what if w=0?Problem: what if w=0?
►Solution: we embed the lattice Solution: we embed the lattice in in a higher dimensional space.a higher dimensional space.
|SVP B y wBx y
( | )L B y
The Geometric LemmaThe Geometric LemmaLemma: for any Lemma: for any , there exists a , there exists a
polynomial time algorithm that given polynomial time algorithm that given outputs:outputs:
two positive integerstwo positive integers a lattice basisa lattice basis a vectora vector a linear transformationa linear transformation
Such that:Such that:1.1. 2.2. With probability at least 1-1/poly(k), for allWith probability at least 1-1/poly(k), for all
there exists there exists s.t. s.t. and and . .
[1, 2)k Z
,m r Z
0,1kx
mZz ( , )B rLz s Tz x
( 1)m mZ L1mZ s
k mZ T
( ) r L
The Geometric Lemma – The Geometric Lemma – Cont.Cont.
►The lemma doesn’t depend on input!The lemma doesn’t depend on input!► It asserts the existence of a lattice and It asserts the existence of a lattice and
a sphere, such that:a sphere, such that: is bigger than times the sphere is bigger than times the sphere
radius.radius. With high probability the sphere contains With high probability the sphere contains
exponentially many lattice vectors.exponentially many lattice vectors.
►Proof: Later.Proof: Later.
( )L
Theorem 1Theorem 1
►For any constantFor any constant , , is hard for is hard for NP under randomized reductions.NP under randomized reductions.
►Proof: By reduction from GAPCVP’.Proof: By reduction from GAPCVP’.
First, chooseFirst, choose andand .. Assume w.l.o.g that Assume w.l.o.g that and and are rational. are rational.
[1, 2) GAPSVP
( , 2) 1
2 2 2'
/ '/
Proof of Theorem 1 – Cont.Proof of Theorem 1 – Cont.
►Let Let be an instance ofbe an instance of (( ). ).
►We define an instanceWe define an instance of of , , s.t:s.t: IfIf is a NO instance thenis a NO instance then is is
a NO instance.a NO instance. IfIf is a YES instance thenis a YES instance then is is
a YES instance with high probability.a YES instance with high probability.
GAPSVP
( , , )dB y''GAPCVP
( , )tV
, ,n k nZ Z d Z B y
( , , )dB y ( , )tV
( , , )dB y ( , )tV
Proof of Theorem 1 – Cont.Proof of Theorem 1 – Cont.
Run the algorithm from the Geometric Run the algorithm from the Geometric Lemma (on input k) to obtainLemma (on input k) to obtain
s.t:s.t:► ..►With probability at least 1-1/poly(k), With probability at least 1-1/poly(k),
for allfor all there exists there exists s.t. s.t. and and . .
0,1kx
( 1) , \ 0 , ,m m m k mZ Z Z r Z L s T
mZz
\ 0mr Z Lz z
r Lz sTz x
Proof of Theorem 1 – Cont.Proof of Theorem 1 – Cont.
►Definition ofDefinition of :: Choose integers a,b s.t Choose integers a,b s.t and and ..
'ad
|
|
a a
b b
BT yV
L s
( , )tV
'
a r
b d
't ad br
►Fact: for every vectorFact: for every vector : :
►And therefore:And therefore:
Proof of Theorem 1 – Cont.Proof of Theorem 1 – Cont.
w
zw
| ( )
| ( )
a a a w
b b w b w
BT y z BTz yVw
L s Lz s
2 2 2( ) ( )a w b w Vw BTz y Lz s
Proof of Theorem 1 – Cont.Proof of Theorem 1 – Cont.
► If If is a NO instance: Let is a NO instance: Let be a generic non-zero vector. be a generic non-zero vector.We show that We show that ..
If If then by definition of GAPCVP’: then by definition of GAPCVP’:
If If then then and by the lemma: and by the lemma:
( , , )dB yw
zw
2 2( )tVw
0w ( ) 'a w a d t B Tz y
0w 0zb w b b r t Lz s Lz
Proof of Theorem 1 – EndProof of Theorem 1 – End
► If If is a YES instance: There is a YES instance: There exists exists . .
►Provided the construction in the lemma Provided the construction in the lemma succeeds:succeeds: . .
►We defineWe define and get and get . .
( , , )dB y
0,1 . .k
s t d x Bx y
2 2tVw1
zw
. .mZ s t r and z Lz s Tz x
Proof of The Geometric Proof of The Geometric LemmaLemma
►The real lattice:The real lattice: Lemma 1:Lemma 1: Let Let be relatively prime be relatively prime
odd integers. Then, for any realodd integers. Then, for any real , , the real lattice defined by:the real lattice defined by:
obeysobeys . .
0
( ( )) 2 lnL L
1
( 1)
1
ln 0 0
0 0
0 0 ln
ln ln
m m
m
m
a
Ra
a a
L
1,..., ma a N
The real lattice – ContThe real lattice – Cont..
►Lemma 2:Lemma 2:
Set Set . .
For anyFor any and and , if , if
thenthen . .
A connection between finding lattice vectors A connection between finding lattice vectors close to close to ss and approximating and approximating as a product as a product of the .of the .
ln 2 Lz s
0
0
ln
s
, 1 0,1nz 1, (1 )iz
iia
'ia s
The real lattice – ContThe real lattice – Cont..
► If we takeIf we take , we get:, we get:
►Also, there are many lattice points in Also, there are many lattice points in , provided that the interval , provided that the interval
contains many products of the form contains many products of the form . .
► If If are the first odd primes, these are the first odd primes, these are the square-free - smooth are the square-free - smooth numbers.numbers.
1, (1 ) ,
1,..., ma a
1
( ( )) 2 ln 2(1 ) lnL L
( , ln 2)B s
[ ] ii S ma
( )ma
The real lattice – ContThe real lattice – Cont..►Lemma 3:Lemma 3: For every positive numbers For every positive numbers
and any finite integer setand any finite integer set , the following holds: If , the following holds: If is chosen is chosen
uniformly at random from M, then:uniformly at random from M, then:
►Applying this to the set of square-free Applying this to the set of square-free smooth numbers gets the following smooth numbers gets the following proposition:proposition:
[0,1) , H N M
1
1Pr [ , )
(1 2 )
max( )
M
HM H
M
where M
The real lattice – ContThe real lattice – Cont..
►Proposition 4:Proposition 4: For all reals For all reals , there , there exists an integer c such that for all exists an integer c such that for all sufficiently large integer h the following sufficiently large integer h the following holds:holds:Let Let , , be the first m odd be the first m odd primes, andprimes, and . If . If is chosen is chosen uniformly at random from M, then:uniformly at random from M, then:
, 0
1,..., ma a :ii S
M a S h
Pr [ , ) 2h hM M h
cm h
The real lattice – Cont.The real lattice – Cont.► Combining the previous lemmas and proposition Combining the previous lemmas and proposition
we get the following theorem:we get the following theorem:
Theorem 5:Theorem 5: for all for all , there exists an integer c , there exists an integer c such that:such that:Let Let , , , and , and be the first m odd primes. be the first m odd primes. Let Let be the product of a random subset of be the product of a random subset of of size h.of size h.SetSet as before, andas before, and . Then: . Then:
1.1. 2.2. For all sufficiently large h, with probability at leastFor all sufficiently large h, with probability at least , the , the
spheresphere contains at least lattice points of contains at least lattice points of the formthe form where where z z is a 0-1 vector with exactly h ones. is a 0-1 vector with exactly h ones.
, 0
( , )rB s hh
Lz
,L s
( ( )) 2(1 ) /(1 )L r L 1 2 h
(1 ) ln 1r
h N 1,..., ma acm h 1,..., ma a
Working over the integersWorking over the integers► Using rounding of and , a similar result can be Using rounding of and , a similar result can be
achieved for integers:achieved for integers:
Theorem 8:Theorem 8: for any for any , there exists a polynomial , there exists a polynomial time algorithm that given an integer h outputs:time algorithm that given an integer h outputs:
two positive integerstwo positive integers a matrixa matrix a vectora vector
Such that:Such that:1.1. 2.2. For all sufficiently large h, with probability at leastFor all sufficiently large h, with probability at least , the , the
spheresphere contains at least lattice points of contains at least lattice points of the formthe form where where z z is a 0-1 vector with exactly h ones. is a 0-1 vector with exactly h ones.
[1, 2)
,m r Z
( , )rB s hh
Lz
( 1)m mZ L1mZ s
( ( ))L r L
L s
1 2 h
Reminder: The Geometric Reminder: The Geometric LemmaLemma
Lemma: for any Lemma: for any , there exists a , there exists a polynomial time algorithm that given polynomial time algorithm that given outputs:outputs:
two positive integerstwo positive integers a lattice basisa lattice basis a vectora vector a linear transformationa linear transformation
Such that:Such that:1.1. 2.2. With probability at least 1-1/poly(k), for allWith probability at least 1-1/poly(k), for all
there exists there exists s.t. s.t. and and . .
[1, 2)k Z
,m r Z
0,1kx
mZz ( , )B rLz s Tz x
( 1)m mZ L1mZ s
k mZ T
( ) r L
Projecting lattice points to Projecting lattice points to binary stringsbinary strings
► Theorem 9:Theorem 9:
LetLet be a set of vectors containing be a set of vectors containing exactly h ones, s.t.exactly h ones, s.t. ..ChooseChoose by setting each entry to 1 by setting each entry to 1 independently at random with probabilityindependently at random with probability . Then, with probability at least . Then, with probability at least , all , all binary vectorsbinary vectors are contained inare contained in . .
► Using this theorem with appropriate constants Using this theorem with appropriate constants completes the proof of the Geometric Lemma.completes the proof of the Geometric Lemma.
0,1m
Z 4
!hk
Z h m
0,1k mT
1
4p
hk
1 6 0,1
k ( ) :Z Z T Tz z
Concluding RemarksConcluding Remarks►We proved that approximating SVP is not in We proved that approximating SVP is not in
RP unless NP=RP.RP unless NP=RP.
► The only place we used randomness is in the The only place we used randomness is in the Geometric Lemma. It can be avoided if we Geometric Lemma. It can be avoided if we assume a reasonable number theoretic assume a reasonable number theoretic conjecture about square-free smooth conjecture about square-free smooth numbers.numbers.
►With this assumption, we get that With this assumption, we get that approximating SVP is not in P unless P=NP.approximating SVP is not in P unless P=NP.
Concluding Remarks – Cont.Concluding Remarks – Cont.
►The theorem can be generalized for any The theorem can be generalized for any
norm (norm ( ), with constant ), with constant..
►2000 – 2000 – is NP-hard to approximate is NP-hard to approximate with ratiowith ratio [Dinur] [Dinur]
pl
ppip
x x [1, 2)p
SVP0.5(log )2 n
Questions???Questions???
