Lattices

Lattice Salad
S. Safra, I. Dinur, G. Kindler
Lattice Problems

Definition: Given a basis v_1, .., v_n ∈ R^n,
the lattice L = L(v_1, .., v_n) = { Σ a_i v_i | integers a_i }.

SVP: Find the shortest non-zero vector in L.

CVP: Given a vector y ∈ R^n, find a v ∈ L closest to y.
[Figure: a lattice with the target y, its closest lattice point and the shortest vector marked ("What's the nearest lattice point?"); a second panel shows the same lattice generated by another basis.]
Lattice Approximation Problems
• g-Approximation version:
  Find a non-zero vector y ∈ L s.t. ||y|| ≤ g · shortest(L).
• g-Gap version: Given L and a number d, distinguish between
  – the 'yes' instances ( shortest(L) ≤ d )
  – the 'no' instances ( shortest(L) > g·d ).
If the g-Gap problem is NP-hard, then a polynomial-time g-approximation algorithm would give P = NP: on a 'yes' instance it returns some y with ||y|| ≤ g·d, while on a 'no' instance every non-zero lattice vector has norm > g·d, so comparing ||y|| with g·d decides the gap problem.
Lattice Problems - Brief History
• [Dirichlet, Minkowski] no CVP algorithms…
• [LLL] Approximation algorithm for SVP, factor 2^(n/2)
• [Babai] Extension to CVP
• [Schnorr] Improved factor, (1+ε)^n for both CVP and SVP
• [vEB] CVP is NP-hard
• [ABSS] Approximating CVP is
  – NP-hard to within any constant
  – almost NP-hard to within an almost polynomial factor.
Lattice Problems - Recent History
• [Ajtai96]: average-case/worst-case equivalence for SVP.
• [Ajtai-Dwork96]: Cryptosystem.
• [Ajtai97]: SVP is NP-hard (for randomized reductions).
• [Micc98]: SVP is NP-hard to approximate to within some constant factor.
• [DKRS]: CVP is NP-hard to approximate to within an almost polynomial factor.
• [LLS]: Approximating CVP to within n^1.5 is in coNP.
• [GG]: Approximating SVP and CVP to within √n is in coAM ∩ NP.
CVP/SVP - which is easier?
Reducing g-SVP to g-CVP [GMSS99]
[Figure: a 2-dimensional lattice L with basis b_1, b_2 whose shortest vector is b_2 - 2b_1.]
Sublattices: L'' = L(2b_1, b_2) ⊂ L and L' = L(b_1, 2b_2) ⊂ L.
CVP oracle on (L', b_2): approximately minimize ||c_1 b_1 + 2c_2 b_2 - b_2||.
Write the shortest vector in L as Σ c_i b_i.
Note: at least one coefficient c_i of the shortest vector must be odd (if all were even, halving the vector would give a shorter non-zero lattice vector). Conversely, any vector of L(B^(j)) minus b_j is a vector of L with odd j-th coefficient, hence non-zero; so min_j dist(L(B^(j)), b_j) is exactly the length of the shortest non-zero vector of L.

The Reduction
Input: A pair (B, d), B = (b_1, .., b_n) and d ∈ R
for j = 1 to n:
  invoke the CVP oracle on (B^(j), b_j, d)
Output: the OR of all oracle replies,
where B^(j) = (b_1, .., b_{j-1}, 2b_j, b_{j+1}, .., b_n).
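The reduction as runnable Python, added here as an illustration (it is not code from GMSS or from the slides). The CVP oracle is replaced by an exhaustive search that is exact only for tiny, well-conditioned bases, which is all this demo needs; the basis [(3,1), (7,1)], whose shortest vector is b_2 - 2b_1 = (1,-1), is constructed for the example. Both the search version (which returns the short vector) and the slide's decision version (the OR over j) are shown.

```python
"""GMSS-style reduction from SVP to CVP, run against a brute-force CVP oracle."""
from itertools import product
from typing import Callable, List, Sequence, Tuple

Vector = Tuple[int, ...]
Basis = List[Vector]
CvpOracle = Callable[[Basis, Vector], Tuple[Vector, int]]


def lin_comb(basis: Basis, coeffs: Sequence[int]) -> Vector:
    """sum_i coeffs[i] * basis[i]."""
    dim = len(basis[0])
    return tuple(sum(c * b[k] for c, b in zip(coeffs, basis)) for k in range(dim))


def sub(a: Vector, b: Vector) -> Vector:
    return tuple(x - y for x, y in zip(a, b))


def sq_norm(v: Vector) -> int:
    return sum(x * x for x in v)


def cvp_bruteforce(basis: Basis, target: Vector, bound: int = 6) -> Tuple[Vector, int]:
    """Exact CVP by exhausting all coefficient vectors in [-bound, bound]^n.

    Stand-in for the CVP oracle.  It is exact only if the closest vector's
    coefficients fall inside the box (assumed for the tiny examples here); it is
    exponential in n and not a real algorithm.  Returns (closest vector, squared distance).
    """
    best: Tuple[Vector, int] = (lin_comb(basis, [0] * len(basis)), sq_norm(target))
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        v = lin_comb(basis, coeffs)
        d = sq_norm(sub(v, target))
        if d < best[1]:
            best = (v, d)
    return best


def doubled_basis(basis: Basis, j: int) -> Basis:
    """B^(j): b_j replaced by 2 b_j.  L(B^(j)) is the index-2 sublattice of L(B)
    consisting of the vectors whose j-th coefficient is even."""
    return [tuple(2 * x for x in b) if i == j else b for i, b in enumerate(basis)]


def svp_via_cvp(basis: Basis, cvp: CvpOracle) -> Tuple[Vector, int]:
    """Search version: n oracle calls on (B^(j), b_j).

    For v in L(B^(j)) the difference v - b_j is in L(B) with an odd j-th coefficient,
    so it is non-zero.  The shortest vector sum c_i b_i has some odd c_j (an all-even
    vector could be halved) and equals v - b_j for
    v = sum_{i != j} c_i b_i + ((c_j + 1)/2) (2 b_j) in L(B^(j)).  Hence
    min_j dist(L(B^(j)), b_j) is the shortest non-zero length of L(B), and a
    g-approximate CVP oracle yields a g-approximate shortest vector.
    Returns (vector found, squared norm)."""
    best = None
    for j, b_j in enumerate(basis):
        v, d = cvp(doubled_basis(basis, j), b_j)
        if best is None or d < best[1]:
            best = (sub(v, b_j), d)
    assert best is not None
    return best


def gap_svp_via_cvp(basis: Basis, d_squared: int, cvp: CvpOracle) -> bool:
    """Decision version as on the slide: OR over j of 'dist(L(B^(j)), b_j) <= d'
    (distances compared squared to stay in integers)."""
    return any(cvp(doubled_basis(basis, j), b_j)[1] <= d_squared
               for j, b_j in enumerate(basis))


if __name__ == "__main__":
    # Constructed example: shortest vector of L(b_1, b_2) is b_2 - 2 b_1 = (1, -1).
    B: Basis = [(3, 1), (7, 1)]
    print(svp_via_cvp(B, cvp_bruteforce))         # ((1, -1), 2)
    print(gap_svp_via_cvp(B, 2, cvp_bruteforce))  # True
    print(gap_svp_via_cvp(B, 1, cvp_bruteforce))  # False
```

Only the j = 2 call can return the true shortest vector here, because its b_2-coefficient is the odd one; the j = 1 call is forced onto vectors with an odd b_1-coefficient and finds nothing shorter than (2,2). Replacing `cvp_bruteforce` with any g-approximate CVP routine keeps the same loop and the same guarantee.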
The Dual Lattice
L* = { y | ∀x ∈ L: y·x ∈ Z }
Given a basis {v_1, .., v_n} for L one can construct, in poly-time, a basis {u_1, …, u_n} for L* with
  u_i · v_j = 0 (i ≠ j),  u_i · v_i = 1.
In other words U = (V^t)^-1, where V = (v_1, .., v_n) and U = (u_1, …, u_n) are the matrices having the basis vectors as columns.
Shortest Vector - Hidden Hyperplane
s – shortest vector, H – hidden hyperplane
H_0 = {y | y·s = 0}, H_1 = {y | y·s = 1}, …, H_k = {y | y·s = k}
Consecutive hyperplanes are at distance 1/||s||; since y·s ∈ Z for every y ∈ L*, the dual lattice lies on these hyperplanes.
[Figure: the parallel hyperplanes H_k with s and -s drawn normal to them.]
Public Key Cryptosystem
s – shortest vector, H – hidden hyperplane
Encoding 0: (1) choose a random lattice point, (2) perturb it.
Encoding 1: choose a random point.
[Figure: an encoding of 0 lies close to one of the hyperplanes H_k; an encoding of 1 is a random point of the space.]

Decoding (using s): test whether the received point y lies close to one of the hyperplanes H_k, i.e. whether y·s is close to an integer; if so decode 0, otherwise 1.
[Figure: decoding 0 and decoding 1, measured along s.]
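The dual basis U = (V^t)^-1 and the hidden-hyperplane picture above, as an added runnable toy (not code from the slides and not the Ajtai-Dwork scheme; it has no security whatsoever and exists only to make the geometry concrete). Assumptions: the basis rows (3,1), (7,1) and the secret s = (1,-1) are constructed; the "lattice point" of Encoding 0 is taken to be a dual-lattice point, since those are exactly the points on the hyperplanes H_k; the perturbation radius 1/(10||s||) and the decoding threshold 1/8 are arbitrary choices made so that every 0 decodes correctly.

```python
"""Dual basis, hidden hyperplanes H_k = {y : y.s = k} and a toy bit encoding on them."""
from fractions import Fraction
import math
import random
from typing import List, Sequence, Tuple

Row = List[Fraction]


def dot(a: Sequence, b: Sequence):
    return sum(x * y for x, y in zip(a, b))


def transpose(m: Sequence[Sequence]) -> List[list]:
    return [list(col) for col in zip(*m)]


def inverse(m: Sequence[Sequence]) -> List[Row]:
    """Exact inverse of a square matrix (list of rows) by Gauss-Jordan over Fractions."""
    n = len(m)
    aug = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if aug[r][col] != 0)  # singular -> StopIteration
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def dual_basis(basis: Sequence[Sequence[int]]) -> List[Tuple[Fraction, ...]]:
    """Rows u_1..u_n with u_i . v_j = [i == j]: the slide's U = (V^t)^-1, for a basis
    stored as rows (so the matrix to invert is the transpose of the row matrix)."""
    return [tuple(row) for row in inverse(transpose(basis))]


def hyperplane_spacing(s: Sequence[int]) -> float:
    """Distance between consecutive hyperplanes H_k and H_{k+1}: 1/||s||."""
    return 1.0 / math.sqrt(float(dot(s, s)))


def dist_to_nearest_integer(t: float) -> float:
    return abs(t - round(t))


def encode(bit: int, dual: Sequence[Sequence[Fraction]], s: Sequence[int],
           rng: random.Random, coeff_range: int = 20, box: float = 50.0) -> Tuple[float, ...]:
    """Toy encoding following the slide: a 0 is a random dual-lattice point plus a small
    perturbation (kept within 1/(10||s||) of its hyperplane), a 1 is a random point."""
    n = len(s)
    if bit == 0:
        coeffs = [rng.randint(-coeff_range, coeff_range) for _ in range(n)]
        point = [float(sum(c * u[k] for c, u in zip(coeffs, dual))) for k in range(n)]
        e = [rng.uniform(-1.0, 1.0) for _ in range(n)]
        norm_e = math.sqrt(sum(x * x for x in e)) or 1.0
        scale = (hyperplane_spacing(s) / 10.0) * rng.random() / norm_e
        return tuple(p + scale * x for p, x in zip(point, e))
    return tuple(rng.uniform(-box, box) for _ in range(n))


def decode(y: Sequence[float], s: Sequence[int], threshold: float = 1 / 8) -> int:
    """Decoding with the secret s: y.s is within 1/8 of an integer for a perturbed dual
    point (|e.s| <= ||e|| ||s|| < 1/10), so such y decodes to 0; anything else to 1."""
    return 0 if dist_to_nearest_integer(dot(y, [float(x) for x in s])) < threshold else 1


def trial(basis: Sequence[Sequence[int]], s: Sequence[int], rounds: int = 400,
          seed: int = 1) -> Tuple[float, float]:
    """Fraction of correctly decoded 0s and 1s.  Zeros always decode; a random point
    lands within 1/8 of some hyperplane with probability about 1/4, so in this toy a 1
    decodes correctly only about 3/4 of the time (the real scheme deals with this)."""
    rng = random.Random(seed)
    dual = dual_basis(basis)
    ok0 = sum(decode(encode(0, dual, s, rng), s) == 0 for _ in range(rounds))
    ok1 = sum(decode(encode(1, dual, s, rng), s) == 1 for _ in range(rounds))
    return ok0 / rounds, ok1 / rounds


if __name__ == "__main__":
    # Constructed lattice with basis rows b_1, b_2; its shortest vector is s = b_2 - 2 b_1.
    basis = [(3, 1), (7, 1)]
    s = (1, -1)
    print(dual_basis(basis))       # [(-1/4, 7/4), (1/4, -3/4)]
    print(hyperplane_spacing(s))   # 0.7071...
    print(trial(basis, s))
```

The two things worth checking by hand are that u_i·v_j is the identity and that every dual basis vector has an integer inner product with s (here -2 and 1), which is why the whole dual lattice sits on the hyperplanes H_k and why knowing s is what makes decoding possible.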
Ajtai: SVP Instances Hard on Average
[Figure: a chain of reductions between approximating SVP (factor n^c) in the worst case, approximating Shortest Basis (factor n^(10+c)), approximating SVP (factor n^(10+c)), finding Unique-SVP, and approximating SVP on random instances from a specific constructible distribution.]
Average-Case Distribution
• Pick an n×m matrix A with coefficients uniformly ranging over {0, …, q-1} (q = poly(n), n = O(m log q)); write v_1, …, v_n ∈ Z_q^m for its rows.
Def: Λ(A) = { x ∈ Z^n | xA ≡ 0 mod q }, i.e. Σ x_i v_i ≡ 0 (mod q).
Example, a mod-q lattice for A = (v_1 v_2 v_3 v_4): (2,0,0,1) ∈ Λ(A) when 2v_1 + v_4 ≡ 0; (1,1,1,0) ∈ Λ(A) when v_1 + v_2 + v_3 ≡ 0; and q·(a,b,c,d) ∈ Λ(A) for all integers a,b,c,d, so qZ^n ⊂ Λ(A) and Λ(A) is full-rank.
[Figure: the lattice points (2,0,0,1) and (1,1,1,0), and the q-scaled unit cell.]
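Λ(A) in code, as an added example (not from the slides or from Ajtai's paper): the membership test, a constructed 4×2 matrix over Z_5 chosen so that the two vectors drawn above are lattice points, the sampling of A from the average-case distribution, and an exhaustive shortest-vector search whose box bound is justified by qZ^n ⊂ Λ(A). The matrix, q = 5 and the seed are constructed values.

```python
"""Ajtai's mod-q lattice Lambda(A) = {x in Z^n : xA = 0 (mod q)}: membership, a constructed
instance matching the slide's picture, and an exact (exhaustive) shortest vector."""
from itertools import product
import random
from typing import List, Optional, Sequence, Tuple

Matrix = List[List[int]]  # n rows v_1..v_n, each in Z_q^m


def sample_matrix(n: int, m: int, q: int, seed: int) -> Matrix:
    """The average-case distribution: an n x m matrix with entries uniform in {0..q-1}."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def in_lattice(A: Matrix, q: int, x: Sequence[int]) -> bool:
    """x in Lambda(A)  iff  sum_i x_i v_i == 0 (mod q) in every coordinate."""
    m = len(A[0])
    return all(sum(xi * row[k] for xi, row in zip(x, A)) % q == 0 for k in range(m))


def shortest_vector(A: Matrix, q: int) -> Tuple[Tuple[int, ...], int]:
    """Exact SVP for Lambda(A) by exhaustion over the box [-q, q]^n.

    The box is not a heuristic: q e_i is in Lambda(A) for every i, so the shortest
    non-zero vector has length <= q and therefore every coordinate in [-q, q].
    Cost is (2q+1)^n, so this is for illustrating tiny instances only.
    Returns (vector, squared norm)."""
    n = len(A)
    best: Optional[Tuple[Tuple[int, ...], int]] = None
    for x in product(range(-q, q + 1), repeat=n):
        if not any(x):
            continue
        d = sum(v * v for v in x)
        if (best is None or d < best[1]) and in_lattice(A, q, x):
            best = (x, d)
    assert best is not None
    return best


# Constructed instance (n = 4, m = 2, q = 5) chosen so that the two vectors drawn on the
# slide, (2,0,0,1) and (1,1,1,0), are lattice points: 2 v_1 + v_4 = v_1 + v_2 + v_3 = (5,5).
Q_EXAMPLE = 5
A_EXAMPLE: Matrix = [[1, 2],   # v_1
                     [2, 0],   # v_2
                     [2, 3],   # v_3
                     [3, 1]]   # v_4

if __name__ == "__main__":
    print(in_lattice(A_EXAMPLE, Q_EXAMPLE, (2, 0, 0, 1)))  # True
    print(shortest_vector(A_EXAMPLE, Q_EXAMPLE))            # squared norm 3
    A = sample_matrix(4, 2, Q_EXAMPLE, seed=7)
    print(A, shortest_vector(A, Q_EXAMPLE))
```

For the constructed A no vector of squared norm 1 or 2 is in Λ(A) (no row is 0 mod 5 and no ± pair of rows sums to 0 mod 5), so ±(1,1,1,0) is the shortest vector; (2,0,0,1) is a longer lattice point with squared norm 5.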
Hardness of approx. CVP [DKRS]
g-CVP is NP-hard for g = n^(1/loglog n), n = lattice dimension.
Improving on [ABSS] in both
– hardness (NP-hardness instead of quasi-NP-hardness), and
– non-approximation factor (from 2^((log n)^(1-ε)) to n^(1/loglog n)).
• [ABSS] reduction uses PCP to show
  – NP-hardness for g = O(1)
  – quasi-NP-hardness for g = 2^((log n)^(1-ε)) by repeated blow-up.
• Barrier: g = 2^((log n)^(1-ε)), const ε > 0.
• SSAT: a new non-PCP characterization of NP, NP-hard to approximate to within g = n^(1/loglog n).
SAT
Input: Φ = f_1, .., f_n Boolean functions ('tests'); x_1, .., x_n' variables with range {0,1}
Problem: Is Φ satisfiable?
Thm (Cook-Levin): SAT is NP-complete (even when depend(Φ) = 3)
SAT as a consistency problem
Input: Φ = f_1, .., f_n Boolean functions - 'tests'; x_1, .., x_n' variables with range R; for each test, a list of satisfying assignments.
Problem: Is there an assignment to the tests that is consistent?
Example (satisfying assignments listed per test, as grouped on the slide):
  f(x,y,z): (0,2,7), (2,3,7), (3,1,1)
  g(w,x,z): (1,0,7), (1,3,1), (3,2,2)
  h(y,w,x): (0,1,0), (2,1,0), (2,1,5)
Super-Assignments
A natural assignment for f(x,y,z): A(f) = (3,1,1)
[Figure: a single bar of height 1 at (3,1,1).]
f(x,y,z)'s super-assignment: SA(f) = -2(3,1,1) + 2(3,2,5) + 3(5,1,2)
[Figure: bar chart over the satisfying assignments (1,1,2), (3,1,1), (3,2,5), (3,3,1), (5,1,2) with heights 0, -2, 2, 0, 3.]
||SA(f)|| = |-2| + |2| + |3| = 7
Norm(SA) = Average over f of ||SA(f)||
Consistency
In the SAT case: A(f) = (3,2,5), A(f)|x := (3)
∀x ∀f,g that depend on x: A(f)|x = A(g)|x

Consistency
SA(f) = +3(1,1,2) - 2(3,2,5) + 2(3,3,1)
SA(f)|x := +3(1) + 0(3)   (the two assignments with x = 3 contribute -2 + 2 = 0)
[Figure: bar chart of SA(f) over (1,1,2), (3,2,5), (3,3,1) with heights 3, -2, 2, and of SA(f)|x over x = 1, 2, 3 with heights 3, 0, 0.]
Consistency: ∀x ∀f,g that depend on x: SA(f)|x = SA(g)|x
g-SSAT - Definition
Input: Φ = f_1, .., f_n tests over variables x_1, .., x_n' with range R; for each test f_i a list of satisfying assignments.
Problem: Distinguish between
[Yes] There is a natural assignment for Φ
[No] Any non-trivial consistent super-assignment is of norm > g
Theorem: SSAT is NP-hard for g = n^(1/loglog n), i.e. SSAT is NP-hard to approximate to within g = n^(1/loglog n)
(conjecture: g = n^ε, ε some constant).
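The super-assignment machinery of the last few slides (norm, restriction SA(f)|x, consistency, and the natural-assignment check of the [Yes] case) as an added example in Python; this is illustration code, not code from DKRS or from the slides. It uses the slide's own SA(f) = +3(1,1,2) - 2(3,2,5) + 2(3,3,1) and the f, g, h table from the consistency slide; the test names, the grouping of that table into three tests, and all helper names are mine. Restriction is written for an arbitrary list of shared variables, which generalises the single-variable SA(f)|x on the slide.

```python
"""Super-assignments for SSAT: norm, restriction to variables, consistency, and the
natural-assignment check behind the [Yes] case."""
from fractions import Fraction
from typing import Dict, Mapping, Sequence, Tuple

Assignment = Tuple[int, ...]             # values for a test's variables, in the test's order
SuperAssignment = Dict[Assignment, int]  # integer coefficient per satisfying assignment
Test = Tuple[str, ...]                   # the variables a test depends on, in order


def norm(sa: SuperAssignment) -> int:
    """||SA(f)|| = sum of |coefficients|."""
    return sum(abs(c) for c in sa.values())


def average_norm(sas: Mapping[str, SuperAssignment]) -> Fraction:
    """Norm(SA) = Average_f ||SA(f)||."""
    return Fraction(sum(norm(sa) for sa in sas.values()), len(sas))


def restrict(test: Test, sa: SuperAssignment, variables: Sequence[str]) -> SuperAssignment:
    """SA(f)|variables: project each assignment onto the chosen variables and add up the
    coefficients of assignments that agree there.  Zero totals are dropped, which is the
    slide's -2 + 2 = 0 cancellation giving SA(f)|x = +3(1) + 0(3)."""
    positions = [test.index(v) for v in variables]
    out: SuperAssignment = {}
    for assignment, coeff in sa.items():
        key = tuple(assignment[p] for p in positions)
        out[key] = out.get(key, 0) + coeff
    return {k: c for k, c in out.items() if c != 0}


def is_consistent(tests: Mapping[str, Test], sas: Mapping[str, SuperAssignment]) -> bool:
    """For every variable x and every pair of tests f, g depending on x: SA(f)|x == SA(g)|x."""
    names = list(tests)
    for i, f in enumerate(names):
        for g in names[i + 1:]:
            for x in set(tests[f]) & set(tests[g]):
                if restrict(tests[f], sas[f], [x]) != restrict(tests[g], sas[g], [x]):
                    return False
    return True


def is_natural(sas: Mapping[str, SuperAssignment]) -> bool:
    """A natural assignment picks exactly one satisfying assignment per test, coefficient 1."""
    return all(len(sa) == 1 and next(iter(sa.values())) == 1 for sa in sas.values())


def natural_from_choice(choice: Mapping[str, Assignment]) -> Dict[str, SuperAssignment]:
    return {f: {a: 1} for f, a in choice.items()}


# The slide's consistency example: SA(f) = +3(1,1,2) - 2(3,2,5) + 2(3,3,1).
F_TEST: Test = ("x", "y", "z")
SA_F: SuperAssignment = {(1, 1, 2): 3, (3, 2, 5): -2, (3, 3, 1): 2}

# The three tests of the "SAT as a consistency problem" slide and their satisfying
# assignments (grouping per test is my reading of the table).
TESTS: Dict[str, Test] = {"f": ("x", "y", "z"), "g": ("w", "x", "z"), "h": ("y", "w", "x")}
SATISFYING = {"f": [(0, 2, 7), (2, 3, 7), (3, 1, 1)],
              "g": [(1, 0, 7), (1, 3, 1), (3, 2, 2)],
              "h": [(0, 1, 0), (2, 1, 0), (2, 1, 5)]}

if __name__ == "__main__":
    print(restrict(F_TEST, SA_F, ["x"]), norm(SA_F))   # {(1,): 3} 7
    good = natural_from_choice({"f": (0, 2, 7), "g": (1, 0, 7), "h": (2, 1, 0)})
    print(is_natural(good), is_consistent(TESTS, good))  # True True
```

The natural choice f → (0,2,7), g → (1,0,7), h → (2,1,0) agrees on every shared variable (x = 0, z = 7, w = 1, y = 2) and so witnesses a [Yes] instance; picking f → (3,1,1) instead clashes with h on x and fails the test. The [No] condition is about all non-trivial consistent super-assignments, so checking it needs an enumeration rather than a single call, but the same `restrict` and `norm` are the primitives it would use.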
Reducing SSAT to CVP
[Figure: the CVP instance. Lattice columns are indexed by (test, satisfying assignment) pairs such as (f,(1,2)) and (f',(3,2)) for tests f(w,x), f'(z,x); the rows consist of an identity block I with one row per pair, and consistency rows indexed by (f,f',x) for each variable x shared by two tests, filled with entries 0 or w.]
Yes → Yes: dist(L, target) = √n
No → No: dist(L, target) > g√n
Choose w = g√n + 1
A consistency gadget
[Figure: the gadget for one shared variable. Lattice columns a_1, a_2, a_3 and b_1, b_2, b_3 (the satisfying assignments of two tests sharing the variable) have entries 0 or w over three coordinates; the weight-w rows force linear relations between sums of the a_i and sums of the b_j, each of the form (sum of some a_i) + b_j = 1 after dividing by w, so that a short vector near the target must satisfy SA(f)|x = SA(f')|x.]
GG
• Approximating SVP and CVP to within √n is in NP ∩ coAM.
• Hence if these problems are shown NP-hard, the polynomial-time hierarchy collapses.
The World According to Lattices
[Figure: the approximation factor g on a log scale (1, 1+1/n, O(1), …, n^(1/loglog n), √n, n^O(1), 2^n) for CVP and SVP, marking the known regimes: NP-hardness (Ajtai and Micciancio for SVP; DKRS for CVP up to n^(1/loglog n)), NP ∩ co-AM from √n (GG), and poly-time approximation at 2^n (LLL). Open problems marked on the figure: Is g-SVP NP-hard to within √n? Can LLL be improved? A class of its own?]
Open Problems
• Is SVP NP-hard to approximate to within a √n factor?
• Can the LLL algorithm be improved?
• Maybe for intermediate factors these problems are in a class of their own.
