The Complexity of Lattice Problems
Oded Regev, Tel Aviv University
Amsterdam, May 2010
(for more details, see LLL+25 survey)
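Lattice
[Figure: a two-dimensional lattice with the origin 0, basis vectors $v_1$, $v_2$, and labelled points $2v_1$, $v_1+v_2$, $2v_2$, $2v_2-v_1$, $2v_2-2v_1$.]
• For vectors $v_1,\ldots,v_n$ in $\mathbb{R}^n$ we define the lattice generated by them as $L = \{a_1 v_1 + \ldots + a_n v_n \mid a_i \text{ integers}\}$
• We call $v_1,\ldots,v_n$ a basis of L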
Lattices from a Computational Complexity Point of View
• Lattice problems are among the richest problems in complexity theory, exhibiting a wide range of behaviors:
– Some problems are in P (as shown by LLL)
– Some problems are NP-hard
– Some problems are not known to be in P, but believed not to be NP-hard
• As a rule of thumb, ‘algebraic’ problems are easy; ‘geometric’ problems are hard
Shortest Vector Problem (SVP)
• GapSVP: Given a lattice, decide if the length of the shortest vector is:
– YES: less than 1
– NO: more than
[Figure: a lattice with the origin 0 and basis vectors $v_1$, $v_2$.]
Closest Vector Problem (CVP)
• GapCVP: Given a lattice and a point v, decide if the distance of v from the lattice is:
– YES: less than 1
– NO: more than
• GapSVP is not harder than GapCVP [GoldreichMicciancioSafraSeifert99]
• Both problems are clearly in NP (for any )
[Figure: a lattice with the origin 0, basis vectors $v_1$, $v_2$ and a target point v.]
Known Results
• Polytime algorithms for gap $2^{n \log\log n/\log n}$ [LLL82, Schnorr87, AjtaiKumarSivakumar02]
• Hardness is known for:
– GapCVP: $n^{c/\log\log n}$ [vanEmdeBoas81…, DinurKindlerRazSafra03]
– GapSVP: 1 in $\ell_\infty$ [vanEmdeBoas81]; 1 [Ajtai96]; 2 [Micciancio98]; $2^{(\log^{1/2-\varepsilon} n)}$ [Khot04]; $n^{c/\log\log n}$ [HavivR07]
[Figure: axis of approximation factors with marks 1, $n^{c/\log\log n}$, n and $2^{n \log\log n/\log n}$; labels: NP-hard, ?, P, and Cryptography [Ajtai96, AjtaiDwork97…].]
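Known Results
Limits on Inapproximability
• $\mathrm{GapCVP}_{n} \in \mathrm{NP} \cap \mathrm{coNP}$ [LagariasLenstraSchnorr90, Banaszczyk93]
• $\mathrm{GapCVP}_{n/\log n} \in \mathrm{NP} \cap \mathrm{coAM}$ [GoldreichGoldwasser98]
• $\mathrm{GapCVP}_{n} \in \mathrm{NP} \cap \mathrm{coNP}$ [AharonovRegev04]
[Figure: axis of approximation factors with marks 1, $n^{c/\log\log n}$, n, n and $2^{n \log\log n/\log n}$; labels: NP-hard, NP∩coNP, NP∩coAM, NP∩coNP, P.]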
What’s ahead?
1. $\mathrm{GapCVP}_{n/\log n} \in \mathrm{NP} \cap \mathrm{coAM}$ [GoldreichGoldwasser98]
2. $\mathrm{GapCVP}_{n} \in \mathrm{NP} \cap \mathrm{coNP}$ [AharonovRegev04]
What’s ahead?
1. $\mathrm{GapCVP}_{n/\log n} \in \mathrm{coAM}$ [GoldreichGoldwasser98]
2. $\mathrm{GapCVP}_{n} \in \mathrm{coNP}$ [AharonovRegev04]
Chapter I
$\mathrm{GapCVP}_{n}$ in coAM [GoldreichGoldwasser98]
Our Goal
Given:
– Lattice L (specified by a basis)
– Point v
We want to:
Be convinced that v is far from L by interacting with an (all powerful) prover (using a constant number of rounds)
The Idea
Basic High-dimensional Geometry
• How big is the intersection of two balls of radius 1 in n dimensions whose centers are at distance apart?
– When 2, balls disjoint
– When =0, balls exactly overlap
– When =0.1, intersection is exponentially small
– When =1/n, intersection is constant fraction
The Protocol
• Flip a fair coin
– If heads, choose a random point in L+B
– If tails, choose a random point in L+B+v
• Send the resulting point to the prover
• The prover is supposed to tell whether the coin was heads or tails
(Can be implemented efficiently)
Demonstration of Protocol
Analysis
• If dist(v,L) > 2 then prover can always answer correctly
• If dist(v,L) < 1/n then with some constant probability, the prover has no way to tell what the coin outcome was
– Hence we catch the prover cheating with some constant probability
• This completes the proof
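The coin-flipping protocol and its analysis can be simulated in two dimensions. The following is an added example, not code from the talk: the lattice $5\mathbb{Z}^2$, the function names, the seed and the two test points are assumptions chosen so that the nearest lattice point is found by rounding.

```python
import math, random

SCALE = 5.0   # constructed lattice L = 5*Z^2, so nearest-point search is rounding
EPS = 1e-9    # slack for floating-point error at the ball boundary

def dist_to_lattice(p, shift=(0.0, 0.0)):
    """Distance from p to the shifted lattice L + shift."""
    return math.hypot(*(c - s - SCALE * round((c - s) / SCALE)
                        for c, s in zip(p, shift)))

def random_ball_point(rng):
    """Uniform point in the unit ball B (rejection sampling from the square)."""
    while True:
        p = (rng.uniform(-1, 1), rng.uniform(-1, 1))
        if math.hypot(*p) <= 1:
            return p

def verifier_message(v, rng):
    """Flip a coin; return (heads, point) with point in L+B or in L+B+v."""
    heads = rng.random() < 0.5
    b = random_ball_point(rng)
    p = b if heads else (b[0] + v[0], b[1] + v[1])
    # Reduce modulo L so the point reveals only its coset.
    return heads, tuple(c - SCALE * math.floor(c / SCALE) for c in p)

def prover_answer(p, v, rng):
    """Unbounded prover: decide which of L+B and L+B+v contains p."""
    in_heads = dist_to_lattice(p) <= 1 + EPS
    in_tails = dist_to_lattice(p, v) <= 1 + EPS
    if in_heads != in_tails:
        return in_heads
    return rng.random() < 0.5   # both fit equally well: the coin is hidden

def prover_success_rate(v, rounds=4000, seed=7):
    rng = random.Random(seed)
    wins = 0
    for _ in range(rounds):
        heads, p = verifier_message(v, rng)
        wins += prover_answer(p, v, rng) == heads
    return wins / rounds
```

With v = (2.5, 2.5), at distance about 3.54 from L, the prover is never wrong; with v = (0.05, 0) the two balls almost coincide and the prover does only slightly better than guessing.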
Chapter II
$\mathrm{GapCVP}_{n}$ in coNP [AharonovR04]
Our Goal
Given:
– Lattice L (specified by a basis)
– Point v
We want:
A witness for the fact that v is far from L
Overview
Step 1: Define f
Its value depends on the distance from L:
– Almost zero if distance > n
– More than zero if distance < log n
Step 2: Encode f
Show that the function f has a short description
Step 3: Verifier
Construct the NP verifier
Step 1: Define f
The function f
Consider the Gaussian: $e^{-\pi\|x\|^2}$
Periodize over L: $g(x) = \sum_{y \in L} e^{-\pi\|x-y\|^2}$
Normalize by g(0): $f(x) = \dfrac{g(x)}{g(0)}$
The function f (pictorially)
f distinguishes between far and close vectors
(a) $d(x,L) \ge n \Rightarrow f(x) \le 2^{-\Omega(n)}$
(b) $d(x,L) \le \log n \Rightarrow f(x) > n^{-5}$
Proof:
(a) [Banaszczyk93]
(b) Not too difficult
Step 2: Encode f
The function f (again)
$g(x) = \sum_{y \in L} e^{-\pi\|x-y\|^2}$, $f(x) = \dfrac{g(x)}{g(0)}$
Let’s consider its Fourier transform!
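$\hat f$ is a probability distribution
$L^* = \{ w \mid \forall x \in L,\ \langle w, x \rangle \in \mathbb{Z} \}$
Claim: $\hat f : L^* \to \mathbb{R}^+$ is a probability distribution on $L^*$
Proof: g is a convolution of a Gaussian and $\delta_L$
$\hat g(w) = e^{-\pi\|w\|^2}$ if $w \in L^*$, and $0$ o.w.
$\hat f(w) = \dfrac{\hat g(w)}{g(0)} = \dfrac{e^{-\pi\|w\|^2}}{\sum_{z \in L^*} e^{-\pi\|z\|^2}}$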
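f as an expectation
$f(x) = \sum_{w \in L^*} \hat f(w)\, e^{2\pi i \langle w, x \rangle} = E_{w \sim \hat f}\left[ e^{2\pi i \langle w, x \rangle} \right]$
In fact, it is an expectation of a real variable between −1 and 1:
$f(x) = E_{w \sim \hat f}\left[ \cos(2\pi \langle w, x \rangle) \right]$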
Encoding f
$f(x) = E_{w \sim \hat f}\left[ \cos(2\pi \langle w, x \rangle) \right]$
Pick $W=(w_1,w_2,\ldots,w_N)$ with N=poly(n) according to the $\hat f$ distribution on L*
$f_W(x) = \dfrac{1}{N} \sum_{j=1}^{N} \cos(2\pi \langle x, w_j \rangle)$
(Chernoff) $f_W(x) \approx f(x)$
This is true even pointwise!
The Approximating Function
$f_W(x) = \dfrac{1}{N} \sum_{j=1}^{N} \cos(2\pi \langle x, w_j \rangle)$
(with N=1000 dual vectors)
Interlude: CVPP
GapCVPP: Solve GapCVP on a preprocessed lattice (allowed infinite computational power, but before seeing v)
(ideas led to [MicciancioVoulgaris10]’s recent deterministic $2^n$ algorithm for lattice problems)
Algorithm for GapCVPP:
Prepare the function $f_W$ in advance;
When given v, calculate $f_W(v)$.
Algorithm for GapCVPP (n/logn) (best known!)
This concludes Step 2: Encode f
The encoding is a list W of vectors in L*
$f_W(x) \approx f(x)$
Step 3: NP Verifier
The Verifier (First Attempt)
Given input L,v, and witness W, accept iff
1. $f_W(v) < n^{-10}$, and
2. $f_W(x) > n^{-5}$ for all x within distance logn from L
• This verifier is correct
• But: how to check (2) efficiently?
– First check that $f_W$ is periodic over L (true if W in L*)
– Then check that $> n^{-5}$ around origin
• We don’t know how to do this for distance logn
• Instead, we do this for distance 0.01
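The Verifier (Second Attempt)
Given input L,v, and witness W, accept iff
1. $f_W(v) < n^{-10}$, and
2. $w_1,\ldots,w_N \in L^*$, and
3. $\forall x \in \mathbb{R}^n,\ \forall u:\ \left| \dfrac{\partial^2 f_W(x)}{\partial x_u^2} \right| \le 100$
2 implies that $f_W$ is periodic on L:
$\forall x \in \mathbb{R}^n,\ y \in L:\quad f_W(x+y) = \dfrac{1}{N} \sum_{j=1}^{N} \cos(2\pi \langle x+y, w_j \rangle) = \dfrac{1}{N} \sum_{j=1}^{N} \cos(2\pi \langle x, w_j \rangle + 2\pi \langle y, w_j \rangle) = f_W(x)$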
The Verifier (Second Attempt)
Given input L,v, and witness W, accept iff
1. $f_W(v) < n^{-10}$, and
2. $w_1,\ldots,w_N \in L^*$, and
3. $\forall x \in \mathbb{R}^n,\ \forall u:\ \left| \dfrac{\partial^2 f_W(x)}{\partial x_u^2} \right| \le 100$
3 implies that $f_W$ is at least 0.8 within distance 0.01 of the origin:
[Figure: plot of $f_W(x)$ for x between −.01 and .01, annotated with $f_W(0) = 1$ and $\dfrac{\partial f_W}{\partial x_u}(0) = 0$.]
The Final Verifier
Given input L,v, and witness W, accept iff
1. $f_W(v) < n^{-10}$, and
2. $w_1,\ldots,w_N \in L^*$, and
3. $\|WW^T\| < N$ where $W = (w_1, w_2, \ldots, w_N)$
3 checks that in any direction the w’s are not too long:
$\|WW^T\| = \max_{\|u\|=1} u W W^T u^T = \max_{\|u\|=1} \sum_{j=1}^{N} \langle u, w_j \rangle^2$
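The Final Verifier
Given input L,v, and witness W, accept iff
1. $f_W(v) < n^{-10}$, and
2. $w_1,\ldots,w_N \in L^*$, and
3. $\|WW^T\| < N$ where $W = (w_1, w_2, \ldots, w_N)$
$\dfrac{\partial^2 f_W(x)}{\partial x_u^2} = -\dfrac{4\pi^2}{N} \sum_{j=1}^{N} \langle u, w_j \rangle^2 \cos(2\pi \langle x, w_j \rangle)$
$\left| \dfrac{\partial^2 f_W(x)}{\partial x_u^2} \right| \le \dfrac{4\pi^2}{N} \sum_{j=1}^{N} \langle u, w_j \rangle^2 = \dfrac{4\pi^2}{N}\, u W W^T u^T \le \dfrac{4\pi^2}{N} \|WW^T\| < 100$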
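The three checks of the final verifier can be run on a small constructed lattice. This is an added example, not code from the talk or the cited paper: the 2-dimensional basis `B`, its dual basis `D`, the truncated sampler for the $\hat f$ distribution, the seed and the test points are all assumptions, and `far_threshold` is an assumed stand-in for $n^{-10}$, which says nothing useful when n = 2.

```python
import math, random

B = [(2.0, 0.0), (1.0, 2.0)]      # constructed basis of L
D = [(0.5, -0.25), (0.0, 0.5)]    # dual basis: <D[i], B[j]> = 1 if i == j else 0

def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]

def sample_witness(N, K=8, seed=1):
    """N points of L*, drawn with probability proportional to exp(-pi*|w|^2).
    Coefficients are truncated to [-K, K]; the mass beyond that is negligible."""
    pts = [(c1 * D[0][0] + c2 * D[1][0], c1 * D[0][1] + c2 * D[1][1])
           for c1 in range(-K, K + 1) for c2 in range(-K, K + 1)]
    weights = [math.exp(-math.pi * dot(w, w)) for w in pts]
    return random.Random(seed).choices(pts, weights, k=N)

def f_W(W, x):
    """f_W(x) = (1/N) * sum_j cos(2*pi*<x, w_j>)."""
    return sum(math.cos(2 * math.pi * dot(x, w)) for w in W) / len(W)

def in_dual(w, tol=1e-9):
    """w is in L* iff its inner product with every basis vector is an integer."""
    return all(abs(dot(w, b) - round(dot(w, b))) < tol for b in B)

def top_eigenvalue(W):
    """Largest eigenvalue of the 2x2 matrix W W^T = sum_j w_j w_j^T."""
    a = sum(w[0] * w[0] for w in W)
    b = sum(w[0] * w[1] for w in W)
    c = sum(w[1] * w[1] for w in W)
    return (a + c) / 2 + math.hypot((a - c) / 2, b)

def verify(v, W, far_threshold=0.5):
    """far_threshold is an assumed stand-in for n^-10 (meaningless for n = 2)."""
    return (f_W(W, v) < far_threshold            # check 1: f_W(v) is small
            and all(in_dual(w) for w in W)       # check 2: every w_j lies in L*
            and top_eigenvalue(W) < len(W))      # check 3: ||W W^T|| < N

W = sample_witness(2000)
FAR = (1.0, 0.75)    # deep hole of L, at distance 1.25 from the lattice
NEAR = (2.01, 0.0)   # at distance 0.01 from the lattice point (2, 0)
```

The witness is accepted for `FAR`, rejected for `NEAR`, and rejected for any v once a single vector outside L* is appended to W, since check 2 is what guarantees periodicity.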
Conclusion and Open Questions
• Lattice problems with approximation factors > n are unlikely to be NP-hard
– These are the problems used for crypto
– Can we say anything about their hardness?
• Perhaps relate to hardness of other problems, say factoring?
• Extremely important question for crypto
• Can the containment in NP∩coNP be improved to (n/logn) or even below?
Thanks!