# The Complexity of Lattice Problems

AI and Robotics

Nov 21, 2013 (4 years and 6 months ago)

137 views

1

The Complexity of

Lattice Problems

Oded Regev, Tel Aviv University

Amsterdam, May 2010

(for more details, see LLL+25 survey)

Lattice

v
1

v
2

0

2v
1

v
1
+v
2

2v
2

2v
2
-
v
1

2v
2
-
2v
1

For vectors v
1
,…,
v
n

in
R
n

we define the
lattice

generated by them as

L
={a
1
v
1
+…+
a
n
v
n

|
a
i

integers}

We call v
1
,…,
v
n

a
basis

of L

3

Lattice problems are among the richest problems
in complexity theory, exhibiting a wide range of
behaviors:

Some problems are in P (as shown by LLL)

Some problems are NP
-
hard

Some problems are not known to be in P, but believed
not to be NP
-
hard

As a rule of thumb, ‘algebraic’ problems are easy;
‘geometric’ problems are hard

Lattices from a Computational Complexity
Point of View

4

GapSVP

: Given a lattice, decide if the length of the
shortest vector is:

YES: less than
1

NO: more than

Shortest Vector Problem (SVP)

0

v
2

v
1

5

GapCVP

: Given a lattice and a point v, decide if the distance of v
from the lattice is:

YES: less than 1

NO: more than

GapSVP

is not harder than
GapCVP

[
GoldreichMicciancioSafraSeifert99
]

Both problems are clearly in NP (for any

)

Closest Vector Problem (CVP)

0

v
2

v
1

v

Polytime

algorithms for gap 2
n
loglogn
/
logn

[
LLL82
,
Schnorr87,AjtaiKumarSivakumar02
]

Hardness is known for:

GapCVP
:
n
c
/
loglogn

[
vanEmdeBoas81
…,
DinurKindlerRazSafra03]

GapSVP
: 1 in
l
1

[
vanEmdeBoas81
]
1
[
Ajtai96
]

2
[
Micciancio98]
2^(log
½
-
ε
n)
[
Khot04]

n
c
/
loglogn

[
HavivR07]

Known Results

2
n loglogn/logn

P

1

NP
-
hard

n
c/loglogn

?

n

Cryptography

[Ajtai
96
,AjtaiDwork
97
…]

Known Results

Limits on
Inapproximability

GapCVP
n

2
NP

coNP

[
LagariasLenstraSchnorr
90
,
Banaszczyk
93
]

GapCVP

n
/
logn

2
NP

coAM

[
GoldreichGoldwasser
98
]

GapCVP

n

2

NP

coNP

[
AharonovRegev
04
]

1

2
n loglogn/logn

NP
-
hard

P

n

n

NP

coNP

NP

coAM

NP

coNP

n
c/loglogn

8

1.
GapCVP

n
/
logn

2
NP

coAM

[
GoldreichGoldwasser
98
]

2.
GapCVP

n

2

NP

coNP

[
AharonovRegev
04
]

9

1.
GapCVP

n
/
logn

2

coAM

[
GoldreichGoldwasser
98
]

2.
GapCVP

n

2

coNP

[
AharonovRegev
04
]

10

Chapter I

GapCVP

n

in coAM

[GoldreichGoldwasser98]

11

Given:

-

Lattice L (specified by a basis)

-

Point v

We want to:

Be convinced that v is
far

from L by interacting
with an (all powerful) prover (using a constant
number of rounds)

Our Goal

12

The Idea

13

Basic High
-
dimensional Geometry

How big is the intersection of two balls of radius
1
in n dimensions whose centers are at distance

apart?

When

2
, balls
disjoint

When

=
0
, balls exactly overlap

When

=
0.1
, intersection is exponentially small

When

=
1
/

n, intersection is constant fraction

14

The Protocol

Flip a fair coin

If heads, choose a random point in L+B

If tails, choose a random point in L+B+v

Send the resulting point to the prover

The prover is supposed to tell whether the

(Can be implemented efficiently)

15

Demonstration of Protocol

16

Demonstration of Protocol

17

Analysis

If dist(
v,L
)>
2
then
prover

correctly

If dist(
v,L
)<
1
/

n then with some constant
probability, the
prover

has no way to tell what
the coin outcome was

Hence we catch the
prover

cheating with some
constant probability

This completes the proof

18

Chapter II

GapCVP

n

in coNP

[AharonovR
04
]

19

Given:

-

Lattice L (specified by a basis)

-

Point v

We want:

A witness for the fact that v is
far

from L

Our Goal

20

Overview

Step
1
:

Define f

Its value depends on the distance from L:

Almost zero if distance >

n

More than zero if distance <

log n

Step
2
:

Encode f

Show that the function f has a short description

Step
3
:

Verifier

Construct the NP verifier

21

Step
1
:

Define f

22

The function f

Consider the Gaussian:

Periodize

over L:

Normalize by g(
0
):

L
y
y
x
e
x
L
x
g
2
)
(
)
(

2
)
(
x
e
x

)
0
(
)
(
)
(
g
x
g
x
f

23

The function f (pictorially)

24

f distinguishes between far and close
vectors

(a) d(
x,L
)≥

n

f(x)≤
2
-
Ω
(n)

(b) d(
x,L
)≤

logn

f(x)>n
-
5

Proof:

(a)
[Banaszczyk
93
]

(b)

Not too difficult

25

Step
2
:

Encode f

26

The function f (again)

L
y
y
x
e
x
g
2
)
(

)
0
(
)
(
)
(
g
x
g
x
f

Let’s consider its Fourier transform !

27

f
̂

is a probability distribution

L
x
Z
x
w
w
L

,
|
*
Claim:

f
̂

: L
*

R
+

is a probability
distribution on L
*

g is a convolution of a Gaussian and
δ
L

Proof:

.
.
*
0
ˆ
)
(
ˆ
2
2
w
o
L
w
e
e
w
g
w
L
x

*
2
2
)
0
(
)
(
ˆ
)
(
ˆ
L
z
z
w
e
e
g
w
g
w
f

28

f as an expectation

*
,
2
)
(
ˆ
)
(
L
w
w
x
i
e
w
f
x
f

In fact, it

is an expectation of

a
real

variable between
-
1
and
1
:

]
[
,
2
ˆ

w
x
i
f
w
e
E

)]
,
2
[cos(
)
(
ˆ

w
x
E
x
f
f
w

29

Encoding f

(
Chernoff
)

This is true even
pointwise
!

)]
,
2
[cos(
)
(
ˆ

w
x
E
x
f
f
w

Pick W=(w
1
,w
2
,…,
w
N
)

with N=poly(n)

according to the
f
̂

distribution on L*

N
j
j
N
W
w
x
x
f
1
1
)
,
2
cos(
)
(

)
(
)
(
x
f
x
f
W

30

The Approximating Function

N
j
j
N
W
w
x
x
f
1
1
)
,
2
cos(
)
(

(with N=
1000
dual vectors)

31

Interlude: CVPP

GapCVPP

Solve
GapCVP

on a
preprocessed

lattice (allowed infinite
computational power, but
before
seeing v
)

(ideas led to [MicciancioVoulgaris10]’s recent deterministic 2
n

algorithm for lattice problems)

Algorithm for
GapCVPP
:

Prepare the function
f
W

When given v, calculate
f
W
(v).

Algorithm for
GapCVPP

(n/
logn
)

(best known!)

32

This concludes
Step
2
:
Encode f

The encoding is a list W of vectors in L*

f
W
(x) ≈ f(x)

33

Step
3
:

NP Verifier

34

The Verifier (First Attempt)

Given input
L,v
, and witness W, accept
iff

1
.

f
W

(v) < n
-
10
, and

2
.

f
W
(x) > n
-
5

for
all

x within distance

logn

from L

This verifier is correct

But:

how to check (
2
) efficiently?

-

First check that
f
W

is
periodic

over L (true if W in L*)

-

Then check that >n
-
5

around

origin

We don’t know how to do this for distance

logn

Instead, we do this for distance
0.01

35

The Verifier (Second Attempt)

Given input
L,v
, and witness W, accept
iff

1
.

f
W

(v) < n
-
10
, and

2
.
w
1
,…,
w
N

L*, and

3
.

100
)
(
,
,
2
2

u
W
n
x
x
f
u
x
2
implies that f
W

is periodic on L:

N
j
j
N
W
n
w
y
x
y
x
f
L
y
x
1
1
)
,
2
cos(
)
(
,
,

N
j
j
j
N
w
y
w
x
1
1
)
,
2
,
2
cos(

)
(
x
f
W

36

The Verifier (Second Attempt)

-0.2
0
0.2
0.4
0.6
0.8
1
1.2
f
W
(x)

0

.
01

-
.
01

1
)
0
(

W
f
0
)
0
(

u
W
x
f

Given input
L,v
, and witness W, accept
iff

1
.

f
W

(v) < n
-
10
, and

2
.
w
1
,…,
w
N

L*, and

3
.

100
)
(
,
,
2
2

u
W
n
x
x
f
u
x
3
implies that f
W

is at least
0.8
within
distance
0.01
of the origin:

37

The Final Verifier

N
w
w
w
W
.......
2
1

Given input
L,v
, and witness W, accept
iff

1
.

f
W

(v) < n
-
10
, and

2
.
w
1
,…,
w
N

L*, and

3
.

||WW
T
||<N where

N
j
j
u
T
T
u
T
w
u
u
uWW
WW
1
2
1
1
,
max
max
3
checks that in any direction the w’s are not too long:

38

The Final Verifier

Given input
L,v
, and witness W, accept
iff

1
.

f
W

(v) < n
-
10
, and

2
.
w
1
,…,
w
N

L*, and

3
.

||WW
T
||<N where

N
w
w
w
W
.......
2
1
)
,
2
cos(
,
4
)
(
1
2
2
2
2

x
w
u
w
N
x
x
f
j
N
j
j
u
W

100
4
4
,
4
)
(
2
2
1
2
2
2
2

T
T
T
N
j
j
u
W
WW
N
u
uWW
N
u
w
N
x
x
f

41

Conclusion and Open Questions

Lattice problems with approximation factors
>

n are unlikely to be NP
-
hard

These are the problems used for crypto

Can we say anything about their hardness?

Perhaps relate to hardness of other problems, say
factoring?

Extremely important question for crypto

Can the containment in
NP

coNP

be
improved to

(n/
logn
) or even below?

42

Thanks!