![Page 1: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/1.jpg)
1
The Complexity of Lattice Problems
Oded Regev, Tel Aviv University
Amsterdam, May 2010
(for more details, see LLL+25 survey)
![Page 2: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/2.jpg)
Lattice
v1 v2
0
2v1v1+v2 2v2
2v2-v1
2v2-2v1
• For vectors v1,…,vn in Rn we define the lattice generated by them as
L={a1v1+…+anvn | ai integers}
• We call v1,…,vn a basis of L
![Page 3: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/3.jpg)
3
• Lattice problems are among the richest problems in complexity theory, exhibiting a wide range of behaviors:– Some problems are in P (as shown by LLL)– Some problems are NP-hard– Some problems are not known to be in P, but
believed not to be NP-hard• As a rule of thumb, ‘algebraic’ problems
are easy; ‘geometric’ problems are hard
Lattices from a Computational Complexity Point of View
![Page 4: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/4.jpg)
4• GapSVP: Given a lattice, decide if the length of the shortest vector is:– YES: less than 1– NO: more than
Shortest Vector Problem (SVP)
0
v2
v1
![Page 5: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/5.jpg)
5
• GapCVP: Given a lattice and a point v, decide if the distance of v from the lattice is:– YES: less than 1– NO: more than
• GapSVP is not harder than GapCVP [GoldreichMicciancioSafraSeifert99]
• Both problems are clearly in NP (for any )
Closest Vector Problem (CVP)
0
v2
v1
v
![Page 6: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/6.jpg)
6
• Polytime algorithms for gap 2n loglogn/logn
[LLL82,Schnorr87,AjtaiKumarSivakumar02]• Hardness is known for:
– GapCVP: nc/loglogn [vanEmdeBoas81…,DinurKindlerRazSafra03]
– GapSVP: 1 in l1 [vanEmdeBoas81] 1 [Ajtai96]
2 [Micciancio98] 2^(log½-εn) [Khot04]
nc/loglogn [HavivR07]
Known Results
2n loglogn/logn
P
1
NP-hard
nc/loglogn?n
Cryptography[Ajtai96,AjtaiDwork97
…]
![Page 7: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/7.jpg)
7
Known ResultsLimits on Inapproximability
• GapCVPn 2 NP∩coNP [LagariasLenstraSchnorr90,
Banaszczyk93]• GapCVPn/logn 2 NP∩coAM
[GoldreichGoldwasser98]• GapCVPn 2 NP∩coNP [AharonovRegev04]1 2n loglogn/logn
NP-hard P
nn
NP∩coNPNP∩coAMNP∩coNP
nc/loglogn
![Page 8: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/8.jpg)
8
What’s ahead?
1. GapCVPn/logn 2 NP∩coAM [GoldreichGoldwasser98]
2. GapCVPn 2 NP∩coNP [AharonovRegev04]
![Page 9: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/9.jpg)
9
What’s ahead?
1. GapCVPn/logn 2 coAM [GoldreichGoldwasser98]
2. GapCVPn 2 coNP [AharonovRegev04]
![Page 10: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/10.jpg)
10
Chapter I
GapCVPn in coAM
[GoldreichGoldwasser98]
Chapter I
GapCVPn in coAM
[GoldreichGoldwasser98]
![Page 11: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/11.jpg)
11
Given:
- Lattice L (specified by a basis) - Point v
We want to:
Be convinced that v is far from L by interacting with an (all powerful) prover (using a constant number of rounds)
Our Goal
![Page 12: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/12.jpg)
12
The Idea
![Page 13: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/13.jpg)
13
Basic High-dimensional Geometry
• How big is the intersection of two balls of radius 1 in n dimensions whose centers are at distance apart?– When 2, balls disjoint– When =0, balls exactly overlap – When =0.1, intersection is exponentially
small– When =1/n, intersection is constant
fraction
![Page 14: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/14.jpg)
14
The Protocol
• Flip a fair coin– If heads, choose a random point in L+B– If tails, choose a random point in
L+B+v• Send the resulting point to the
prover• The prover is supposed to tell
whether the coin was heads of tails
(Can be implemented efficiently)
![Page 15: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/15.jpg)
15
Demonstration of Protocol
![Page 16: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/16.jpg)
16
Demonstration of Protocol
![Page 17: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/17.jpg)
17
Analysis
• If dist(v,L)>2 then prover can always answer correctly
• If dist(v,L)<1/n then with some constant probability, the prover has no way to tell what the coin outcome was– Hence we catch the prover cheating with
some constant probability
• This completes the proof
![Page 18: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/18.jpg)
18
Chapter II
GapCVPn in coNP
[AharonovR04]
Chapter II
GapCVPn in coNP
[AharonovR04]
![Page 19: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/19.jpg)
19
Given:
- Lattice L (specified by a basis) - Point v
We want:
A witness for the fact that v is far from L
Our Goal
![Page 20: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/20.jpg)
20
Overview
Step 1: Define fIts value depends on the distance from L:
– Almost zero if distance > n – More than zero if distance < log n
Step 2: Encode f Show that the function f has a short description
Step 3: Verifier Construct the NP verifier
![Page 21: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/21.jpg)
21
Step 1:
Define f
Step 1:
Define f
![Page 22: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/22.jpg)
22
The function fConsider the Gaussian:
Periodize over L:
Normalize by g(0):
Ly
yxexLxg2
)()(
2
)( xex
)0()()( gxgxf
![Page 23: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/23.jpg)
23
The function f (pictorially)
![Page 24: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/24.jpg)
24
f distinguishes between far and close vectors
(a) d(x,L)≥n f(x)≤2-Ω(n)
(b) d(x,L)≤logn f(x)>n-5
Proof: (a) [Banaszczyk93] (b) Not too difficult
![Page 25: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/25.jpg)
25
Step 2:
Encode f
Step 2:
Encode f
![Page 26: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/26.jpg)
26
The function f (again)
Ly
yxexg2
)(
)0()()( gxgxf
Let’s consider its Fourier transform !
![Page 27: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/27.jpg)
27
f ̂ is a probability distribution
LxZxwwL ,|*
Claim: f ̂ : L*R+ is a probability distribution on L*
g is a convolution of a Gaussian and δL
Proof:
..
*
0ˆ)(ˆ
22
wo
Lweewgw
Lx
*
2
2
)0()(ˆ)(ˆ
Lz
z
w
e
egwgwf
![Page 28: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/28.jpg)
28
f as an expectation
*
,2)(ˆ)(Lw
wxiewfxf
In fact, it is an expectation of a real variable between -1 and 1:
Chernoff
][ ,2ˆ
wxi
fweE
)],2[cos()( ˆ
wxExffw
![Page 29: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/29.jpg)
29
Encoding f
(Chernoff) This is true even pointwise!
)],2[cos()( ˆ
wxExffw
Pick W=(w1,w2,…,wN) with N=poly(n)
according to the f ̂ distribution on L*
N
jjNW wxxf
1
1 ),2cos()(
)()( xfxf W
![Page 30: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/30.jpg)
30
The Approximating Function
N
jjNW wxxf
1
1 ),2cos()(
(with N=1000 dual vectors)
![Page 31: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/31.jpg)
31
Interlude: CVPP
GapCVPP Solve GapCVP on a preprocessed lattice
(allowed infinite computational power, but before seeing v)
(ideas led to [MicciancioVoulgaris10]’s recent deterministic 2n algorithm for lattice problems)
Algorithm for GapCVPP: Prepare the function fW in advance; When given v, calculate fW(v).
Algorithm for GapCVPP(n/logn) (best known!)
![Page 32: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/32.jpg)
32
This concludes Step 2: Encode f
The encoding is a list W of vectors in L*fW(x) ≈ f(x)
This concludes Step 2: Encode f
The encoding is a list W of vectors in L*fW(x) ≈ f(x)
![Page 33: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/33.jpg)
33
Step 3:
NP Verifier
Step 3:
NP Verifier
![Page 34: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/34.jpg)
34
The Verifier (First Attempt)
Given input L,v, and witness W, accept iff 1. fW (v) < n-10, and
2. fW(x) > n-5 for all x within distance logn from L• This verifier is correct
• But: how to check (2) efficiently?
- First check that fW is periodic over L (true if W in L*)
- Then check that >n-5 around origin
• We don’t know how to do this for distance logn
• Instead, we do this for distance 0.01
0.01
![Page 35: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/35.jpg)
35
The Verifier (Second Attempt)
Given input L,v, and witness W, accept iff
1. fW (v) < n-10, and
2. w1,…,wN L*, and
3. 100
)(,,
2
2
u
Wn
x
xfux
2 implies that fW is periodic on L:
N
jjNW
n wyxyxfLyx1
1 ),2cos()(,,
N
jjjN wywx
1
1 ),2,2cos( )(xfW
![Page 36: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/36.jpg)
36
The Verifier (Second Attempt)
-0.2
0
0.2
0.4
0.6
0.8
1
1.2
f W(x
)
0 .01-.01
1)0( Wf
0)0(
u
W
x
f
Given input L,v, and witness W, accept iff
1. fW (v) < n-10, and
2. w1,…,wN L*, and
3. 100
)(,,
2
2
u
Wn
x
xfux
3 implies that fW is at least 0.8 within distance 0.01 of the origin:
![Page 37: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/37.jpg)
37
The Final Verifier
NwwwW .......21
Given input L,v, and witness W, accept iff
1. fW (v) < n-10, and
2. w1,…,wN L*, and
3. ||WWT||<N where
N
jju
TTu
T wuuuWWWW1
211 ,maxmax
3 checks that in any direction the w’s are not too long:
![Page 38: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/38.jpg)
38
The Final Verifier Given input L,v, and witness W, accept
iff 1. fW (v) < n-10, and
2. w1,…,wN L*, and
3. ||WWT||<N where
NwwwW .......21
),2cos(,4)(
1
22
2
2
xwuwNx
xfj
N
jj
u
W
10044
,4)( 22
1
22
2
2
TTTN
jj
u
W WWN
uuWWN
uwNx
xf
![Page 39: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/39.jpg)
41
Conclusion and Open Questions
• Lattice problems with approximation factors >n are unlikely to be NP-hard– These are the problems used for crypto– Can we say anything about their
hardness?• Perhaps relate to hardness of other
problems, say factoring?• Extremely important question for crypto
• Can the containment in NP∩coNP be improved to (n/logn) or even below?
![Page 40: 1 The Complexity of Lattice Problems Oded Regev, Tel Aviv University Amsterdam, May 2010 (for more details, see LLL+25 survey)](https://reader030.vdocuments.net/reader030/viewer/2022013004/56649d165503460f949ec336/html5/thumbnails/40.jpg)
42
Thanks!