1 / 35

GapSVP  n and GapCVP  n are in NP ∩ coNP

GapSVP  n and GapCVP  n are in NP ∩ coNP. Dorit Aharonov Oded Regev. Lattices. Basis: v 1 ,…,v n vectors in R n The lattice L is L={a 1 v 1 +…+a n v n | a i integers}. v 1 +v 2. 2v 2. 2v 1. 2v 2 -v 1. v 1. v 2. 2v 2 -2v 1. 0. Shortest Vector Problem (SVP).

leslieb
Download Presentation

GapSVP  n and GapCVP  n are in NP ∩ coNP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GapSVPnandGapCVPn are in NP ∩ coNP Dorit Aharonov Oded Regev

  2. Lattices • Basis: v1,…,vn vectors in Rn • The lattice L is L={a1v1+…+anvn| ai integers} v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1 0

  3. Shortest Vector Problem (SVP) • GapSVPb: Given a lattice, decide if the length of the shortest vector is: • YES: less than 1 • NO: more than b v2 v1 0

  4. v Closest Vector Problem (CVP) • GapCVPb: Given a lattice and a point v, decide if the distance of v from the lattice is: • YES: less than 1 • NO: more than b • GapSVPbis easier than GapCVPb [GoldreichMicciancioSafraSeifert99] v2 v1 0

  5. n Cryptography [Ajtai96,AjtaiDwork97…] Known Results • Polytime algorithms for gap 2n loglogn/logn [LLL82,Schnorr87,AjtaiKumarSivakumar02] • NP-hardness is known for: • GapCVP: 2^(log1-en) [DinurKindlerSafra03] • GapSVP: 2 [Micciancio98] ? 1 2^(log1-en) 2n loglogn/logn P NP-hard

  6. Known ResultsLimits on Inapproximability • GapCVPn 2 NP∩coNP [LagariasLenstraSchnorr90, Banaszczyk93] • GapCVPn 2 NP∩coAM [GoldreichGoldwasser98] • GapSVPn 2 NP∩coQMA [AharonovRegev03] 1 2^(log1-en) n n 2n loglogn/logn NP∩coNP NP∩coAM NP∩coQMA P NP-hard

  7. 2^(log1-en) n n 2n loglogn/logn P NP-hard Main Result Theorem: GapCVPn2 NP∩coNP NP∩coNP NP∩coAM NP∩coQMA NP∩coNP

  8. Proof ofGapCVPn in coNP

  9. Our Goal Given: - Lattice L (by v1,v2,…,vn) - Point v We want: A witness for the fact that v is far from L

  10. Overview Step 1:Define f • Its value depends on the distance from L: • Almost zero if distance > √n • More than zero if distance < √log Step 2:Encode f Show that the function f has a short description Step 3:Verifyf Verify that the function is non-negligible close to L Pointwise approximation lemma CVPP approximation algorithm

  11. Step 1: Define f

  12. The function f Consider the Gaussian: Periodize over L: Normalize by g(0):

  13. The function f (pictorially)

  14. f distinguishes between far and close vectors (a) d(x,L)≥√n  f(x)≤2-Ω(n) (b) d(x,L)≤√logn  f(x)>n-5 Proof:(a) Banaszczyk93 (simple for one Gaussian) (b)Suffices to show

  15. Step 2: Encode f

  16. The function f (again) Let’s consider its Fourier transform !

  17. Proof: g is a convolution of a Gaussian and δL is a probability measure Claim: f is a probability measure on L*

  18. f is an expectation In fact, itis an expectation of a real variable between -1 and 1: Chernoff

  19. Encoding f Pick W=(w1,w2,…,wN)with N=poly(n) according to the f distribution on L* (Chernoff) This is true even pointwise!

  20. A Pointwise Approximation Lemma Lemma: Let f be a function on an Abelian group. If f is a probability measure then In fact, it is enough that f¸0 and ∑f(w) < poly. Note the difference between this and truncating the small Fourier coefficients [KushilevitzMansour91]

  21. Back to Lattices:the Approximating Function (with N=1000 dual vectors)

  22. This concludes Step 2: Encode fThe encoding is a list W of vectors in L*fW(x) ≈ f(x)

  23. Interlude: An Immediate Corollary GapCVPP Solve GapCVP on a preprocessed lattice (allowed infinite computational power, but before seeing v) Algorithm for GapCVPP: Prepare the function fW in advance; When given v, calculate fW(v).  √(n/logn) approximation algorithm, improving the previous n-approximation [Regev03]

  24. Back to GapCVP√n in coNP The input is L and v The witness is a list of vectors W = (w1 , … ,wN) Verify that fWis non-negligible near L

  25. Step 3:Verify fW

  26. 0.01 The Verifier (First Attempt) Accepts iff 1. fW (v) < n-10, and 2. fW(x) > n-5 for all x within distance √logn from L • Completeness and soundness would follow • But: how to check (2) ? • - First check that fW is periodic over L (true if W in L*) • - Then check non-negligibility aroundorigin • We don’t know how to do this for distance √logn • We do this for distance 0.01

  27. The Verifier (Second Attempt) Accepts iff 1. fW (v) < n-10, and 2. w1,…,wN L*, and 3. 2 implies that fW is periodic on L:

  28. The Verifier (Second Attempt) Accepts iff 1. fW (v) < n-10, and 2. w1,…,wN L*, and 3. 3 implies that fW is at least .8 within distance .01 of the origin: fW(x) 0 .01 -.01

  29. The Final Verifier Accepts iff 1. fW (v) < n-10, and 2. w1,…,wN L*, and 3. ||WWT||<N where 3 checks that in any direction the w’s are not too long:

  30. The Final Verifier Accepts iff 1. fW (v) < n-10, and 2. w1,…,wN L*, and 3. ||WWT||<N where

  31. Soundness If d(v,L)<0.01 then any W fails one of the tests 1. fW (v) < n-10 2. w1,…,wN 2L* 3. ||WWT||<N Proof: 2 & 3  not 1 ||WWT||<N  fW(x) > 0.8 for |x|<0.01

  32. Completeness If d(v,L)>√n there exists a witness W s.t.: 1. fW (v) < n-10 2. w1,…,wN L* 3. ||WWT||<N Proof: Pick W=w1,…,wn from L* according to the f distrib. 1,2 3 follows from: [Banaszczyk93]

  33. Conclusion • Main result: GapCVPn2 NP ∩ coNP • An algorithm for GapCVPP√(n/logn) • An interesting lemma about point-wise approximation by Fourier Sparse functions

  34. Open Problems • Can the containment in NP∩coNP be improved to √(n/logn)? • Can it be improved beyond? (seems that this requires ‘looking into the lattice’) • Can we extend this method to other problems, like Graph Isomorphism ? • Other uses for the pointwise approximation lemma? • Other ‘quantum inspired’ results ?

  35. Thanks !!

More Related