The Closest Vector is Hard to Approximate and now, for unlimited time only with Pre - Processing !!...
-
Upload
beverley-jacobs -
Category
Documents
-
view
212 -
download
0
Transcript of The Closest Vector is Hard to Approximate and now, for unlimited time only with Pre - Processing !!...
The Closest Vector is Hard to The Closest Vector is Hard to
ApproximateApproximateand now, for unlimited time onlyand now, for unlimited time only
with with PrePre--Processing !!Processing !!
The Closest Vector is Hard to The Closest Vector is Hard to
ApproximateApproximateand now, for unlimited time onlyand now, for unlimited time only
with with PrePre--Processing !!Processing !!
Nisheeth vishnoi
Subhash Khot
Michael Alekhnovich
Joint work with
Guy KindlerGuy KindlerMicrosoft ResearchMicrosoft Research
In this talk:In this talk:
LatticesLattices
The closest vector problem: backgroundThe closest vector problem: background
Our results: NP-hardness for Our results: NP-hardness for CV-PPCV-PP
Proving hardness with preprocessingProving hardness with preprocessing
Something about our proof: new property of Something about our proof: new property of
PCPsPCPs
A A lattice,lattice, LL: A discrete additive subgroup of : A discrete additive subgroup of RRnn..
A A basisbasis for for LL: : bb11,…,b,…,bnn22RRnn, s.t. , s.t. L={L={iiaaiibbii : :
aa11,..,a,..,ann22ZZ}}..
The Closest Vector Problem (The Closest Vector Problem (CVPCVP))The Closest Vector Problem (The Closest Vector Problem (CVPCVP))
The Closest Vector Problem (The Closest Vector Problem (CVPCVP))The Closest Vector Problem (The Closest Vector Problem (CVPCVP))
CVPCVP: Given a lattice : Given a lattice LL and a target vector and a target vector tt,,
find the point in find the point in LL closest to closest to tt in inllpp distance. distance.
[Regev Ronen 05][Regev Ronen 05] Hardness results in Hardness results in ll22 carry for any carry for any llpp..
[Ajtai Kumar Sivakumar 01]:[Ajtai Kumar Sivakumar 01]: 22O(nloglog(n)/log n)O(nloglog(n)/log n)=2=2o(n)o(n) approx. approx.
[Dinur Kindler Raz Safra 98]:[Dinur Kindler Raz Safra 98]: nnO(1/loglog n)O(1/loglog n)=n=no(1)o(1) hardness. hardness.
[Lagarias Lenstra Schnorr 90, Banaszczyk 93, Goldreich [Lagarias Lenstra Schnorr 90, Banaszczyk 93, Goldreich
Goldwasser 00, Aharonov Regev 04]Goldwasser 00, Aharonov Regev 04] NP-hardness of NP-hardness of (n/log (n/log
n)n)1/21/2 would collapse the polynomial hierarchy. would collapse the polynomial hierarchy.
Motivation for studying Motivation for studying CVPCVPMotivation for studying Motivation for studying CVPCVP
[Ajtai 96]:[Ajtai 96]: Worst case to average case reductions for Worst case to average case reductions for
lattice problems. lattice problems.
[Ajtai Dwork 97][Ajtai Dwork 97] Based cryptosystems on lattice Based cryptosystems on lattice
problems.problems.
[Goldreich Goldwasser Halevi 97][Goldreich Goldwasser Halevi 97] Cryptosystem based on Cryptosystem based on
CVPCVP..
[Micciancio Vadhan 03] [Micciancio Vadhan 03] Identification scheme based on Identification scheme based on
(n/log n)(n/log n)1/2 1/2 hardness for hardness for CVPCVP..tt – message.
LL – coding function: known in advance, and reused.
Is it safe to reuse Is it safe to reuse LL as key? as key?Is it safe to reuse Is it safe to reuse LL as key? as key?
CV-PPCV-PP: :
Preprocess Preprocess LL for unlimited time, for unlimited time,
Given Given tt, solve , solve CVPCVP on on LL,,tt..
[Kannan 87, Lagarias Lenstra Schnorr 90, Aharonov Regev ] [Kannan 87, Lagarias Lenstra Schnorr 90, Aharonov Regev ]
O(nO(n1/21/2))-approx. for -approx. for CV-PPCV-PP..
[Feige Micciancio 02][Feige Micciancio 02] (5/3)(5/3)1/p1/p approx. hardness for approx. hardness for CV-PPCV-PP..
[Regev 03][Regev 03] 331/p1/p approx. hardness for approx. hardness for CV-PPCV-PP..
Our ResultsOur ResultsOur ResultsOur Results
Thm:Thm: CV-PPCV-PP in NP-hard(!) to approximate within in NP-hard(!) to approximate within any any
constantconstant. Also applies to . Also applies to NC-PPNC-PP..
Unless NPUnless NPµµDTIME(DTIME(22polylog npolylog n), ),
NC-PPNC-PP is hard to approximate within is hard to approximate within (log n)(log n)1-1-
CV-PPCV-PP is hard to approximate within is hard to approximate within (log n)(log n)(1/p)-(1/p)-
1st Proof :1st Proof : By reduction from By reduction from E-k-HVCE-k-HVC [DGKR 03][DGKR 03]..
2nd proof:2nd proof: Using PCP-PP constructions, plus Using PCP-PP constructions, plus
smoothing smoothing technique of technique of [Khot 02][Khot 02]..
Proving hardness with Proving hardness with preprocessingpreprocessing
Proving hardness with Proving hardness with preprocessingpreprocessing
Hardness of approximation within gap Hardness of approximation within gap gg::
II22 ¦¦ )) dist(t,L)dist(t,L)·· d d
II ¦ ¦ )) dist(t,L)dist(t,L)¸̧ d d¢¢gg
I: Instance of
¦2NPC
I: Instance of
¦2NPCReductionReduction L , tL , t
Proving hardness with Proving hardness with preprocessingpreprocessing
Proving hardness with Proving hardness with preprocessingpreprocessing
I: Instance of
¦2NPC
I: Instance of
¦2NPCReductionReduction L , tL , t
Hardness of approximation within Hardness of approximation within gg, with preprocessing:, with preprocessing:
Size of ISize of I Partial Input Generator
Partial Input Generator
Preprocessed L
Preprocessed L
CV-PP
tt
II22 ¦ ¦ )) dist(t,L)dist(t,L)·· d d
II ¦¦ )) dist(t,L)dist(t,L)¸̧ d d¢¢gg
Hardness of approximation within gap Hardness of approximation within gap gg::
Size of ISize of I Partial Input Generator
Partial Input Generator
I: Instance of
¦2NPC
I: Instance of
¦2NPCReductionReduction
PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))
Preprocessed L
Preprocessed L
tt
CV-PP
LEFTLEFT
RIGHTRIGHT
PCP-PPII22 ¦ ¦ )) dist(t,L)dist(t,L)·· d d
II ¦ ¦ )) dist(t,L)dist(t,L)¸̧ d d¢¢gg
PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..
xx22+2xy=7+2xy=7xx22+z+z22=5=5
..
..
Size of ISize of I Partial Input Generator
Partial Input Generator
I: Instance of
¦2NPC
I: Instance of
¦2NPCReductionReduction
PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))
LEFTLEFT
RIGHTRIGHT
PCP-PPII22 ¦ ¦ ) ) opt(LEFT,RIGHT)=1opt(LEFT,RIGHT)=1
II ¦ ¦ ) ) opt(LEFT,RIGHT)opt(LEFT,RIGHT)··c<1c<1
PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..
xx22+2xy=7+2xy=7xx22+z+z22=5=5
..
..
Size of ISize of I Partial Input Generator
Partial Input Generator
I: Instance of
¦2NPC
I: Instance of
¦2NPCReductionReduction
PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))
LEFTLEFT
RIGHTRIGHT
PCP-PP
PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..
Size of ISize of I
I: Instance of
¦2NPC
I: Instance of
¦2NPC
PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))
LEFTLEFT
RIGHTRIGHT
Preprocessed L
Preprocessed L
tt
CV-PP
PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..
PCP-PP
PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))
LEFT
RIGHT
PCP-PP
PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..
PCP-PPPCP-PP construction constructionPCP-PPPCP-PP construction construction
LEFTLEFT
RIGHTRIGHT
PCP-PP
PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..
Just (carefully) apply usual
PCP construction!
Just (carefully) apply usual
PCP construction!
Open problemsOpen problemsOpen problemsOpen problems
Get better hardness parameters for CV-PP Get better hardness parameters for CV-PP
(perhaps using methods from (perhaps using methods from [DKRS 98][DKRS 98]).).
Get improved hardness results for lattice Get improved hardness results for lattice
problems, under stronger assumptions than NPproblems, under stronger assumptions than NPP.P.
Find more uses for Find more uses for PCP-PPPCP-PP constructions. constructions.