Limits on the Hardness of Lattice Problems in $\ell_p$ Norms - Chris Peikert


  1. Limits on the Hardness of Lattice Problems in $\ell_p$ Norms. Chris Peikert, SRI International. Complexity 2007. (slide 1 / 12)

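  5. Lattices and Their Problems (slide 2 / 12)

     Let $B = \{b_1, \ldots, b_n\} \subset \mathbb{R}^n$ be linearly independent. The $n$-dim lattice $\mathcal{L}$ having basis $B$ is:

     $$\mathcal{L} = \sum_{i=1}^{n} (\mathbb{Z} \cdot b_i)$$

     [Figure: lattice with basis vectors $b_1$, $b_2$ and a target point $v$]

     Close Vector Problem ($\mathrm{CVP}_\gamma$): approximation factor $\gamma = \gamma(n)$, in some norm $\|\cdot\|$.
     - Given basis $B$ and point $v \in \mathbb{R}^n$, distinguish $\mathrm{dist}(v, \mathcal{L}) \le 1$ from $\mathrm{dist}(v, \mathcal{L}) > \gamma$ (otherwise, don't care).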

  7. Lattices and Their Problems (slide 2 / 12)

     Let $B = \{b_1, \ldots, b_n\} \subset \mathbb{R}^n$ be linearly independent. The $n$-dim lattice $\mathcal{L}$ having basis $B$ is:

     $$\mathcal{L} = \sum_{i=1}^{n} (\mathbb{Z} \cdot b_i)$$

     [Figure: lattice with basis vectors $b_1$, $b_2$]

     Short Vector Problem ($\mathrm{SVP}_\gamma$): define the minimum distance $\lambda = \min \|v\|$ over all $0 \ne v \in \mathcal{L}$.
     - Given basis $B$, distinguish $\lambda \le 1$ from $\lambda > \gamma$ (otherwise, don't care).

     Usually use the $\ell_p$ norm: $\|x\|_p = \left(\sum_{i=1}^{n} |x_i|^p\right)^{1/p}$.

  9. Algorithms and Hardness (slide 3 / 12)

     Algorithms for $\mathrm{SVP}_\gamma$ & $\mathrm{CVP}_\gamma$
     - $\gamma(n) \sim 2^n$ approximation in poly-time [LLL, Babai, Schnorr]
     - Time/approximation tradeoffs: $\gamma(n) \sim n^c$ in time $\sim 2^{n/c}$ [AKS]

     NP-Hardness (some randomized reductions...)
     - In any $\ell_p$ norm, $\mathrm{SVP}_\gamma$ hard for any $\gamma(n) = O(1)$ [Ajt, Micc, Khot, ReRo]
     - In any $\ell_p$ norm, $\mathrm{CVP}_\gamma$ hard for any $\gamma(n) = n^{O(1/\log\log n)}$ [DKRS, Dinur]
     - Many other problems (CVPP, SIVP) hard as well...

  17. 'Positive' Results (Limits on Hardness) (slide 4 / 12)

      Could problems be NP-hard for much larger $\gamma(n)$? Probably not.
      - In $\ell_2$ norm, $\mathrm{CVP}_\gamma \in \mathrm{coAM}$ for $\gamma \sim \sqrt{n/\log n}$ [GoldreichGoldwasser]
      - In $\ell_2$ norm, $\mathrm{CVP}_\gamma \in \mathrm{coNP}$ for $\gamma \sim \sqrt{n}$ [AharonovRegev]
      - $\mathrm{CVP}_\gamma$ is as hard as many other lattice problems [GMSS, GMR]

      Neat. What else?
      - In $\ell_2$ norm, $\mathrm{SVP}_\gamma \le$ avg-problems for $\gamma \sim n$ [Ajtai, ..., MR, Regev]
      - For lattice problems, $\ell_2$ norm is easiest [RegevRosen]
      - Much, much more... [LLM, PR]

      (Can generalize to $\ell_p$ norms, but lose up to $\sqrt{n}$ factors.)

  24. Our Results (slide 5 / 12)

      - Extend positive results to $\ell_p$ norms, $p \ge 2$, for same factors $\gamma(n)$.

      New Limits on Hardness
      - In $\ell_p$ norm, $\mathrm{CVP}_\gamma \in \mathrm{coNP}$ for $\gamma = c_p \cdot \sqrt{n}$
      - In $\ell_p$ norm, $\mathrm{SVP}_\gamma \le$ avg-problems for $\gamma \sim c_p \cdot n$
      - Generalize to norms defined by arbitrary convex bodies

      Techniques
      - New analysis of prior algorithms [AharRegev, MiccRegev, Regev, ...]
      - General analysis of discrete Gaussians over lattices
      - Introduce ideas from [Ban95] to complexity

      A Bit Odd
      - Can't show anything new for $1 \le p < 2$...

  28. Interpretation and Open Problems (slide 6 / 12)

      1. Partial converse of [RegevRosen] ("$\ell_2$ is easiest").
      2. Weakens assumptions for lattice-based cryptography.
      3. What's going on with $p < 2$? (Beating $n^{1/p}$ for even a single $p$ has implications for codes.)
      4. Are all $\ell_p$ norms ($p \ge 2$) equivalent?

  31. Gauss meets Lattices (slide 7 / 12)

      Define the Gaussian function $\rho(x) = \exp(-\pi \|x\|_2^2)$ over $\mathbb{R}^n$. Define

      $$f(x) = \frac{\sum_{v \in \mathcal{L}} \rho(x - v)}{\sum_{v \in \mathcal{L}} \rho(v)} = \frac{\rho(\mathcal{L} - x)}{\rho(\mathcal{L})}.$$

      Properties of $f$
      - If $\mathrm{dist}_2(x, \mathcal{L}) \le \frac{1}{10}$, then $f(x) \ge \frac{1}{2}$. (Easy.)
      - If $\mathrm{dist}_2(x, \mathcal{L}) > \sqrt{n}$, then $f(x) < 2^{-n}$. (Really hard. [Ban93])
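
A numerical check of the two properties of $f$ stated on the last slide, as an added example that is not part of the original presentation. It evaluates $f$ over a constructed 2-dimensional basis and truncates the infinite lattice sums to coefficients $|c_i| \le 8$ (an assumption of this example); the names `rho`, `f`, `dist2`, `report` and `BASIS` are this example's own.

```python
import itertools
import math

def rho(x):
    """Gaussian function from the slides: rho(x) = exp(-pi * ||x||_2^2)."""
    return math.exp(-math.pi * sum(c * c for c in x))

def lattice_points(basis, bound):
    """All sums c_1*b_1 + ... + c_n*b_n with integer |c_i| <= bound.
    Truncating the lattice is an assumption of this example; the omitted
    points carry negligible Gaussian mass for inputs near the origin."""
    dim = len(basis[0])
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=len(basis)):
        yield tuple(sum(c * b[j] for c, b in zip(coeffs, basis)) for j in range(dim))

def f(x, basis, bound=8):
    """f(x) = rho(L - x) / rho(L), evaluated over the truncated lattice."""
    pts = list(lattice_points(basis, bound))
    shifted = sum(rho([vi - xi for vi, xi in zip(v, x)]) for v in pts)
    return shifted / sum(rho(v) for v in pts)

def dist2(x, basis, bound=8):
    """Euclidean distance from x to the truncated lattice, by brute force."""
    return min(math.dist(x, v) for v in lattice_points(basis, bound))

def report(x, basis):
    """Return (dist_2(x, L), f(x), verdict); verdict names the property that applies."""
    n = len(basis)
    d, fx = dist2(x, basis), f(x, basis)
    if d <= 0.1:
        verdict = "close: f >= 1/2" if fx >= 0.5 else "VIOLATION"
    elif d > math.sqrt(n):
        verdict = "far: f < 2^-n" if fx < 2.0 ** -n else "VIOLATION"
    else:
        verdict = "gap: no promise"
    return d, fx, verdict

BASIS = [(4.0, 0.0), (1.0, 4.0)]  # constructed 2-dim basis, not from the slides

if __name__ == "__main__":
    # One point near a lattice vector, one far from all of them, one in between.
    for x in [(4.06, 0.05), (2.5, 2.0), (0.5, 0.5)]:
        print(x, report(x, BASIS))
```

Read in the contrapositive, the two properties are what make $f$ useful as a test: $f(x) < \frac{1}{2}$ rules out $\mathrm{dist}_2(x, \mathcal{L}) \le \frac{1}{10}$, and $f(x) \ge 2^{-n}$ rules out $\mathrm{dist}_2(x, \mathcal{L}) > \sqrt{n}$.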
