limits on the hardness of lattice problems in p norms
play

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert - PowerPoint PPT Presentation

May 29, 2023 •316 likes •902 views

Limits on the Hardness of Lattice Problems in p Norms Chris Peikert SRI International Complexity 2007 1 / 12 Lattices and Their Problems Let B = { b 1 , . . . , b n } R n be linearly independent. The n -dim lattice L having basis B is:

  1. Limits on the Hardness of Lattice Problems in ℓ p Norms Chris Peikert SRI International Complexity 2007 1 / 12

  2. Lattices and Their Problems Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: b 1 b 2 n � L = ( Z · b i ) i = 1 2 / 12

  3. Lattices and Their Problems Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n � L = ( Z · b i ) i = 1 b 1 b 2 2 / 12

  4. Lattices and Their Problems Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: v n � L = ( Z · b i ) i = 1 b 1 b 2 Close Vector Problem (CVP γ ) Approximation factor γ = γ ( n ) , in some norm �·� . ◮ Given basis B and point v ∈ R n , distinguish dist ( v , L ) ≤ 1 from dist ( v , L ) > γ (otherwise, don’t care.) 2 / 12

  5. Lattices and Their Problems Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n � L = ( Z · b i ) v i = 1 b 1 b 2 Close Vector Problem (CVP γ ) Approximation factor γ = γ ( n ) , in some norm �·� . ◮ Given basis B and point v ∈ R n , distinguish dist ( v , L ) ≤ 1 from dist ( v , L ) > γ (otherwise, don’t care.) 2 / 12

  6. Lattices and Their Problems Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n � L = ( Z · b i ) λ i = 1 b 1 b 2 Short Vector Problem (SVP γ ) Define minimum distance λ = min � v � over all 0 � = v ∈ L . ◮ Given basis B , distinguish λ ≤ 1 from λ > γ (otherwise, don’t care.) 2 / 12

  7. Lattices and Their Problems Let B = { b 1 , . . . , b n } ⊂ R n be linearly independent. The n -dim lattice L having basis B is: n � L = ( Z · b i ) i = 1 b 1 b 2 Short Vector Problem (SVP γ ) Define minimum distance λ = min � v � over all 0 � = v ∈ L . ◮ Given basis B , distinguish λ ≤ 1 from λ > γ (otherwise, don’t care.) i = 1 | x i | p ) 1 / p . Usually use ℓ p norm: � x � p = ( � n 2 / 12

  8. Algorithms and Hardness Algorithms for SVP γ & CVP γ ◮ γ ( n ) ∼ 2 n approximation in poly-time [LLL,Babai,Schnorr] ◮ Time/approximation tradeoffs: γ ( n ) ∼ n c in time ∼ 2 n / c [AKS] 3 / 12

  9. Algorithms and Hardness Algorithms for SVP γ & CVP γ ◮ γ ( n ) ∼ 2 n approximation in poly-time [LLL,Babai,Schnorr] ◮ Time/approximation tradeoffs: γ ( n ) ∼ n c in time ∼ 2 n / c [AKS] NP-Hardness (some randomized reductions. . . ) ◮ In any ℓ p norm, SVP γ hard for any γ ( n ) = O ( 1 ) [Ajt,Micc,Khot,ReRo] ◮ In any ℓ p norm, CVP γ hard for any γ ( n ) = n O ( 1 / log log n ) [DKRS,Dinur] ◮ Many other problems (CVPP , SIVP) hard as well . . . 3 / 12

  10. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? 4 / 12

  11. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? Probably not. 4 / 12

  12. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? Probably not. ◮ In ℓ 2 norm, CVP γ ∈ coAM for γ ∼ � n / log n [GoldreichGoldwasser] 4 / 12

  13. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? Probably not. ◮ In ℓ 2 norm, CVP γ ∈ coAM for γ ∼ � n / log n [GoldreichGoldwasser] ◮ In ℓ 2 norm, CVP γ ∈ coNP for γ ∼ √ n [AharonovRegev] 4 / 12

  14. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? Probably not. ◮ In ℓ 2 norm, CVP γ ∈ coAM for γ ∼ � n / log n [GoldreichGoldwasser] ◮ In ℓ 2 norm, CVP γ ∈ coNP for γ ∼ √ n [AharonovRegev] ◮ CVP γ is as hard as many other lattice problems [GMSS,GMR] 4 / 12

  15. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? Probably not. ◮ In ℓ 2 norm, CVP γ ∈ coAM for γ ∼ � n / log n [GoldreichGoldwasser] ◮ In ℓ 2 norm, CVP γ ∈ coNP for γ ∼ √ n [AharonovRegev] ◮ CVP γ is as hard as many other lattice problems [GMSS,GMR] Neat. What else? ◮ In ℓ 2 norm, SVP γ ≤ avg-problems for γ ∼ n [Ajtai,. . . ,MR,Regev] ◮ For lattice problems, ℓ 2 norm is easiest [RegevRosen] ◮ Much, much more. . . [LLM,PR] 4 / 12

  16. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? Probably not. ◮ In ℓ 2 norm, CVP γ ∈ coAM for γ ∼ � n / log n [GoldreichGoldwasser] ◮ In ℓ 2 norm, CVP γ ∈ coNP for γ ∼ √ n [AharonovRegev] ◮ CVP γ is as hard as many other lattice problems [GMSS,GMR] Neat. What else? ◮ In ℓ 2 norm, SVP γ ≤ avg-problems for γ ∼ n [Ajtai,. . . ,MR,Regev] ◮ For lattice problems, ℓ 2 norm is easiest [RegevRosen] ◮ Much, much more. . . [LLM,PR] 4 / 12

  17. ‘Positive’ Results (Limits on Hardness) Could problems be NP-hard for much larger γ ( n ) ? Probably not. ◮ In ℓ 2 norm, CVP γ ∈ coAM for γ ∼ � n / log n [GoldreichGoldwasser] ◮ In ℓ 2 norm, CVP γ ∈ coNP for γ ∼ √ n [AharonovRegev] ◮ CVP γ is as hard as many other lattice problems [GMSS,GMR] Neat. What else? ◮ In ℓ 2 norm, SVP γ ≤ avg-problems for γ ∼ n [Ajtai,. . . ,MR,Regev] ◮ For lattice problems, ℓ 2 norm is easiest [RegevRosen] ◮ Much, much more. . . [LLM,PR] (Can generalize to ℓ p norms, but lose up to √ n factors.) 4 / 12

  18. Our Results ◮ Extend positive results to ℓ p norms, p ≥ 2 , for same factors γ ( n ) . 5 / 12

  19. Our Results ◮ Extend positive results to ℓ p norms, p ≥ 2 , for same factors γ ( n ) . New Limits on Hardness ◮ In ℓ p norm, CVP γ ∈ coNP for γ = c p · √ n ◮ In ℓ p norm, SVP γ ≤ avg-problems for γ ∼ c p · n ◮ Generalize to norms defined by arbitrary convex bodies 5 / 12

  20. Our Results ◮ Extend positive results to ℓ p norms, p ≥ 2 , for same factors γ ( n ) . New Limits on Hardness ◮ In ℓ p norm, CVP γ ∈ coNP for γ = c p · √ n ◮ In ℓ p norm, SVP γ ≤ avg-problems for γ ∼ c p · n ◮ Generalize to norms defined by arbitrary convex bodies 5 / 12

  21. Our Results ◮ Extend positive results to ℓ p norms, p ≥ 2 , for same factors γ ( n ) . New Limits on Hardness ◮ In ℓ p norm, CVP γ ∈ coNP for γ = c p · √ n ◮ In ℓ p norm, SVP γ ≤ avg-problems for γ ∼ c p · n ◮ Generalize to norms defined by arbitrary convex bodies 5 / 12

  22. Our Results ◮ Extend positive results to ℓ p norms, p ≥ 2 , for same factors γ ( n ) . New Limits on Hardness ◮ In ℓ p norm, CVP γ ∈ coNP for γ = c p · √ n ◮ In ℓ p norm, SVP γ ≤ avg-problems for γ ∼ c p · n ◮ Generalize to norms defined by arbitrary convex bodies 5 / 12

  23. Our Results ◮ Extend positive results to ℓ p norms, p ≥ 2 , for same factors γ ( n ) . New Limits on Hardness ◮ In ℓ p norm, CVP γ ∈ coNP for γ = c p · √ n ◮ In ℓ p norm, SVP γ ≤ avg-problems for γ ∼ c p · n ◮ Generalize to norms defined by arbitrary convex bodies Techniques ◮ New analysis of prior algorithms [AharRegev,MiccRegev,Regev,. . . ] ◮ General analysis of discrete Gaussians over lattices ◮ Introduce ideas from [Ban95] to complexity 5 / 12

  24. Our Results ◮ Extend positive results to ℓ p norms, p ≥ 2 , for same factors γ ( n ) . New Limits on Hardness ◮ In ℓ p norm, CVP γ ∈ coNP for γ = c p · √ n ◮ In ℓ p norm, SVP γ ≤ avg-problems for γ ∼ c p · n ◮ Generalize to norms defined by arbitrary convex bodies Techniques ◮ New analysis of prior algorithms [AharRegev,MiccRegev,Regev,. . . ] ◮ General analysis of discrete Gaussians over lattices ◮ Introduce ideas from [Ban95] to complexity A Bit Odd ◮ Can’t show anything new for 1 ≤ p < 2 . . . 5 / 12

  25. Interpretation and Open Problems 1 Partial converse of [RegevRosen] (“ ℓ 2 is easiest”). 6 / 12

  26. Interpretation and Open Problems 1 Partial converse of [RegevRosen] (“ ℓ 2 is easiest”). 2 Weakens assumptions for lattice-based cryptography. 6 / 12

  27. Interpretation and Open Problems 1 Partial converse of [RegevRosen] (“ ℓ 2 is easiest”). 2 Weakens assumptions for lattice-based cryptography. 3 What’s going on with p < 2 ? (Beating n 1 / p for even a single p has implications for codes.) 6 / 12

  28. Interpretation and Open Problems 1 Partial converse of [RegevRosen] (“ ℓ 2 is easiest”). 2 Weakens assumptions for lattice-based cryptography. 3 What’s going on with p < 2 ? (Beating n 1 / p for even a single p has implications for codes.) 4 Are all ℓ p norms ( p ≥ 2 ) equivalent? 6 / 12

  29. Gauss meets Lattices Define Gaussian function ρ ( x ) = exp ( − π � x � 2 2 ) over R n . 7 / 12

  30. Gauss meets Lattices Define Gaussian function ρ ( x ) = exp ( − π � x � 2 2 ) over R n . Define � v ∈L ρ ( x − v ) f ( x ) = � v ∈L ρ ( v ) ρ ( L − x ) = . ρ ( L ) 7 / 12

  31. Gauss meets Lattices Define Gaussian function ρ ( x ) = exp ( − π � x � 2 2 ) over R n . Define � v ∈L ρ ( x − v ) f ( x ) = � v ∈L ρ ( v ) ρ ( L − x ) = . ρ ( L ) Properties of f ◮ If dist 2 ( x , L ) ≤ 1 10 , then f ( x ) ≥ 1 2 . (Easy.) ◮ If dist 2 ( x , L ) > √ n , then f ( x ) < 2 − n . (Really hard. [Ban93]) 7 / 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

NP-Hardness Proofs . . . Usual Proofs of NP- . . . Proofs of NP- . . . Pedagogical Problem . . . NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers Instead What Is NP-Hard: . . . Proof that . . . of

296 views • 12 slides
Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP

Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP

Subsection 2 NP -hardness 36 / 109 NP -Hardness Do hard problems exist? Depends on P = NP Next best thing: define hardest problem in NP A problem P is NP -hard if Every problem Q in NP can be solved in this way: 1. given an instance

609 views • 14 slides
From CATS to SAT: Modeling Empirical Hardness to Understand and Solve Hard Computational Problems

From CATS to SAT: Modeling Empirical Hardness to Understand and Solve Hard Computational Problems

From CATS to SAT: Modeling Empirical Hardness to Understand and Solve Hard Computational Problems Kevin Leyton Brown Computer Science Department University of British Columbia CATS Empirical Hardness Models EHMs for SAT SATzilla Intro

1.15k views • 75 slides
Mechanical Properties of Paint Coatings Hardness Measurement Shore Hardness D Barcol Hardness

Mechanical Properties of Paint Coatings Hardness Measurement Shore Hardness D Barcol Hardness

Mechanical Properties of Paint Coatings Hardness Measurement Shore Hardness D Barcol Hardness ASTM D2583 Fiberglass Aluminum Aluminum Alloys Soft Metals Plastics Scratch Hardness- (IS 101 - Part 5/Sec 2) BS 3900 Hardness can

1.89k views • 30 slides
Parameters of Two-Prover-One-Round Game and The Hardness of Connectivity Problems Bundit

Parameters of Two-Prover-One-Round Game and The Hardness of Connectivity Problems Bundit

Parameters of Two-Prover-One-Round Game and The Hardness of Connectivity Problems Bundit Laekhanukit McGill University 1 This Talk Investigate the connection between 2-Prover-1-Round Game (2P1R) and Hardness of Approximating

540 views • 43 slides
Beyond NP [HMU06,Chp.11a] Tautology Problem NP-Hardness and co-NP Historical

Beyond NP [HMU06,Chp.11a] Tautology Problem NP-Hardness and co-NP Historical

Beyond NP [HMU06,Chp.11a] Tautology Problem NP-Hardness and co-NP Historical Comments Optimization Problems More Complexity Classes 1 Tautology Problem &amp; NP-Hardness &amp; co-NP 2 NP-Hardness Another

559 views • 23 slides
P and NP Tools for classifying problems according to relative hardness Inge Li Grtz Thank

P and NP Tools for classifying problems according to relative hardness Inge Li Grtz Thank

Overview Problem classification Tractable Intractable Reductions P and NP Tools for classifying problems according to relative hardness Inge Li Grtz Thank you to Kevin Wayne, Philip Bille and Paul Fischer for inspiration to

359 views • 14 slides
29: Limits and the real world A few loose ends Difficulty of problems Limits on computation

29: Limits and the real world A few loose ends Difficulty of problems Limits on computation

29: Limits and the real world A few loose ends Difficulty of problems Limits on computation Recursive Diagrams: Why use them? Modules: Why use them? Clarity: gather together related pieces of code Generosity: avoid name conflicts

731 views • 23 slides
CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

As no encryption scheme besides the OneTimePad is unconditionally secure, we need CS 4803 to find some building blocks - hard problems (assumptions about hardness of some Computer and Network Security problems) to base security of our new

553 views • 3 slides
NP-Hardness reductions Definition: P is the class of problems that can be solved in polynomial

NP-Hardness reductions Definition: P is the class of problems that can be solved in polynomial

NP-Hardness reductions Definition: P is the class of problems that can be solved in polynomial time, that is n c for a constant c Roughly, if a problem is in P then it's easy, and if it's not in P then it's hard. We'd like to show that

1.23k views • 107 slides
Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan

Phase Fluctuations and Sign Problems Michael Wagman MIT Lattice 2018 East Lansing, Michigan Lattice QCD and Nuclei Nuclear theory predictions are needed to extract or constrain new physics from intensity frontier experiments Lattice QCD can

359 views • 20 slides
Low-Degree Hardness of Random Optimization Problems Alex Wein Courant Institute, New York

Low-Degree Hardness of Random Optimization Problems Alex Wein Courant Institute, New York

Low-Degree Hardness of Random Optimization Problems Alex Wein Courant Institute, New York University Joint work with: David Gamarnik Aukosh Jagannath MIT Waterloo 1 / 18 Random Optimization Problems Examples: 2 / 18 Random Optimization

1.22k views • 98 slides
Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts

Algorithms for hard lattice problems Thijs Laarhoven ts ttts Tenerife PQCrypto Conference (January 31, 2018) Lattices What is a lattice? O Lattices What

1.59k views • 136 slides
MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
EMISSION NORMS - INDIA S.NO COMBUSTION PRODUCT AFFECTEDPART PROBLEMS OF THEBODY

EMISSION NORMS - INDIA S.NO COMBUSTION PRODUCT AFFECTEDPART PROBLEMS OF THEBODY

EMISSION NORMS - INDIA S.NO COMBUSTION PRODUCT AFFECTEDPART PROBLEMS OF THEBODY HYDROCARBON Eyes, Lungs Causes irritation, 1 lung Cancer CARBON MONOXIDE Reduces the oxygen Body carrying capacity of 2 The blood and readiness with

1.12k views • 76 slides
NP-Hardness Textbook Reading Chapter 34 Overview Computational (in)tractability Decision

NP-Hardness Textbook Reading Chapter 34 Overview Computational (in)tractability Decision

NP-Hardness Textbook Reading Chapter 34 Overview Computational (in)tractability Decision problems and optimization problems Decision problems and formal languages The class P Decision and verification The class NP NP

2.01k views • 188 slides
On some open questions related to transport equations with critical regularity F. Bouchut 1 1

On some open questions related to transport equations with critical regularity F. Bouchut 1 1

On some open questions related to transport equations with critical regularity F. Bouchut 1 1 LAMA, CNRS &amp; Universit e Paris-Est-Marne-la-Vall ee Basel, June 2017 Transport equations with critical regularity 1 Outline 1 A review of

757 views • 31 slides
Continuous Representations: What goes right and what goes wrong? Supplementary Slides Job Rock

Continuous Representations: What goes right and what goes wrong? Supplementary Slides Job Rock

Continuous Representations: What goes right and what goes wrong? Supplementary Slides Job Rock Department of Mathematics Brandeis University Joint with Kiyoshi Igusa and Gordana Todorov Representation Theory and Related Topics Seminar 3 May

325 views • 29 slides
Hopf orders in Hopf algebras with trivial Verschiebung Alan Koch Agnes Scott College June, 2015

Hopf orders in Hopf algebras with trivial Verschiebung Alan Koch Agnes Scott College June, 2015

Hopf orders in Hopf algebras with trivial Verschiebung Alan Koch Agnes Scott College June, 2015 Alan Koch (Agnes Scott College) 1 / 47 Overview, Assumptions Let R be a complete discrete valuation ring of (equal) characteristic p , K = Frac R

677 views • 48 slides
Big picture All languages Decidable Turing machines NP P Context-free

Big picture All languages Decidable Turing machines NP P Context-free

Big picture All languages Decidable Turing machines NP P Context-free Context-free grammars, push-down automata Regular Automata, non-deterministic automata, regular expressions Recall: Theorem: L := {0 n 1 n : n 0}

1.23k views • 108 slides
Algorithms (2IL15) Lecture 10 NP-Completeness, II 1 TU/e Algorithms (2IL15) Lecture 10

Algorithms (2IL15) Lecture 10 NP-Completeness, II 1 TU/e Algorithms (2IL15) Lecture 10

TU/e Algorithms (2IL15) Lecture 10 Algorithms (2IL15) Lecture 10 NP-Completeness, II 1 TU/e Algorithms (2IL15) Lecture 10 Summary of previous lecture P: class of decision problems that can be solved in polynomial time NP:

496 views • 34 slides
Cubical Type Theory favonia 1 2 t f 2 t f 2 t f 2

Cubical Type Theory favonia 1 2 t f 2 t f 2 t f 2

Cubical Type Theory favonia 1 2 t f 2 t f 2 t f 2 t f 4 0 7 3 8 1 5 2 6 2 t f 4 0 7 3 8 1 5 2 6 2 3 3 3 3

1.05k views • 62 slides
ACCOUNTABILITY &amp; PRIVACY IN THE NETWORK David Naylor Matt Mukerjee Peter Steenkiste

ACCOUNTABILITY &amp; PRIVACY IN THE NETWORK David Naylor Matt Mukerjee Peter Steenkiste

Carnegie Mellon University BALANCING ACCOUNTABILITY &amp; PRIVACY IN THE NETWORK David Naylor Matt Mukerjee Peter Steenkiste ACCOUNTABILITY operators want to know who sends each packet so they can stop malicious senders VS PRIVACY users want

867 views • 42 slides
Acute Heart Failure Matthew Strehlow, MD, FACEP Epidemiology

Acute Heart Failure Matthew Strehlow, MD, FACEP Epidemiology

Acute Heart Failure Matthew Strehlow, MD, FACEP Epidemiology #1 cause of admission to the hospital in people &gt;65 yo 1 million admissions/year for

278 views • 9 slides

More recommend