Transcript Recent Progress on Integer Programming and Lattice Problems

Short Paths on the Voronoi Graph
and the
Closest Vector Problem with Preprocessing
Daniel Dadush
Centrum Wiskunde en Informatica
Joint work with Nicolas Bonifas (École Polytechnique & IBM)
Lattices
A lattice ℒ ⊆ ℝ𝑛 is all integral
combinations of some basis
B = 𝑏1 , … , 𝑏𝑛 .
ℒ(𝐵) denotes lattice
generated by 𝐵.
Note: a lattice has many
equivalent bases.
𝑏2
𝑏1
𝑏1
𝑏2
𝑏2
ℒ
Closest Vector Problem (CVP)
Given: Lattice basis 𝐵 𝜖 ℚ𝑛×𝑛 , target 𝑡 𝜖 ℚ𝑛 .
Goal: Compute 𝑦 𝜖 ℒ(𝐵) minimizing 𝑡 − 𝑦
𝑦
𝑡
ℒ
2.
CVP with Preprocessing (CVPP)
Given: Lattice basis 𝐵 𝜖 ℚ𝑛×𝑛 , Preprocess(𝐵),
target 𝑡 𝜖 ℚ𝑛 .
Goal: Compute 𝑦 𝜖 ℒ(𝐵) minimizing 𝑡 − 𝑦 2 .
Preprocess can be any function of the lattice basis 𝐵,
and need not be computationally bounded.
Limit Preprocess by the size of the generated advice
(i.e. polynomial, exponential, etc. in enc-size(B)).
CVP with Preprocessing (CVPP)
Given: Lattice basis 𝐵 𝜖 ℚ𝑛×𝑛 , Preprocess(𝐵),
target 𝑡 𝜖 ℚ𝑛 .
Goal: Compute 𝑦 𝜖 ℒ(𝐵) minimizing 𝑡 − 𝑦 2 .
Remark: Most solvers for CVP can be decoupled into a
preprocessing phase and a search phase.
Applications
1. Lattice based Cryptography:
Encrypt messages as perturbed lattice points.
2. Error Correcting Codes:
Lattice points are codewords, want to correct against
Gaussian perturbations.
Basic model in wireless communications.
3. Discretizing / Compressing continuous data:
Round continuous source to ``low distortion’’ lattice.
Used for speech, image, video data.
Hardness
𝛾 − CVP / CVPP: compute 𝛾 approximate solution.
Lattice dimension is 𝑛.
𝛾 − CVP:
NP-hard for 𝛾 = 𝑛𝑐/ log log 𝑛 [DKRS 03, ABSS 93].
𝛾 − CVPP with polynomial advice:
a) NP-hard any constant 𝛾 [AKKV 05, Reg. 04, FM 04].
log1−𝜖 𝑛
b) Hard for 𝛾 = 2
𝑂(1
log
𝐷𝑇𝐼𝑀𝐸(2
, fixed 𝜖 > 0, assuming 𝑁𝑃 ⊈
𝜖) 𝑛
). [KPV 12, AKKV 05].
Algorithms for CVP
Method
Basis
Reduction
Apx
𝑛
𝑂 𝑘
𝑘
Time
Space
22𝑘 poly 𝑛 2𝑘 poly(𝑛)
Authors
LLL 83, Sch. 85,
Bab. 86, MV 10
1
𝑛𝑛/2
poly(𝑛)
LLL 83, Kan. 87,
…, HS 08
Randomized
Sieve
1+𝜖
1 2𝑛
𝜖
1 𝑛
𝜖
AKS 01, AKS 02,
BN 07
Voronoi Cell
1
22𝑛
2𝑛
SFS 09, MV 10
Algorithms for CVP
Method
Basis
Reduction
Apx
𝑛
𝑂 𝑘
𝑘
Time
Space
22𝑘 poly 𝑛 2𝑘 poly(𝑛)
Authors
LLL 83, Sch. 85,
Bab. 86, MV 10
1
𝑛𝑛/2
poly(𝑛)
LLL 83, Kan. 87,
…, HS 08
Randomized
Sieve
1+𝜖
1 2𝑛
𝜖
1 𝑛
𝜖
AKS 01, AKS 02,
BN 07
Voronoi Cell
1
22𝑛
2𝑛
SFS 09, MV 10
Preprocessing: Short lattice basis 𝐵.
Search Phase: Compute coefficients of closest
vector with respect to 𝐵 using search tree.
Algorithms for CVP
Method
Basis
Reduction
Apx
𝑛
𝑂 𝑘
𝑘
Time
Space
22𝑘 poly 𝑛 2𝑘 poly(𝑛)
Authors
LLL 83, Sch. 85,
Bab. 86, MV 10
1
𝑛𝑛/2
poly(𝑛)
LLL 83, Kan. 87,
…, HS 08
Randomized
Sieve
1+𝜖
1 2𝑛
𝜖
1 𝑛
𝜖
AKS 01, AKS 02,
BN 07
Voronoi Cell
1
22𝑛
2𝑛
SFS 09, MV 10
Iterivately clusters exponentially many “random” lattice points to
construct closer & closer vectors.
Only gives probabilistic guarantee output (Monte Carlo).
Algorithms for CVP
Method
Basis
Reduction
Apx
𝑛
𝑂 𝑘
𝑘
Time
Space
22𝑘 poly 𝑛 2𝑘 poly(𝑛)
Authors
LLL 83, Sch. 85,
Bab. 86, MV 10
1
𝑛𝑛/2
poly(𝑛)
LLL 83, Kan. 87,
…, HS 08
Randomized
Sieve
1+𝜖
1 2𝑛
𝜖
1 𝑛
𝜖
AKS 01, AKS 02,
BN 07
Voronoi Cell
1
22𝑛
2𝑛
SFS 09, MV 10
Preprocessing: Compute facets of Voronoi cell.
Search Phase: Directed search over Voronoi
graph to find closest vector.
Main Result
CVP with 2𝑛 Preprocessing [D.-Bonifas 14]:
Using the Voronoi cell as preprocessing, can
compute closest vectors in expected Θ(2𝑛 ) time.
Speeds up the search phase of the
Micciancio-Voulgaris algorithm by a Θ(2𝑛 ) factor.
𝒱
0
ℒ
Main Result
Theorem [D.-Bonifas 14]:
CVP is polynomial time equivalent to separation
over the Voronoi cell.
Micciancio-Voulgaris algorithm requires Θ(2𝑛 ) calls
to a Voronoi cell separator.
𝑡
𝒱
0
ℒ
Main Result
Theorem [D.-Bonifas 14]:
CVP is polynomial time equivalent to separation
over the Voronoi cell.
Will assume facet separator.
Can be derived from weaker separator*.
𝑦
𝒱
𝑡
0
ℒ
Outline
1. Voronoi Cell based Algorithms:
Micciancio-Voulgaris CVPP algorithm.
2. Faster navigation of the Voronoi graph:
Randomized path finding algorithm.
3. Summary and Open Problems.
Voronoi Cell
The Voronoi of a lattice ℒ is
𝒱 ℒ = {𝑥 𝜖 ℝ𝑛 : 𝑥 2 ≤ 𝑥 − 𝑦
𝒱
2 , ∀𝑦
𝜖ℒ∖ 0 }
0
ℒ
Voronoi Cell
The Voronoi of a lattice ℒ is
𝒱 ℒ = {𝑥 𝜖 ℝ𝑛 : 𝑥, 𝑦 ≤ 𝑦, 𝑦 2 , ∀𝑦 𝜖 ℒ ∖ 0 }
𝒱
0
ℒ
Voronoi Cell
𝒱 tiles spaces with respect to ℒ.
𝒱
0
ℒ
Voronoi relevant vectors
Define halfspace 𝐻𝑦 = {𝑥 𝜖 ℝ𝑛 : 𝑥 2 ≤ 𝑥 − 𝑦 2 }.
The Voronoi relevant vectors are the minimal subset
𝑉𝑅 ⊆ ℒ ∖ {0} such that 𝒱 ℒ = 𝑦𝜖𝑉𝑅 𝐻𝑦 .
𝑉𝑅 ≤ 2(2𝑛 − 1)
Theorem [Voronoi]:
𝑣1
𝑣2
𝑣3
𝑣6
0
𝑣4
𝑣5
ℒ
Voronoi relevant vectors
For 𝑣 𝜖 𝑉𝑅, ∃ 𝑐 = 𝐵 0,1 𝑛 /{0} such that
𝑣 = ±(𝑦 − 𝑐)
where 𝑦 is a closest vector to 𝑐 in 2ℒ.
Can compute 𝑉𝑅 by solving 2𝑛 CVPs!
𝑣1
𝑣2
𝑣3
𝑣6
0
𝑣4
𝑣5
ℒ
CVP and Voronoi Cells
CVP: Compute center of Voronoi cell containing 𝑡.
𝑦
𝑡
ℒ
CVP and Voronoi Cells
𝑦 𝜖 ℒ closest vector to 𝑡 ⇔ 𝑡 − 𝑦 𝜖 𝒱.
𝑦
𝑡
ℒ
CVP and Voronoi Cells
𝑡 − 𝑦 𝜖 𝒱 ⇔ 𝑡 − 𝑦 2 ≤ 𝑡 − 𝑦 − 𝑣 2 , ∀𝑣 𝜖 𝑉𝑅.
Can perform check in 𝑂(𝑛 𝑉𝑅 ) time.
𝑦
𝑡
ℒ
Voronoi Graph
Graph 𝒢 on ℒ.
𝑥~𝑦 if and only if 𝑥 − 𝑦 𝜖 𝑉𝑅.
ℒ
Voronoi based CVP algorithms
Idea: Build path along Voronoi graph 𝒢
from 0 to 𝑦 using 𝑡.
𝑦
𝑡
0
ℒ
Voronoi based CVP algorithms
Question: What is the most efficient way to
traverse the Voronoi graph 𝒢?
𝑦
𝑡
0
ℒ
Sommer, Feder, Shalvi 09: Iterative Slicer
While 𝑡 − 𝑥 ∉ 𝒱
Find 𝑣 𝜖 𝑉𝑅 such that 𝑡 − 𝑥 − 𝑣
Update 𝑥 ← 𝑥 + 𝑣.
2
< 𝑡−𝑥
𝑡
𝑥
0
ℒ
2.
Sommer, Feder, Shalvi 09: Iterative Slicer
Showed only finite termination.
𝑥
𝑡
0
ℒ
Voronoi Norm
Norm with respect to 𝒱
𝑥
𝒱
= min{𝑠 ≥ 0: 𝑥 𝜖 𝑠𝒱}
𝑥
𝑠𝒱
𝒱 = {𝑥 𝜖
𝒱
0
𝑥
𝒱
ℝ𝑛 : 2
𝑥, 𝑣
≤ 1, ∀𝑣 𝜖 𝑉𝑅}
𝑣, 𝑣
𝑥, 𝑣
= max 2
𝑣 𝜖 VR
𝑣, 𝑣
Computable in 𝑂(𝑛 |𝑉𝑅|) time.
Micciancio, Voulgaris 10
While 𝑡 − 𝑥 ∉ 𝒱
Find 𝑣 𝜖 𝑉𝑅 such that 𝑡 − 𝑥
Update 𝑥 ← 𝑥 + 𝑣.
𝒱
= 2 𝑥, 𝑣
𝑣, 𝑣 .
𝑡
𝑥
0
ℒ
Micciancio, Voulgaris 10
Theorem: If 𝑡 − 𝑥 𝒱 ≤ 2, then the
MV path from 𝑥 𝜖 ℒ to the closest vector 𝑦 𝜖 ℒ to
𝑡 on 𝒢 has length at most 2𝑛 .
Why is this enough?
1. Can assure 𝑡 − 𝑥 𝒱 ≤ n by rounding
coordinates of 𝑡 w.r.t. a basis of VR vectors.
2. Use MV path iteratively to find closest vector
to 𝑡 − 𝑥 in 2𝑖 ℒ, for 𝑖 = log 𝑛 down to 0.
Total runtime: 𝑂(4𝑛 ).
Micciancio, Voulgaris 10
MV subgraph on (𝑡 + 4𝒱) ∩ ℒ.
𝑡
4𝒱
ℒ
Micciancio, Voulgaris 10
CVP: Want to compute 𝑥0 .
0
𝑡 𝑥
0
ℒ
Micciancio, Voulgaris 10
0 is a closest
vector in 8ℒ.
0
𝑡
8ℒ
8𝒱
Micciancio, Voulgaris 10
Move to closest
vector in 4ℒ.
0
𝑡
𝑥2
4𝒱
4ℒ
8𝒱
Micciancio, Voulgaris 10
Move to closest
vector in 2ℒ.
0
𝑥1
𝑡
2𝒱
𝑥2
4𝒱
2ℒ
Micciancio, Voulgaris 10
Move to closest
vector in ℒ.
0
𝑥1
𝑡 𝑥
0
𝒱
2𝒱
𝑥2
ℒ
Navigating the Voronoi Graph
Question: Is there a polynomial sized path from
the origin to the target Voronoi cell?
If so, can each step of the path be computed in
𝑂(2𝑛 ) time?
Implies 𝑂(2𝑛 ) time algorithm for CVPP.
Answer: Yes! *
* path length depends polynomially on bit size of
basis 𝐵 of ℒ and target 𝑡.
Straight Line Algorithm
How many cells does this cross?
𝑡
𝑥
0
ℒ
Straight Line Algorithm
Initial analysis in [MV 10].
Gives worse bounds…
𝑥
𝑡
0
ℒ
Straight Line Algorithm
Initial analysis in [MV 10].
Don’t have any bad examples!
𝑥
𝑡
0
ℒ
Randomized Straight Line
What if we add randomness to
the process?
𝑡
𝑥
0
ℒ
Randomized Straight Line
Sample a “random” 𝑍.
Path: 0 → 𝑍, 𝑍 → 𝑍 + 𝑡, 𝑍 + 𝑡 → 𝑡.
𝑡
𝑥
𝑍+𝑡
0
𝑍
ℒ
Randomized Straight Line
How long is path when going between lattice points?
Let’s restrict to the case 𝑡 𝜖 ℒ.
Path Lengths on the Voronoi Graph
Path from 0 to 𝑦 𝜖 ℒ:
a. 0 → 𝑍 b. 𝑍 → 𝑍 + 𝑦 c. 𝑍 + 𝑦 → 𝑦
where 𝑍 ~ Uniform(𝒱).
Theorem: Expected path length bounded by 𝑛 𝑦
Corollary: For 𝑥, 𝑦 𝜖 ℒ,
𝑦 − 𝑥 𝒱 2 ≤ 𝑑𝒢 𝑥, 𝑦 ≤ 𝑛 𝑦 − 𝑥
𝒱 /2.
𝒱 /2.
Proof: Write 𝑦 − 𝑥 = 𝑘𝑖=1 𝑣𝑖 , 𝑣𝑖 𝜖 𝑉𝑅, 𝑘 = 𝑑𝒢 𝑥, 𝑦 .
𝑦 − 𝑥 𝒱 ≤ 𝑘𝑖=1 𝑣𝑖 𝒱 = 2𝑘.
Randomized Straight Line
a. 0 → 𝑍 b. 𝑍 → 𝑍 + 𝑦 c. 𝑍 + 𝑦 → 𝑦
where 𝑍 ~ Uniform(𝒱).
𝑍
𝑥 𝑎
0
𝑏
𝑍+𝑦
𝑐
𝑦
ℒ
Bounding the number of crossings
Phase a+c: 0 crossings
Phase b: ???
𝑍
0
𝑎
𝑏
𝑍+𝑦
𝑥 𝑐
𝑦
ℒ
Bounding the number of crossings
E # crossings from 𝑍 to 𝑍 + 𝑦 =
(𝑖−1)𝑦
𝑖𝑦
E lim
in 𝑍 + 𝑘 to 𝑍 + 𝑘 ]
2
2
𝑘→∞
(𝑖−1)𝑦
𝑖𝑦
2𝑘
lim 𝑖=1 Pr[crossing in 𝑍 + 𝑘 to 𝑍 + 𝑘 ]
2
2
𝑘→∞
2𝑘
𝑖=1 I[crossing
𝑍+𝑦
𝑍
0
𝑏
𝑦
ℒ
=
Bounding the number of crossings
Pr[crossing in 𝑍 +
(𝑖−1)𝑦
to
𝑘
2
𝑍+
𝑖𝑦
2𝑘
]
depends only on distribution of 𝑍 +
𝑍 𝑚𝑜𝑑 ℒ is uniform ⇒ 𝑍 +
(𝑖−1)𝑦
2𝑘
(𝑖−1)𝑦
2𝑘
𝑚𝑜𝑑 ℒ .
𝑚𝑜𝑑 ℒ is uniform!
𝑍+𝑦
𝑍
0
𝑏
𝑦
ℒ
Bounding the number of crossings
Pr crossing in 𝑍 +
Pr crossing in 𝑍 to
𝑖−1 𝑦
to
𝑘
2
𝑦
𝑍+ 𝑘
2
𝑍
𝑖𝑦
+ 𝑘
2
=
𝑍+𝑦
𝑍
0
𝑏
𝑦
ℒ
Bounding the number of crossings
Pr crossing in 𝑍 to 𝑍 + 𝜖𝑦 = Pr 𝑍 + 𝜖𝑦 ∉ 𝒱
𝑍+𝜖𝑦
𝑍
0
𝒱
Bounding the number of crossings
Pr 𝑍 + 𝜖𝑦 ∉ 𝒱 ≤ 1 − Pr 𝑍 ∈ 1 − 𝜖 𝑦
= 1 − 1 − 𝜖 𝑦 𝒱 𝑛 ≤ 𝑛𝜖 𝑦 𝒱
𝒱
𝒱
𝑍+𝜖𝑦
𝑍
0
𝑠 = (1 − 𝜖 𝑦
𝑠𝒱
𝒱
𝒱)
Bounding the number of crossings
lim
2𝑘
𝑖=1 Pr[crossing in 𝑍
lim
2𝑘
𝑖=1 𝑛
𝑘→∞
𝑘→∞
𝑦
𝒱
+
2𝑘 ≤ 𝑛 𝑦
(𝑖−1)𝑦
2𝑘
𝒱
to 𝑍 +
𝑖𝑦
2𝑘
]≤
.
Can save a factor of 2 with a more careful analysis.
𝑍+𝑦
𝑍
0
𝑏
𝑦
ℒ
Path for General Targets
a. 0 → 𝑍 b. 𝑍 → 𝑍 + 𝑡 c. 𝑍 + 𝑡 → 𝑦
where 𝑍 ~ Uniform(𝒱).
𝑍+𝑡
𝑍
𝑏
𝑐
𝑡 𝑦
𝑎 0𝑥
ℒ
Bounding the number of crossings
Phase a: 0
Phase b: n 𝑡
𝒱 /2
Phase c: ???
𝑍+𝑡
𝑍
𝑏
𝑐
𝑥
𝑡 𝑦
𝑎0
ℒ
Bounding the number of crossings
Don’t know how to bound Phase c…
𝑍+𝑡
𝑐
𝑥
𝑡 𝑦
0
ℒ
Truncating the Path
Follow phase c line until we reach
𝑤 such that 𝑡 − 𝑤 𝒱 = 𝜖.
𝑥
𝑍+𝑡
𝑐
𝑤𝑡
𝑦
0
ℒ
Truncating the Path
𝑡−𝑥
𝒱
≤ 𝑤−𝑥
≤1+𝜖
𝒱
+ 𝑡−𝑤
𝒱
𝑥
𝑍+𝑡
𝑐
𝑤𝑡
𝑦
0
ℒ
Truncating the Path
Need to bound number of intersections
from 𝑍 + 𝑡 to 𝑤.
𝑥
𝑍+𝑡
𝑐
𝑤𝑡
𝑦
0
ℒ
Bounds for General Targets
Path from 0 to 𝑡 𝜖 ℝ𝑛 :
a. 0 → 𝑍 b. 𝑍 → 𝑍 + 𝑡 c. 𝑍 + 𝑡 → 𝑡
where 𝑍 ~ Uniform(𝒱).
Theorem: Path traverses 𝑥 ∈ ℒ, 𝑡 − 𝑥 𝒱 ≤ 1 + 𝜖 after at
most 𝑛 𝑡 𝒱 /2 + 𝑂(𝑛) log 1 𝜖 steps on expectation.
Lemma: Assume 𝑡 ∈ ℤ𝑛 and ℒ ⊆ ℤ𝑛 and that 𝒱 ⊆ 𝑅𝐵2𝑛 .
If 𝑦 ∈ ℒ and 𝑡 − 𝑦 𝒱 > 1, then
𝑡 − 𝑦 𝒱 ≥ 1 + 1 (2𝑅2 ).
Gives poly dependence on bit description of ℒ and 𝑡.
The Last Mile
𝑍~Uniform 𝒱
Density 𝑓 𝑥 = I[x 𝜖 𝒱]/vol(𝒱)
𝑍
𝒱
0
ℒ−𝑡
The Last Mile
Total number of intersections:
Int = E[𝑐𝑟𝑜𝑠𝑠𝑖𝑛𝑔𝑠 𝑍 𝑤𝑖𝑡ℎ ℒ − 𝑡 + 𝜕𝒱]
𝑍
0
ℒ−𝑡
The Last Mile
Total number of intersections:
1
Int =
𝑦𝜖ℒ−𝑡 E[𝑐𝑟𝑜𝑠𝑠𝑖𝑛𝑔𝑠 𝑍 𝑤𝑖𝑡ℎ 𝑦 + 𝜕𝒱]
2
𝑍
0
ℒ−𝑡
The Last Mile
Total number of intersections:
1
Int =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍 crosses 𝑦 + 𝐹𝑣
2
𝜕𝒱 =
𝑣𝜖𝑉𝑅 𝐹𝑣
𝑍
0
ℒ−𝑡
The Last Mile
Total number of intersections:
1
Int =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍 𝜖 𝑠≥1 𝑠(𝑦 + 𝐹𝑣 ) ]
2
𝜕𝒱 =
𝑣𝜖𝑉𝑅 𝐹𝑣
𝑍
0
ℒ−𝑡
Bounding the Truncated Path
Int 𝜖 = expected # of intersections with
boundaries at distance ≥ 𝜖.
𝑍
𝜖𝒱
0
ℒ−𝑡
Bounding the Truncated Path
Only need to control Int 𝜖 !
𝑍
𝜖𝒱
0
ℒ−𝑡
Bounding the Truncated Path
For 𝑟 ≥ 1, define
1
Int r =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍𝜖
2
1≤𝑠≤𝑟 𝑠(𝑦
𝜕𝒱 =
+ 𝐹𝑣 )
𝑣𝜖𝑉𝑅 𝐹𝑣
𝑍
0
ℒ−𝑡
Bounding the Truncated Path
For 𝑟 ≥ 1, define
1
Int r =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍𝜖
2
𝑦
0
𝑦 + 𝐹𝑣
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
Bounding the Truncated Path
For 𝑟 ≥ 1, define
1
Int r =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍𝜖
2
1≤𝑠≤𝑟 𝑠(𝑦
𝑦
0
𝑠≥1 𝑠(𝑦
+ 𝐹𝑣 )
+ 𝐹𝑣 )
Bounding the Truncated Path
For 𝑟 ≥ 1, define
1
Int r =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍𝜖
2
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
𝑟(𝑦 + 𝐹𝑣 )
𝑦
0
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
Bounding the Truncated Path
For 𝑟 ≥ 1, define
1
Int r =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍𝜖
2
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
𝑟(𝑦 + 𝐹𝑣 )
𝑦
0 𝑣
Pr 𝑍𝜖
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
𝑟
=
𝑣
0
𝑠(𝑦+𝐹𝑣 )
𝑣
2,𝑦
− 𝑣/2 𝑓 𝑥 dx ds
Bounding the Truncated Path
For 𝑟 ≥ 1, define
1
Int r =
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 Pr 𝑍𝜖
2
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
𝑟(𝑦 + 𝐹𝑣 )
𝑦
0 𝑣
Pr 𝑍𝜖
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
1≤𝑠≤𝑟 𝑠(𝑦
+ 𝐹𝑣 )
𝑟
=
𝑣
0
𝑠(𝑦+𝐹𝑣 )
𝑣
2 , 𝑥/𝑠
𝑓 𝑥 dx ds
Bounding the Truncated Path
Lemma: Int 𝜖 ≤ Int(1 𝜖), 0 < 𝜖 < 1.
1 𝜖 scaling of 𝜖-boundaries falls out of 𝒱.
𝜖𝒱
0
ℒ−𝑡
Bounding Int(1/𝜖)
Strategy: Show that Int(1 𝜖) grows slowly as
a function of 𝜖 by bounding its derivative.
Problem: Uniform measure on 𝒱 not smooth
enough.
Trick: Replace uniform distribution on 𝒱
by 𝑒 −𝑛 𝑥 𝒱 on ℝ𝑛 .
Equivalent to sampling
scaling 𝑐~ 𝑡 𝑛 𝑒 −𝑡𝑛 and 𝑋 ~ uniform(𝒱)
and returning 𝑍 ← 𝑐𝑋.
Bounding Int(1/𝜖)
Trick: Replace uniform distribution on 𝒱
by 𝑒 −𝑛 𝑥 𝒱 on ℝ𝑛 .
Equivalent to sampling
scaling 𝑐~ 𝑡 𝑛 𝑒 −𝑡𝑛 and 𝑋 ~ uniform(𝒱)
and returning 𝑍 ← 𝑐𝑋.
𝑐 𝜖 [1,1 +
1
] with constant probability.
𝑛
Expected number of crossings can only
decrease by a constant factor.
Bounding Int(1/𝜖)
Trick: Replace uniform distribution on 𝒱
by 𝑒 −𝑛 𝑥 𝒱 on ℝ𝑛 .
Equivalent to sampling
scaling 𝑐~ 𝑡 𝑛 𝑒 −𝑡𝑛 and 𝑋 ~ uniform(𝒱)
and returning 𝑍 ← 𝑐𝑋.
Smoothness: For Δ 𝒱 ≤ 1/𝑛,
𝑒 −𝑛 𝑥 𝒱 −1 ≤ 𝑒 −𝑛 𝑥+Δ 𝒱 ≤ 𝑒 −𝑛
𝑥 𝒱 +1 .
Bounding Int(1/𝜖)
For 𝑥 ∈ ℒ − 𝑡 + 𝜕𝒱,
let 𝜂 𝑥 = 𝑣 𝑣 2 denote the outer unit normal.
𝑣
𝑥
0
ℒ−𝑡
Bounding Int(1/𝜖)
𝑍~𝑓 𝑥 =
𝑛𝑛
𝑛!vol(𝒱)
𝑒 −𝑛
𝑥 𝒱.
Int 1 𝜖
=
1 𝜖1
1
2
=
1 𝜖
𝑓
1
𝑠(ℒ−𝑡+𝜕𝒱)
𝑦𝜖ℒ−𝑡,𝑣𝜖𝑉𝑅 𝑠(𝑦+𝐹𝑣 ) 𝑓
𝑥 | 𝜂 𝑥 𝑠 , 𝑥 𝑠 |dx ds
𝑥 | 𝜂 𝑥 𝑠 , 𝑥 𝑠 | dx ds
Bounding Int(1/𝜖)
1 𝜖
𝑓 𝑥 | 𝜂 𝑥 𝑠 , 𝑥 𝑠 | dx ds
1
𝑠(ℒ−𝑡+𝜕𝒱)
Idea: use smoothness of 𝑓(𝑥) + tiling property
to relate surface integral to integral over ℝ𝑛 .
0
𝑠(ℒ − 𝑡)
Bounding Int(1/𝜖)
1 𝜖
𝑓 𝑥 | 𝜂 𝑥 𝑠 , 𝑥 𝑠 | dx ds
1
𝑠(ℒ−𝑡+𝜕𝒱)
Idea: use smoothness of 𝑓(𝑥) + tiling property
to relate surface integral to integral over ℝ𝑛 .
0
𝑠(ℒ − 𝑡)
Bounding Int(1/𝜖)
1 𝜖
≤ 𝑂(𝑛)
1
1
𝑠
ℝ𝑛
𝑥
𝒱𝑓
𝑥 dx ds
Idea: use smoothness of 𝑓(𝑥) + tiling property
to relate surface integral to integral over ℝ𝑛 .
0
𝑠(ℒ − 𝑡)
Bounding Int(1/𝜖)
1 𝜖
≤𝑂 𝑛
1
1
ds = 𝑂 𝑛 log 1/𝜖
𝑠
Idea: use smoothness of 𝑓(𝑥) + tiling property
to relate surface integral to integral over ℝ𝑛 .
0
𝑠(ℒ − 𝑡)
Total Path Length
Phase a: 0
Phase b: n 𝑡
𝑍
𝑏
𝒱 /2
Phase c: O(𝑛) log 1/𝜖
𝑥
𝑍+𝑡
𝑐
𝑤𝑡
𝑦
𝑎0
ℒ
Conclusions
1.
Θ(2𝑛 ) speedup of Micciancio and Voulgaris CVPP
algorithm.
2. Tight relationship between geometric and path
distance on the Voronoi graph.
Open Problems
1. Can we get speedup for full MV CVP algorithm?
(need to solve 2𝑛 CVPs in 2𝑛 time!)
2. Are there any bad examples for the straight line
algorithm? Is randomness needed?
3. Can we make the path length strongly polynomial?
4. Can we compress the description of the Voronoi cell?
(know: {0, ±1} combinations of 𝑂(𝑛 log 𝑛) vectors!)
5. Does anything hold for general norms?
THANK YOU!