Closest Vector with Pre-Processing.

Download Report

Transcript Closest Vector with Pre-Processing. 

The Closest Vector is Hard to Approximate
and now, for unlimited time only
with Pre-Processing !!
Guy Kindler
Microsoft Research
Joint work with
Nisheeth
vishnoi
Subhash
Khot
Michael
Alekhnovich
In this talk:
Lattices
The closest vector problem: background
Our results: NP-hardness for CV-PP
Proving hardness with preprocessing
Something about our proof: new property of PCPs
A lattice, L:
A discrete additive subgroup of Rn.
A basis for L: b1,…,bn2Rn, s.t. L={iaibi : a1,..,an2Z}.
The Closest Vector Problem (CVP)
The Closest Vector Problem (CVP)
 CVP: Given a lattice L and a target vector t,
find the point in L closest to t in lp distance.
 [Regev Ronen 05] Hardness results in l2 carry for any lp.
 [Ajtai Kumar Sivakumar 01]: 2O(nloglog(n)/log n)=2o(n) approx.
 [Dinur Kindler Raz Safra 98]: nO(1/loglog n)=no(1) hardness.
 [Lagarias Lenstra Schnorr 90, Banaszczyk 93, Goldreich Goldwasser 00,
Aharonov Regev 04] NP-hardness of (n/log n)1/2 would
collapse the polynomial hierarchy.
Motivation for studying CVP
 [Ajtai 96]: Worst case to average case reductions for lattice
problems.
 [Ajtai Dwork 97] Based cryptosystems on lattice problems.
 [Goldreich Goldwasser Halevi 97] Cryptosystem based on CVP.
 [Micciancio Vadhan 03] Identification scheme based on
(n/log n)1/2 hardness for CVP.
t – message.
L – coding function: known in advance, and reused.
Is it safe to reuse L as key?
 CV-PP:
Preprocess L for unlimited time,
Given t, solve CVP on L,t.
 [Kannan 87, Lagarias Lenstra Schnorr 90, Aharonov Regev ]
O(n1/2)-approx. for CV-PP.
 [Feige Micciancio 02] (5/3)1/p approx. hardness for CV-PP.
 [Regev 03] 31/p approx. hardness for CV-PP.
Our Results
 Thm: CV-PP in NP-hard(!) to approximate within
any
constant. Also applies to NC-PP.
 Unless NPµDTIME(2polylog n),
NC-PP is hard to approximate within (log n)1-
CV-PP is hard to approximate within (log n)(1/p)-
 1st Proof : By reduction from E-k-HVC [DGKR 03].
 2nd proof: Using PCP-PP constructions, plus smoothing
technique of [Khot 02].
Proving hardness with preprocessing
 Hardness of approximation within gap g:
I: Instance of
¦2NPC
Reduction
I2 ¦ )
dist(t,L)· d
I ¦ )
dist(t,L)¸ d¢g
L,t
Proving hardness with preprocessing
 Hardness of approximation within gap
g, with
g: preprocessing:
Size of I
I: Instance of
¦2NPC
Partial Input
Generator
Reduction
I2 ¦ )
dist(t,L)· d
I ¦ )
dist(t,L)¸ d¢g
Preprocessed
L
L
t ,t
CV-PP
PCP with
x2+2xy=7
x2+z2=5
preprocessing
.
.
(PCP-PP)
 PCP: Gap version of Quadratic equations.
Size of I
I: Instance of
¦2NPC
Partial Input
Generator
Preprocessed
LEFT
L
Reduction
t
RIGHT
I2 ¦ )
dist(t,L)· d
I ¦ )
dist(t,L)¸ d¢g
PCP-PP
CV-PP
PCP with
x2+2xy=7
x2+z2=5
preprocessing
.
.
(PCP-PP)
 PCP: Gap version of Quadratic equations.
Size of I
I: Instance of
¦2NPC
Partial Input
Generator
LEFT
Reduction
RIGHT
I2 ¦ ) opt(LEFT,RIGHT)=1
I ¦ ) opt(LEFT,RIGHT)·c<1
PCP-PP
PCP with preprocessing (PCP-PP)
 PCP: Gap version of Quadratic equations.
Size of I
I: Instance of
¦2NPC
Partial Input
Generator
LEFT
Reduction
RIGHT
PCP-PP
PCP with preprocessing (PCP-PP)
 PCP: Gap version of Quadratic equations.
Size of I
I: Instance of
¦2NPC
LEFT
Preprocessed
L
RIGHT
t
PCP-PP
CV-PP
PCP with preprocessing (PCP-PP)
 PCP: Gap version of Quadratic equations.
LEFT
RIGHT
PCP-PP
PCP-PP construction
 PCP: Gap version of Quadratic equations.
LEFT
RIGHT
PCP-PP
Open problems
 Get better hardness parameters for CV-PP (perhaps
using methods from [DKRS 98]).
 Get improved hardness results for lattice problems,
under stronger assumptions than NPP.
 Find more uses for PCP-PP constructions.