1

The Complexity of Lattice Problems

Oded Regev, Tel Aviv University

Amsterdam, May 2010

(for more details, see LLL+25 survey)

Lattice

v1 v2

0

2v1v1+v2 2v2

2v2-v1

2v2-2v1

• For vectors v1,…,vn in Rn we define the lattice generated by them as

L={a1v1+…+anvn | ai integers}

• We call v1,…,vn a basis of L

3

• Lattice problems are among the richest problems in complexity theory, exhibiting a wide range of behaviors:– Some problems are in P (as shown by LLL)– Some problems are NP-hard– Some problems are not known to be in P, but

believed not to be NP-hard• As a rule of thumb, ‘algebraic’ problems

are easy; ‘geometric’ problems are hard

Lattices from a Computational Complexity Point of View

4• GapSVP: Given a lattice, decide if the length of the shortest vector is:– YES: less than 1– NO: more than

Shortest Vector Problem (SVP)

0

v2

v1

5

• GapCVP: Given a lattice and a point v, decide if the distance of v from the lattice is:– YES: less than 1– NO: more than

• GapSVP is not harder than GapCVP [GoldreichMicciancioSafraSeifert99]

• Both problems are clearly in NP (for any )

Closest Vector Problem (CVP)

0

v2

v1

v

6

• Polytime algorithms for gap 2n loglogn/logn

[LLL82,Schnorr87,AjtaiKumarSivakumar02]• Hardness is known for:

– GapCVP: nc/loglogn [vanEmdeBoas81…,DinurKindlerRazSafra03]

– GapSVP: 1 in l1 [vanEmdeBoas81] 1 [Ajtai96]

2 [Micciancio98] 2^(log½-εn) [Khot04]

nc/loglogn [HavivR07]

Known Results

2n loglogn/logn

P

1

NP-hard

nc/loglogn?n

Cryptography[Ajtai96,AjtaiDwork97

…]

7

Known ResultsLimits on Inapproximability

• GapCVPn 2 NP∩coNP [LagariasLenstraSchnorr90,

Banaszczyk93]• GapCVPn/logn 2 NP∩coAM

[GoldreichGoldwasser98]• GapCVPn 2 NP∩coNP [AharonovRegev04]1 2n loglogn/logn

NP-hard P

nn

NP∩coNPNP∩coAMNP∩coNP

nc/loglogn

8

What’s ahead?

1. GapCVPn/logn 2 NP∩coAM [GoldreichGoldwasser98]

2. GapCVPn 2 NP∩coNP [AharonovRegev04]

9

What’s ahead?

1. GapCVPn/logn 2 coAM [GoldreichGoldwasser98]

2. GapCVPn 2 coNP [AharonovRegev04]

10

Chapter I

GapCVPn in coAM

[GoldreichGoldwasser98]

Chapter I

GapCVPn in coAM

[GoldreichGoldwasser98]

11

Given:

- Lattice L (specified by a basis) - Point v

We want to:

Be convinced that v is far from L by interacting with an (all powerful) prover (using a constant number of rounds)

Our Goal

12

The Idea

13

Basic High-dimensional Geometry

• How big is the intersection of two balls of radius 1 in n dimensions whose centers are at distance apart?– When 2, balls disjoint– When =0, balls exactly overlap – When =0.1, intersection is exponentially

small– When =1/n, intersection is constant

fraction

14

The Protocol

• Flip a fair coin– If heads, choose a random point in L+B– If tails, choose a random point in

L+B+v• Send the resulting point to the

prover• The prover is supposed to tell

whether the coin was heads of tails

(Can be implemented efficiently)

15

Demonstration of Protocol

16

Demonstration of Protocol

17

Analysis

• If dist(v,L)>2 then prover can always answer correctly

• If dist(v,L)<1/n then with some constant probability, the prover has no way to tell what the coin outcome was– Hence we catch the prover cheating with

some constant probability

• This completes the proof

18

Chapter II

GapCVPn in coNP

[AharonovR04]

Chapter II

GapCVPn in coNP

[AharonovR04]

19

Given:

- Lattice L (specified by a basis) - Point v

We want:

A witness for the fact that v is far from L

Our Goal

20

Overview

Step 1: Define fIts value depends on the distance from L:

– Almost zero if distance > n – More than zero if distance < log n

Step 2: Encode f Show that the function f has a short description

Step 3: Verifier Construct the NP verifier

21

Step 1:

Define f

Step 1:

Define f

22

The function fConsider the Gaussian:

Periodize over L:

Normalize by g(0):

Ly

yxexLxg2

)()(

2

)( xex

)0()()( gxgxf

23

The function f (pictorially)

24

f distinguishes between far and close vectors

(a) d(x,L)≥n f(x)≤2-Ω(n)

(b) d(x,L)≤logn f(x)>n-5

Proof: (a) [Banaszczyk93] (b) Not too difficult

25

Step 2:

Encode f

Step 2:

Encode f

26

The function f (again)

Ly

yxexg2

)(

)0()()( gxgxf

Let’s consider its Fourier transform !

27

f ̂ is a probability distribution

LxZxwwL ,|*

Claim: f ̂ : L*R+ is a probability distribution on L*

g is a convolution of a Gaussian and δL

Proof:

..

*

0ˆ)(ˆ

22

wo

Lweewgw

Lx

*

2

2

)0()(ˆ)(ˆ

Lz

z

w

e

egwgwf

28

f as an expectation

*

,2)(ˆ)(Lw

wxiewfxf

In fact, it is an expectation of a real variable between -1 and 1:

Chernoff

][ ,2ˆ

wxi

fweE

)],2[cos()( ˆ

wxExffw

29

Encoding f

(Chernoff) This is true even pointwise!

)],2[cos()( ˆ

wxExffw

Pick W=(w1,w2,…,wN) with N=poly(n)

according to the f ̂ distribution on L*

N

jjNW wxxf

1

1 ),2cos()(

)()( xfxf W

30

The Approximating Function

N

jjNW wxxf

1

1 ),2cos()(

(with N=1000 dual vectors)

31

Interlude: CVPP

GapCVPP Solve GapCVP on a preprocessed lattice

(allowed infinite computational power, but before seeing v)

(ideas led to [MicciancioVoulgaris10]’s recent deterministic 2n algorithm for lattice problems)

Algorithm for GapCVPP: Prepare the function fW in advance; When given v, calculate fW(v).

Algorithm for GapCVPP(n/logn) (best known!)

32

This concludes Step 2: Encode f

The encoding is a list W of vectors in L*fW(x) ≈ f(x)

This concludes Step 2: Encode f

The encoding is a list W of vectors in L*fW(x) ≈ f(x)

33

Step 3:

NP Verifier

Step 3:

NP Verifier

34

The Verifier (First Attempt)

Given input L,v, and witness W, accept iff 1. fW (v) < n-10, and

2. fW(x) > n-5 for all x within distance logn from L• This verifier is correct

• But: how to check (2) efficiently?

- First check that fW is periodic over L (true if W in L*)

- Then check that >n-5 around origin

• We don’t know how to do this for distance logn

• Instead, we do this for distance 0.01

0.01

35

The Verifier (Second Attempt)

Given input L,v, and witness W, accept iff

1. fW (v) < n-10, and

2. w1,…,wN L*, and

3. 100

)(,,

2

2

u

Wn

x

xfux

2 implies that fW is periodic on L:

N

jjNW

n wyxyxfLyx1

1 ),2cos()(,,

N

jjjN wywx

1

1 ),2,2cos( )(xfW

36

The Verifier (Second Attempt)

-0.2

0

0.2

0.4

0.6

0.8

1

1.2

f W(x

)

0 .01-.01

1)0( Wf

0)0(

u

W

x

f

Given input L,v, and witness W, accept iff

1. fW (v) < n-10, and

2. w1,…,wN L*, and

3. 100

)(,,

2

2

u

Wn

x

xfux

3 implies that fW is at least 0.8 within distance 0.01 of the origin:

37

The Final Verifier

NwwwW .......21

Given input L,v, and witness W, accept iff

1. fW (v) < n-10, and

2. w1,…,wN L*, and

3. ||WWT||<N where

N

jju

TTu

T wuuuWWWW1

211 ,maxmax

3 checks that in any direction the w’s are not too long:

38

The Final Verifier Given input L,v, and witness W, accept

iff 1. fW (v) < n-10, and

2. w1,…,wN L*, and

3. ||WWT||<N where

NwwwW .......21

),2cos(,4)(

1

22

2

2

xwuwNx

xfj

N

jj

u

W

10044

,4)( 22

1

22

2

2

TTTN

jj

u

W WWN

uuWWN

uwNx

xf

41

Conclusion and Open Questions

• Lattice problems with approximation factors >n are unlikely to be NP-hard– These are the problems used for crypto– Can we say anything about their

hardness?• Perhaps relate to hardness of other

problems, say factoring?• Extremely important question for crypto

• Can the containment in NP∩coNP be improved to (n/logn) or even below?

42

Thanks!