The Closest Vector is Hard to The Closest Vector is Hard to

ApproximateApproximateand now, for unlimited time onlyand now, for unlimited time only

with with PrePre--Processing !!Processing !!

The Closest Vector is Hard to The Closest Vector is Hard to

ApproximateApproximateand now, for unlimited time onlyand now, for unlimited time only

with with PrePre--Processing !!Processing !!

Nisheeth vishnoi

Subhash Khot

Michael Alekhnovich

Joint work with

Guy KindlerGuy KindlerMicrosoft ResearchMicrosoft Research

In this talk:In this talk:

LatticesLattices

The closest vector problem: backgroundThe closest vector problem: background

Our results: NP-hardness for Our results: NP-hardness for CV-PPCV-PP

Proving hardness with preprocessingProving hardness with preprocessing

Something about our proof: new property of Something about our proof: new property of

PCPsPCPs

A A lattice,lattice, LL: A discrete additive subgroup of : A discrete additive subgroup of RRnn..

A A basisbasis for for LL: : bb11,…,b,…,bnn22RRnn, s.t. , s.t. L={L={iiaaiibbii : :

aa11,..,a,..,ann22ZZ}}..

The Closest Vector Problem (The Closest Vector Problem (CVPCVP))The Closest Vector Problem (The Closest Vector Problem (CVPCVP))

The Closest Vector Problem (The Closest Vector Problem (CVPCVP))The Closest Vector Problem (The Closest Vector Problem (CVPCVP))

CVPCVP: Given a lattice : Given a lattice LL and a target vector and a target vector tt,,

find the point in find the point in LL closest to closest to tt in inllpp distance. distance.

[Regev Ronen 05][Regev Ronen 05] Hardness results in Hardness results in ll22 carry for any carry for any llpp..

[Ajtai Kumar Sivakumar 01]:[Ajtai Kumar Sivakumar 01]: 22O(nloglog(n)/log n)O(nloglog(n)/log n)=2=2o(n)o(n) approx. approx.

[Dinur Kindler Raz Safra 98]:[Dinur Kindler Raz Safra 98]: nnO(1/loglog n)O(1/loglog n)=n=no(1)o(1) hardness. hardness.

[Lagarias Lenstra Schnorr 90, Banaszczyk 93, Goldreich [Lagarias Lenstra Schnorr 90, Banaszczyk 93, Goldreich

Goldwasser 00, Aharonov Regev 04]Goldwasser 00, Aharonov Regev 04] NP-hardness of NP-hardness of (n/log (n/log

n)n)1/21/2 would collapse the polynomial hierarchy. would collapse the polynomial hierarchy.

Motivation for studying Motivation for studying CVPCVPMotivation for studying Motivation for studying CVPCVP

[Ajtai 96]:[Ajtai 96]: Worst case to average case reductions for Worst case to average case reductions for

lattice problems. lattice problems.

[Ajtai Dwork 97][Ajtai Dwork 97] Based cryptosystems on lattice Based cryptosystems on lattice

problems.problems.

[Goldreich Goldwasser Halevi 97][Goldreich Goldwasser Halevi 97] Cryptosystem based on Cryptosystem based on

CVPCVP..

[Micciancio Vadhan 03] [Micciancio Vadhan 03] Identification scheme based on Identification scheme based on

(n/log n)(n/log n)1/2 1/2 hardness for hardness for CVPCVP..tt – message.

LL – coding function: known in advance, and reused.

Is it safe to reuse Is it safe to reuse LL as key? as key?Is it safe to reuse Is it safe to reuse LL as key? as key?

CV-PPCV-PP: :

Preprocess Preprocess LL for unlimited time, for unlimited time,

Given Given tt, solve , solve CVPCVP on on LL,,tt..

[Kannan 87, Lagarias Lenstra Schnorr 90, Aharonov Regev ] [Kannan 87, Lagarias Lenstra Schnorr 90, Aharonov Regev ]

O(nO(n1/21/2))-approx. for -approx. for CV-PPCV-PP..

[Feige Micciancio 02][Feige Micciancio 02] (5/3)(5/3)1/p1/p approx. hardness for approx. hardness for CV-PPCV-PP..

[Regev 03][Regev 03] 331/p1/p approx. hardness for approx. hardness for CV-PPCV-PP..

Our ResultsOur ResultsOur ResultsOur Results

Thm:Thm: CV-PPCV-PP in NP-hard(!) to approximate within in NP-hard(!) to approximate within any any

constantconstant. Also applies to . Also applies to NC-PPNC-PP..

Unless NPUnless NPµµDTIME(DTIME(22polylog npolylog n), ),

NC-PPNC-PP is hard to approximate within is hard to approximate within (log n)(log n)1-1-

CV-PPCV-PP is hard to approximate within is hard to approximate within (log n)(log n)(1/p)-(1/p)-

1st Proof :1st Proof : By reduction from By reduction from E-k-HVCE-k-HVC [DGKR 03][DGKR 03]..

2nd proof:2nd proof: Using PCP-PP constructions, plus Using PCP-PP constructions, plus

smoothing smoothing technique of technique of [Khot 02][Khot 02]..

Proving hardness with Proving hardness with preprocessingpreprocessing

Proving hardness with Proving hardness with preprocessingpreprocessing

Hardness of approximation within gap Hardness of approximation within gap gg::

II22 ¦¦ )) dist(t,L)dist(t,L)·· d d

II ¦ ¦ )) dist(t,L)dist(t,L)¸̧ d d¢¢gg

I: Instance of

¦2NPC

I: Instance of

¦2NPCReductionReduction L , tL , t

Proving hardness with Proving hardness with preprocessingpreprocessing

Proving hardness with Proving hardness with preprocessingpreprocessing

I: Instance of

¦2NPC

I: Instance of

¦2NPCReductionReduction L , tL , t

Hardness of approximation within Hardness of approximation within gg, with preprocessing:, with preprocessing:

Size of ISize of I Partial Input Generator

Partial Input Generator

Preprocessed L

Preprocessed L

CV-PP

tt

II22 ¦ ¦ )) dist(t,L)dist(t,L)·· d d

II ¦¦ )) dist(t,L)dist(t,L)¸̧ d d¢¢gg

Hardness of approximation within gap Hardness of approximation within gap gg::

Size of ISize of I Partial Input Generator

Partial Input Generator

I: Instance of

¦2NPC

I: Instance of

¦2NPCReductionReduction

PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))

Preprocessed L

Preprocessed L

tt

CV-PP

LEFTLEFT

RIGHTRIGHT

PCP-PPII22 ¦ ¦ )) dist(t,L)dist(t,L)·· d d

II ¦ ¦ )) dist(t,L)dist(t,L)¸̧ d d¢¢gg

PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..

xx22+2xy=7+2xy=7xx22+z+z22=5=5

..

..

Size of ISize of I Partial Input Generator

Partial Input Generator

I: Instance of

¦2NPC

I: Instance of

¦2NPCReductionReduction

PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))

LEFTLEFT

RIGHTRIGHT

PCP-PPII22 ¦ ¦ ) ) opt(LEFT,RIGHT)=1opt(LEFT,RIGHT)=1

II ¦ ¦ ) ) opt(LEFT,RIGHT)opt(LEFT,RIGHT)··c<1c<1

PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..

xx22+2xy=7+2xy=7xx22+z+z22=5=5

..

..

Size of ISize of I Partial Input Generator

Partial Input Generator

I: Instance of

¦2NPC

I: Instance of

¦2NPCReductionReduction

PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))

LEFTLEFT

RIGHTRIGHT

PCP-PP

PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..

Size of ISize of I

I: Instance of

¦2NPC

I: Instance of

¦2NPC

PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))

LEFTLEFT

RIGHTRIGHT

Preprocessed L

Preprocessed L

tt

CV-PP

PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..

PCP-PP

PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))PCP with preprocessing (PCP with preprocessing (PCP-PPPCP-PP))

LEFT

RIGHT

PCP-PP

PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..

PCP-PPPCP-PP construction constructionPCP-PPPCP-PP construction construction

LEFTLEFT

RIGHTRIGHT

PCP-PP

PCPPCP: Gap version of Q: Gap version of Quadratic equationsuadratic equations..

Just (carefully) apply usual

PCP construction!

Just (carefully) apply usual

PCP construction!

Open problemsOpen problemsOpen problemsOpen problems

Get better hardness parameters for CV-PP Get better hardness parameters for CV-PP

(perhaps using methods from (perhaps using methods from [DKRS 98][DKRS 98]).).

Get improved hardness results for lattice Get improved hardness results for lattice

problems, under stronger assumptions than NPproblems, under stronger assumptions than NPP.P.

Find more uses for Find more uses for PCP-PPPCP-PP constructions. constructions.