Lattice problem

Lattice problem

In computer science, lattice problems are a class of optimization problems on lattices. The conjectured intractability of such problems is central to construction of secure lattice-based cryptosystems. For applications in such cryptosystems, lattices over vector spaces (often \mathbb{Q}^n) or free modules (often \mathbb{Z}^n) are generally considered.

For all the problems below, assume that we are given (in addition to other more specific inputs) a basis for the vector space V and a norm N. The norms usually considered are L2. However, other norms (such as Lp) are also considered and show up in variety of results.[1] Let λ(L) denote the length of the shortest non-zero vector in the lattice L:  \lambda(L)=\mathbf{min} \{ \|v\|_N | v \in \mathbf{L}, v \neq 0  \}
.

Contents

Shortest vector problem (SVP)

In SVP, a basis of a vector space V and a norm N (often L2) are given for a lattice L and one must find the shortest non-zero vector in V, as measured by N, in L. In other words, the algorithm should output a non-zero vector v such that N(v) = λ(L).

In the γ-approximation version SVPγ, one must find a non-zero lattice vector of length at most γλ(L).

Known results

The exact version of the problem is NP-hard.[2] Approach techniques: Lenstra–Lenstra–Lovász lattice basis reduction algorithm produces a "relatively short vector" in polynomial time, but does not solve the problem. Kannan's HKZ basis reduction algorithm solves the problem in n^{\frac{n}{2 e} + o(n)} time where n is the dimension. Lastly, Schnorr presented a technique that interpolates between LLL and HKZ called Block Reduction. Block reduction works with HKZ bases and if the number of blocks is chosen to be larger than the dimension, the resulting algorithm Kannan's full HKZ basis reduction.

GapSVP

The problem GapSVPβ consists of differentiating between the instances of SVP in which the answer is at most 1 or larger than β, where β can be a fixed function of n, the number of vectors. Given a basis for the lattice, the algorithm must decide whether \lambda(L) \leq 1 or λ(L) > β. Like other promise problems, the algorithm is allowed to err on all other cases.

Yet another version of the problem is GapSVPζ,γ for some functions ζ,γ. The input to the algorithm is a basis B and a number d. It is assured that all the vectors in the Gram–Schmidt orthogonalization are of length at least 1, and that \lambda(L(B)) \leq \zeta(n) and that 1 \leq d \leq \zeta(n)/\gamma(n) where n is the dimension. The algorithm must accept if \lambda(L(B)) \leq d, and reject if \lambda(L(B)) \geq \gamma(n).d. For large ζ (ζ(n) > 2n / 2), the problem is equivalent to GapSVPγ because[3] a preprocessing done using the LLL algorithm makes the second condition (and hence, ζ) redundant.

Closest vector problem (CVP)

In CVP, a basis of a vector space V and a metric M (often L2) are given for a lattice L, as well as a vector v in V but not necessarily in L. It is desired to find the vector in L closest to v (as measured by M). In the γ-approximation version CVPγ, one must find a lattice vector at distance at most γ.

Relationship with SVP

It is a more general case of the shortest vector problem. It is easy[4] to show that given an oracle for CVPγ (defined below), one can solve SVPγ by making some queries to the oracle. The naive method to find the shortest vector by calling the CVPγ oracle to find the closest vector to 0 does not work because 0 is itself a lattice vector and the algorithm could potentially output 0.

The reduction from SVPγ to CVPγ is as follows: Suppose that the input to the SVPγ problem is the basis for lattice B=[b_1,b_2,\ldots,b_n]. Consider the basis B^i=[b_1,\ldots,2b_i,\ldots,b_n] and let xi be the vector returned by CVPγ(Bi,bi). The claim is that the shortest vector in the set {xibi} is the shortest vector in the given lattice.

Known results

Goldreich et al.[5] showed that any hardness of SVP implies the same hardness for CVP. Using PCP tools, Arora et al.[6] showed that CVP is hard to approximate within factor 2^{\log^{1-\epsilon}(n)} unless NP \subseteq DTIME(2^{poly(\log n)}). Dinur et al.[7] strengthened this by giving a NP-hardness result with \epsilon=(\log \log n)^c for c < 1 / 2.

Sphere decoding

The algorithm for CVP, especially the Fincke and Pohst variant[8], have been used, for example, for data detection in multiple-input multiple-output (MIMO) wireless communication systems (for coded and uncoded signals).[9] [10]

The Fincke-Pohst algorithm was applied in the field of the integer ambiguity resolution of carrier-phase GNSS (GPS). [11]

GapCVP

This problem is similar to the GapSVP problem. For GapCVPβ, the input consists of a lattice basis and a vector v and the algorithm must answer whether

  • there is a lattice vector such that the distance between it and v is at most 1.
  • every lattice vector is at a distance greater than β away from v.

Known results

The problem is trivially contained in NP for any approximation factor.

Schnorr[12], in 1987, showed that deterministic polynomial time algorithms can solve the problem for \beta=2^{O(n(\log \log n)^2/\log n)}. Ajtai et al.[13] showed that probabilistic algorithms can achieve a slightly better approximation factor of β = 2O(nlog log n / log n)

In 1993, Banaszczyk[14] showed that GapCVPn is in NP \cap coNP. In 2000, Goldreich and Goldwasser[15] showed that \beta=\sqrt{n/\log n} puts the problem in both NP and coAM. In 2005, Ahoronov and Regev[16] showed that for some constant c, the problem with \beta=c\sqrt{n} is in NP \cap coNP.

For lower bounds, Dinur et al.[17] showed in 1998 that the problem is NP-hard for β = no(1 / log log n).

Shortest independent vector problem (SIVP)

Given a lattice L of dimension n, the algorithm must output n linearly independent v_1, v_2, \ldots, v_n so that \max \|v_i\| < \max_{B} \|b_i\| where the right hand side considers all basis B=\{b_1,\ldots,b_n\} of the lattice.

In the γ-approximate version, given a lattice L with dimension n, find n linearly independent vectors v_1, v_2,\ldots, v_n of length max ||vi|| ≤ γλ(L)

Bounded distance decoding

This problem is similar to CVP. Given a vector such that its distance from the lattice is at most λ(L) / 2, the algorithm must output the closest lattice vector to it.

Covering radius problem

Given a basis for the lattice, the algorithm must find the largest distance (or in some versions, its approximation) from any vector to the lattice.

Shortest basis problem

Many problems become easier if the input basis consists of short vectors. An algorithm that solves the Shortest Basis Problem (SBP) must, given an lattice basisB, output an equivalent basis B' such that the length of the longest vector in B' is as short as possible.

The approximation version SBPγ problem consist of finding a basis whose longest vector is at most γ times longer than the longest vector in the shortest basis.

Use in cryptography

Average case hardness of problems forms a basis for proofs-of-security for most cryptographic schemes. However, experimental evidence suggests that most NP-hard problems lack this property: they are probably only worst case hard. Many lattice problems have been conjectured or proven to be average-case hard, making them an attractive class of problems to base cryptographic schemes on. Moreover, worst-case hardness of some lattice problems have been used to create secure cryptographic schemes. The use of worst-case hardness in such schemes makes them among the very few schemes that are very likely secure even against Quantum computers.

The above lattice problems are easy to solve if the algorithm is provided with a "good" basis. Lattice reduction algorithms aim, given a basis for a lattice, to output a new basis consisting of relatively short, nearly orthogonal vectors. The LLL algorithm[18] was an early efficient algorithm for this problem which could output a almost reduced lattice basis in polynomial time. This algorithm and its further refinements were used to break several cryptographic schemes, establishing its status as a very important tool in cryptanalysis. The success of LLL on experimental data led to a belief that lattice reduction might be an easy problem in practice. However, this belief was challenged when in the late 1990s, several new results on the hardness of lattice problems were obtained, starting with the result of Ajtai.[19]

In his seminal papers[19][20], Ajtai showed that the SVP problem was NP-hard and discovered some connections between the worst-case complexity and average-case complexity of some lattice problems. Building on these results, Ajtai and Dwork[21] created a public-key cryptosystem whose security could be proven using only the worst case hardness of a certain version of SVP, thus making it the first[22] result to have used worst-case hardness to create secure systems.

See also

  • Lattice-based cryptography
  • Learning with errors

References

  1. ^ Subhash Khot, "Hardness of approximating the shortest vector problem in lattices," J. ACM 52, no. 5 (2005): 789–808.
  2. ^ van Emde Boas, P. 1981. Another NP-complete problem and the complexity of computing short vectors in a lattice. Tech. rep., University of Amsterdam, Department of Mathematics, Netherlands. Technical Report 8104
  3. ^ Chris Peikert, "Public-key cryptosystems from the worst-case shortest vector problem: extended abstract," in Proceedings of the 41st annual ACM symposium on Theory of computing (Bethesda, MD, USA: ACM, 2009), 333–342, http://portal.acm.org/citation.cfm?id=1536414.1536461.
  4. ^ Daniele Micciancio and Shafi Goldwasser, Complexity of lattice problems (Springer, 2002)
  5. ^ O. Goldreich et al., "Approximating shortest lattice vectors is not harder than approximating closet lattice vectors," Inf. Process. Lett. 71, no. 2 (1999): 55–61.
  6. ^ Sanjeev Arora et al., "The hardness of approximate optima in lattices, codes, and systems of linear equations," J. Comput. Syst. Sci. 54, no. 2 (1997): 317–331.
  7. ^ I. Dinur et al., "Approximating CVP to Within Almost-Polynomial Factors is NP-Hard," Combinatorica 23, no. 2 (2003): 205–243.
  8. ^ Fincke, U. and Pohst, M., "Improved Methods for Calculating Vectors of Short Length in a Lattice, Including a Complexity Analysis," Math. Comp., vol. 44, no. 170, pp. 463–471, 1985.
  9. ^ Biglieri, E. and Calderbank, R. and Constantinides, A. and Goldsmith, A. and Paulraj, A. and Poor, H. V., MIMO Wireless Communications, Cambridge U. P., Cambridge, 2007.
  10. ^ Agrell, E. and Eriksson, T. and Vardy, A. and Zeger, K., "Closest Point Search in Lattices," IEEE Trans. Inform. Theory, vol. 48, no. 8, pp. 2201–2214, 2002. http://dx.doi.org/10.1109/TIT.2002.800499.
  11. ^ Hassibi, A. and Boyd, S., Integer Parameter Estimation in Linear Models with Applications to GPS, IEEE Trans. Sig. Proc., 46, 11, 2938--2952, 1998.
  12. ^ C. P. Schnorr, Factoring integers and computing discrete logarithms via diophantine approximation, Advances in Cryptology: Proceedings of Eurocrypt '91
  13. ^ Miklós Ajtai, Ravi Kumar, and D. Sivakumar, "A sieve algorithm for the shortest lattice vector problem," in Proceedings of the thirty-third annual ACM symposium on Theory of computing (Hersonissos, Greece: ACM, 2001), 601–610, http://portal.acm.org/citation.cfm?doid=380752.380857
  14. ^ W. Banaszczyk, New bounds in some transference theorems in the geometry of numbers, Math. Ann. 296 (1993) 625–635.
  15. ^ Oded Goldreich and Shafi Goldwasser, "On the limits of non-approximability of lattice problems," in Proceedings of the thirtieth annual ACM symposium on Theory of computing (Dallas, Texas, United States: ACM, 1998), 1–9, http://portal.acm.org/citation.cfm?id=276704.
  16. ^ Aharonov, Dorit; Oded Regev (2005). "Lattice problems in NP \cap coNP". J. ACM 52 (5): 749–765. doi:10.1145/1089023.1089025. http://portal.acm.org/citation.cfm?id=1089025. 
  17. ^ I. Dinur, G. Kindler, and S. Safra, "Approximating-CVP to within Almost-Polynomial Factors is NP-Hard," in Proceedings of the 39th Annual Symposium on Foundations of Computer Science (IEEE Computer Society, 1998), 99, http://portal.acm.org/citation.cfm?id=796466.
  18. ^ {A. K. Lenstra, H. W. Lenstra, Jr., L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), 515–534.}
  19. ^ a b M. Ajtai, "Generating hard instances of lattice problems (extended abstract)," in Proceedings of the twenty-eighth annual ACM symposium on Theory of computing (Philadelphia, Pennsylvania, United States: ACM, 1996), 99–108, http://portal.acm.org/citation.cfm?id=237838
  20. ^ Miklós Ajtai, "The shortest vector problem in <italic>L<subscrpt>2</subscrpt></italic> is <italic>NP</italic>-hard for randomized reductions (extended abstract)," in Proceedings of the thirtieth annual ACM symposium on Theory of computing (Dallas, Texas, United States: ACM, 1998), 10–19, http://portal.acm.org/citation.cfm?id=276705
  21. ^ Miklós Ajtai and Cynthia Dwork, "A public-key cryptosystem with worst-case/average-case equivalence," in Proceedings of the twenty-ninth annual ACM symposium on Theory of computing (El Paso, Texas, United States: ACM, 1997), 284–293, http://portal.acm.org/citation.cfm?id=258604
  22. ^ 1Jin-Yi Cai, "The Complexity of Some Lattice Problems," in Algorithmic Number Theory, 2000, 1–32, http://dx.doi.org/10.1007/10722028_1
  • Daniele Micciancio: The Shortest Vector Problem is {NP}-hard to approximate to within some constant. SIAM Journal on Computing. 2001,
  • Phong Q. Nguyen and Jacques Stern, "Lattice Reduction in Cryptology: An Update," in Proceedings of the 4th International Symposium on Algorithmic Number Theory (Springer-Verlag, 2000), 85–112, http://portal.acm.org/citation.cfm?id=749906.
  • Agrell, E.; Eriksson, T.; Vardy, A.; Zeger, K.. "Closest Point Search in Lattices". IEEE Trans. Inform. Theory 48 (8): 2201–2214. doi:10.1109/TIT.2002.800499. 

Wikimedia Foundation. 2010.

Игры ⚽ Нужна курсовая?

Look at other dictionaries:

  • Congruence lattice problem — In mathematics, the congruence lattice problem asks whether every algebraic distributive lattice is isomorphic to the congruence lattice of some other lattice. The problem was posed by Robert P. Dilworth, and for many years it was one of the most …   Wikipedia

  • Lattice based cryptography — is the generic term for asymmetric cryptographic primitives based on lattice. HistoryLattice have first been discovered by mathematicans Lagrange and Gauss. Lattice have been used laterly in computer algorithms and in cryptanalysis. In 1996 Atjai …   Wikipedia

  • Lattice sieving — is a technique for finding smooth values of a bivariate polynomial f(a,b) over a large region. It is almost exclusively used in connection with the number field sieve.The algorithm implicitly involves the ideal structure of the number field of… …   Wikipedia

  • Lattice gas automaton — Lattice gas automata (LGA) or lattice gas cellular automata (LGCA) methods are a series of cellular automata methods used to simulate fluid flows. It was the precursor to the lattice Boltzmann methods. From the LGCA, it is possible to derive the… …   Wikipedia

  • Lattice problems — In the following computational problems on lattices are described. These problems are essential for lattice based cryptosystems.The Shortest Vector Problem (SVP)In SVP, a basis B of a lattice L is given and one must find the shortest non zero… …   Wikipedia

  • Lattice (group) — A lattice in the Euclidean plane. In mathematics, especially in geometry and group theory, a lattice in Rn is a discrete subgroup of Rn which spans the real vector space Rn. Every lattice in Rn …   Wikipedia

  • Lattice QCD — In physics, lattice quantum chromodynamics (lattice QCD) is a theory of quarks and gluons formulated on a space time lattice. That is, it is a lattice model of quantum chromodynamics, a special case of a lattice gauge theory or lattice field… …   Wikipedia

  • Lattice reduction — In mathematics, the goal of lattice basis reduction is given an integer lattice basis as input, to find a basis with short, nearly orthogonal vectors. This is realized using different algorithms, whose running time is usually at least exponential …   Wikipedia

  • Particle in a one-dimensional lattice (periodic potential) — In quantum mechanics, the particle in a one dimensional lattice is a problem that occurs in the model of a periodic crystal lattice. The problem can be simplified from the 3D infinite potential barrier (particle in a box) to a one dimensional… …   Wikipedia

  • Free lattice — In mathematics, in the area of order theory, a free lattice is the free object corresponding to a lattice. As free objects, they have the universal property. The word problem for free lattices is also challenging.Formal definitionAny set X may be …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”