Voronoi Graph and the Closest Vector Problem with Preprocessing Daniel Dadush Centrum Wiskunde en Informatica Joint work with Nicolas Bonifas École Polytechnique
Slide1
Short Paths on the Voronoi Graph and the Closest Vector Problem with Preprocessing
Daniel Dadush
Centrum Wiskunde en Informatica
Joint work with Nicolas Bonifas (École Polytechnique & IBM)
Slide2
Lattices
A lattice is all integral combinations of some basis. denotes lattice generated by .
Note: a lattice has many equivalent bases.
Slide3
Closest Vector Problem (CVP)
Given: Lattice basis , target .
Goal: Compute minimizing .
Slide4
CVP with Preprocessing (CVPP)
Given: Lattice basis , , target .
Goal: Compute minimizing .
Preprocess can be any function of the lattice basis , and need not be computationally bounded.
Limit Preprocess by the size of the generated advice (i.e. polynomial, exponential, etc. in enc-size(B)).
Slide5
CVP with Preprocessing (CVPP)
Given: Lattice basis , , target .
Goal: Compute minimizing .
Remark: Most solvers for CVP can be decoupled into a preprocessing phase and a search phase.
Slide6
Applications
1. Lattice based Cryptography: Encrypt messages as perturbed lattice points.
2. Error Correcting Codes: Lattice points are codewords, want to correct against Gaussian perturbations. Basic model in wireless communications.
3. Discretizing / Compressing continuous data: Round continuous source to “low distortion” lattice. Used for speech, image, video data.
Slide7
Hardness
/ : compute approximate solution.
Lattice dimension is .
: NP-hard for [DKRS 03, ABSS 93].
with polynomial advice:
NP-hard any constant [AKKV 05, Reg. 04, FM 04].
Hard for , fixed assuming ). [KPV 12, AKKV 05].
Slide8
Algorithms for CVP
Method | Apx | Time | Space | Authors
Basis Reduction | | | | LLL 83, Sch. 85, Bab. 86, MV 10
 | | | | LLL 83, Kan. 87, …, HS 08
Randomized Sieve | | | | AKS 01, AKS 02, BN 07
Voronoi Cell | | | | SFS 09, MV 10
Slide9
Algorithms for CVP
Preprocessing: Short lattice basis .
Search Phase: Compute coefficients of closest vector with respect to using search tree.
Method | Apx | Time | Space | Authors
Basis Reduction | | | | LLL 83, Sch. 85, Bab. 86, MV 10
 | | | | LLL 83, Kan. 87, …, HS 08
Randomized Sieve | | | | AKS 01, AKS 02, BN 07
Voronoi Cell | | | | SFS 09, MV 10
Slide10
Algorithms for CVP
Iteratively clusters exponentially many “random” lattice points to construct closer & closer vectors.
Only gives a probabilistic guarantee on the output (Monte Carlo).
Method | Apx | Time | Space | Authors
Basis Reduction | | | | LLL 83, Sch. 85, Bab. 86, MV 10
 | | | | LLL 83, Kan. 87, …, HS 08
Randomized Sieve | | | | AKS 01, AKS 02, BN 07
Voronoi Cell | | | | SFS 09, MV 10
Slide11
Algorithms for CVP
Preprocessing: Compute facets of Voronoi cell.
Search Phase: Directed search over Voronoi graph to find closest vector.
Method | Apx | Time | Space | Authors
Basis Reduction | | | | LLL 83, Sch. 85, Bab. 86, MV 10
 | | | | LLL 83, Kan. 87, …, HS 08
Randomized Sieve | | | | AKS 01, AKS 02, BN 07
Voronoi Cell | | | | SFS 09, MV 10
Slide12
Main Result
CVP with Preprocessing [D.-Bonifas 14]: Using the Voronoi cell as preprocessing, can compute closest vectors in expected time.
Speeds up the search phase of the Micciancio-Voulgaris algorithm by a factor.
Slide13
Main Result
Theorem [D.-Bonifas 14]: CVP is polynomial time equivalent to separation over the Voronoi cell.
Micciancio-Voulgaris algorithm requires calls to a Voronoi cell separator.
Slide14
Main Result
Theorem [D.-Bonifas 14]: CVP is polynomial time equivalent to separation over the Voronoi cell.
Will assume facet separator.
Can be derived from weaker separator*.
Slide15
Outline
1. Voronoi Cell based Algorithms: Micciancio-Voulgaris CVPP algorithm.
2. Faster navigation of the Voronoi graph: Randomized path finding algorithm.
3. Summary and Open Problems.
Slide16
Voronoi Cell
The Voronoi of a lattice is
Slide17
Voronoi Cell
The Voronoi of a lattice is
Slide18
Voronoi Cell
The Voronoi of a lattice is
Slide19
Voronoi Cell
tiles space with respect to .
Slide20
Voronoi relevant vectors
Define halfspace .
The Voronoi relevant vectors are the minimal subset such that .
Theorem [Voronoi]:
Slide21
Voronoi relevant vectors
For , such that where is a closest vector to in .
Can compute by solving CVPs!
Slide22
CVP and Voronoi Cells
CVP: Compute center of Voronoi cell containing .
Slide23
CVP and Voronoi Cells
closest vector to .
Slide24
CVP and Voronoi Cells
.
Can perform check in time.
Slide25
Voronoi Graph
Graph on .
if and only if .
Slide26
Voronoi based CVP algorithms
Idea: Build path along Voronoi graph from to using .
Slide27
Voronoi based CVP algorithms
Question: What is the most efficient way to traverse the Voronoi graph?
Slide28
Sommer, Feder, Shalvi 09: Iterative Slicer
While
Find such that .
Update .
Slide29
Sommer, Feder, Shalvi 09: Iterative Slicer
Showed only finite termination.
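Added example (not part of the original slides): the iterative slicer run end to end on a small lattice, with the Voronoi relevant vectors as the preprocessing advice. The slide's formulas did not survive extraction, so the step rule used here (subtract a relevant v whenever <t, v> > <v, v>/2) is the standard form of the slicer and is an assumption about what the slide showed; the basis, target and function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

def dot(x, y):
    return sum(a * b for a, b in zip(x, y))

def voronoi_relevant(basis, box=3):
    """Preprocessing. By Voronoi's characterization, v is relevant iff +v and -v
    are the only shortest vectors of the coset v + 2L. Brute force; assumes the
    basis is short enough that coefficients in [-box, box] reach every coset's
    shortest vectors (true for the constructed 2D basis below)."""
    cosets = {}
    for coeffs in product(range(-box, box + 1), repeat=len(basis)):
        parity = tuple(c % 2 for c in coeffs)
        if any(parity):  # skip the trivial coset 2L
            v = tuple(sum(c * b[i] for c, b in zip(coeffs, basis))
                      for i in range(len(basis[0])))
            cosets.setdefault(parity, []).append(v)
    relevant = []
    for vectors in cosets.values():
        shortest = min(dot(v, v) for v in vectors)
        ties = [v for v in vectors if dot(v, v) == shortest]
        if len(ties) == 2:  # exactly +v and -v
            relevant.extend(ties)
    return relevant

def iterative_slicer(target, relevant):
    """Search phase. While t lies outside the Voronoi cell, some relevant v has
    <t, v> > <v, v>/2; subtracting it strictly shrinks ||t||. Returns the
    closest lattice vector (target minus the reduced t) and the step count."""
    t = tuple(Fraction(x) for x in target)
    steps = 0
    while True:
        v = next((v for v in relevant if 2 * dot(t, v) > dot(v, v)), None)
        if v is None:
            break
        t = tuple(a - b for a, b in zip(t, v))
        steps += 1
    return tuple(Fraction(x) - r for x, r in zip(target, t)), steps

# Constructed sample input: a 2D lattice basis and an exact rational target.
BASIS = [(2, 0), (1, 2)]
TARGET = (Fraction("7.3"), Fraction("5.1"))

if __name__ == "__main__":
    vr = voronoi_relevant(BASIS)
    closest, steps = iterative_slicer(TARGET, vr)
    print(sorted(vr), [int(c) for c in closest], steps)
```

Exact rationals keep the membership test free of rounding error, so the loop stops exactly when the reduced target lies in the closed Voronoi cell.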
Slide30
Voronoi Norm
Norm with respect to
Computable in time.
Slide31
Micciancio, Voulgaris 10
While
Find such that . Update .
Slide32
Micciancio, Voulgaris 10
Theorem: If , then the MV path from to the closest vector to on has length at most .
Why is this enough?
Can assure by rounding coordinates of w.r.t. a basis of VR vectors.
Use MV path iteratively to find closest vector to in , for down to .
Total runtime: .
Slide33
Micciancio, Voulgaris 10
Why is this enough?
Shift so that by coordinate rounding.
For to
Starting from a closest vector to in follow MV path to closest vector in .
Since , the distance to under decreases by a factor at each iteration.
Total runtime: .
Slide34
Micciancio, Voulgaris 10
Theorem: If , , then the MV path from to the closest vector to on has length at most .
1. After each move from to , can show and .
2. . Each point corresponds to a closest vector to in , for some .
Slide35
Micciancio, Voulgaris 10
MV subgraph on .
Slide36
Micciancio, Voulgaris 10
CVP: Want to compute .
Slide37
Micciancio, Voulgaris 10
is a closest vector in .
Slide38
Micciancio, Voulgaris 10
Move to closest vector in .
Slide39
Micciancio, Voulgaris 10
Move to closest vector in .
Slide40
Micciancio, Voulgaris 10
Move to closest vector in .
Slide41
Micciancio, Voulgaris 10
Why is this enough?
Shift so that by coordinate rounding.
For to
Starting from a closest vector to in follow MV path to closest vector in .
Since , the distance to under decreases by a factor at each iteration.
Each iteration requires time (case .
Slide42
Micciancio, Voulgaris 10
Why is this enough?
Shift so that by coordinate rounding.
For to
Starting from a closest vector to in follow MV path to closest vector in .
Since , the distance to under decreases by a factor at each iteration.
Total runtime: .
Slide43
Micciancio, Voulgaris 10
How to compute initial shift of ?
Compute such that .
Take linearly independent.
Write .
Let .
Replace by .
Unshift CVP solution by at the end.
Slide44
Navigating the Voronoi Graph
Question: Is there a polynomial sized path from the origin to the target Voronoi cell?
If so, can each step of the path be computed in time?
Implies time algorithm for CVPP.
Answer: Yes! *
* path length depends polynomially on bit size of basis of and target .
Slide45
Straight Line Algorithm
How many cells does this cross?
Slide46
Straight Line Algorithm
Initial analysis in [MV 10].
Gives worse bounds…
Slide47
Straight Line Algorithm
Initial analysis in [MV 10].
Don’t have any bad examples!
Slide48
Randomized Straight Line
What if we add randomness to the process?
Slide49
Randomized Straight Line
Sample a “random” .
Path: .
Slide50
Randomized Straight Line
How long is path when going between lattice points?
Let’s restrict to the case .
Slide51
Path Lengths on the Voronoi Graph
Path from to : where .
Theorem: Expected path length bounded by .
Corollary: For , .
Proof: Write , , . .
Slide52
Randomized Straight Line
a.
b.
c.
where .
Slide53
Bounding the number of crossings
Phase a+c: crossings
Phase b: ???
Slide54
Bounding the number of crossings
Slide55
Bounding the number of crossings
depends only on distribution of .
is uniform
is uniform!
Slide56
Bounding the number of crossings
Slide57
Bounding the number of crossings
Slide58
Bounding the number of crossings
Slide59
Bounding the number of crossings
.
Can save a factor of with a more careful analysis.
Slide60
Path for General Targets
Sampling from is expensive (MCMC methods needed).
Can we use a simpler distribution for ?
Let be an ellipsoid such that .
Slide61
Path for General Targets
Sampling from is expensive (MCMC methods needed).
Can we use a simpler distribution for ?
Let be an ellipsoid such that .
Path from to : where . (admits linear time sampler!)
Theorem: Path traverses , after at most steps in expectation.
Slide62
Path for General Targets
a.
b.
c.
where .
Slide63
Bounding the number of crossings
Phase a:
Phase c: ???
Phase b:
Slide64
Bounding the number of crossings
Don’t know how to bound Phase c…
Slide65
Truncating the Path
Follow phase c line until we reach such that .
Slide66
Truncating the Path
Slide67
Truncating the Path
Need to bound number of intersections from to .
Slide68
Bounds for General Targets
Path from to : where .
Theorem: Path traverses , after at most steps in expectation.
Lemma: Assume and and that . If and , then .
Gives poly dependence on bit description of and .
Slide69
The Last Mile
Density
Slide70
The Last Mile
Total number of intersections:
Slide71
The Last Mile
Total number of intersections:
Slide72
The Last Mile
Total number of intersections:
Slide73
The Last Mile
Total number of intersections:
Slide74
Bounding the Truncated Path
expected # of intersections with boundaries at distance .
Slide75
Bounding the Truncated Path
Only need to control !
Slide76
Bounding the Truncated Path
For , define
Slide77
Bounding the Truncated Path
For , define
Slide78
Bounding the Truncated Path
For , define
Slide79
Bounding the Truncated Path
For , define
Slide80
Bounding the Truncated Path
For , define
Slide81
Bounding the Truncated Path
For , define
Slide82
Bounding the Truncated Path
Lemma: , .
scaling of -boundaries falls out of .
Slide83
Bounding Int()
Strategy: Show that grows slowly as a function of by bounding its derivative.
Problem: Uniform measure on not smooth enough.
Trick: Replace uniform distribution on by on . Equivalent to sampling scaling and and returning .
Slide84
Bounding Int()
Trick: Replace uniform distribution on by on . Equivalent to sampling scaling and and returning .
with constant probability.
Expected number of crossings can only decrease by a constant factor.
Slide85
Bounding Int()
Trick: Replace uniform distribution on by on . Equivalent to sampling scaling and and returning .
Smoothness: For , .
Slide86
Bounding Int()
For , let denote the outer unit normal.
Slide87
Bounding Int()
.
Slide88
Bounding Int()
Idea: use smoothness of + tiling property to relate surface integral to integral over .
Slide89
Bounding Int()
Idea: use smoothness of + tiling property to relate surface integral to integral over .
Slide90
Bounding Int()
Idea: use smoothness of + tiling property to relate surface integral to integral over .
Slide91
Bounding Int()
Idea: use smoothness of + tiling property to relate surface integral to integral over .
Slide92
Total Path Length
Phase a:
Phase c:
Phase b:
Slide93
Conclusions
speedup of Micciancio and Voulgaris CVPP algorithm.
Tight relationship between geometric and path distance on the Voronoi graph.
Slide94
Open Problems
Can we get speedup for full MV CVP algorithm? (need to solve CVPs in time!)
Are there any bad examples for the straight line algorithm? Is randomness needed?
Can we make the path length strongly polynomial?
Can we compress the description of the Voronoi cell? (know: combinations of vectors!)
Does anything hold for general norms?
Slide95
THANK YOU!