Worst-case to average-case reductions based on Gaussian measures

We show that solving modular linear equations on the average is at least as hard as approximating several lattice problems in the worst case within a factor almost linear in the rank of the lattice. The lattice problems we consider are the shortest vector problem, the shortest independent vectors problem and the covering radius problem. The approximation factor we obtain is O(n) for all three problems. This greatly improves on all previous work on the subject starting from Ajtai's seminal paper (STOC, 1996), up to the strongest previously known results by Micciancio (STOC, 2002). Our results also bring us closer to the limit where the problems are no longer known to be in NP ∩ coNP. Our main tools are Gaussian measures on lattices and the high-dimensional Fourier transform. We start by defining a new lattice parameter which determines the amount of Gaussian noise that one has to add to a lattice in order to get close to a uniform distribution. In addition to yielding quantitatively much stronger results, the use of this parameter allows us to simplify many of the complications in previous work. Our technical contributions are two-fold. First, we show tight connections between this new parameter and existing lattice parameters. One such important connection is between this parameter and the length of the shortest set of linearly independent vectors. Second, we prove that the distribution that one obtains after adding Gaussian noise to the lattice has the following interesting property: the distribution of the noise vector when conditioning on the final value behaves in many respects like the original Gaussian noise vector. In particular, its moments remain essentially unchanged.
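The idea of "enough Gaussian noise to look uniform modulo the lattice" can be checked numerically in one dimension. The following is an added example, not code or notation from the paper: it assumes the lattice cZ, a noise density of (1/s)·exp(-πt²/s²), and a threshold on statistical distance chosen for illustration rather than the paper's formal definition of its parameter; all function names are hypothetical.

```python
import math

def wrapped_density(x, s, c=1.0, terms=25):
    """Density at x of Gaussian noise of width s reduced modulo the lattice cZ.

    Assumed noise density: (1/s) * exp(-pi * t^2 / s^2). By Poisson summation the
    wrapped density is a Fourier series over the dual lattice (1/c)Z whose k-th
    coefficient is exp(-pi * (s*k/c)^2). Accurate for s >= 0.3*c with 25 terms.
    """
    series = 1.0
    for k in range(1, terms + 1):
        coeff = math.exp(-math.pi * (s * k / c) ** 2)
        series += 2.0 * coeff * math.cos(2.0 * math.pi * k * x / c)
    return series / c

def wrapped_density_direct(x, s, c=1.0, shifts=40):
    """Same density, computed by summing the Gaussian over lattice translates."""
    return sum(math.exp(-math.pi * ((x + j * c) / s) ** 2) / s
               for j in range(-shifts, shifts + 1))

def distance_from_uniform(s, c=1.0, grid=800):
    """Statistical distance between the wrapped noise and uniform on [0, c)."""
    h = c / grid  # midpoint rule over one fundamental region
    return 0.5 * h * sum(abs(wrapped_density((i + 0.5) * h, s, c) - 1.0 / c)
                         for i in range(grid))

def noise_needed(eps, c=1.0):
    """Smallest width s in [0.3c, 4c] with distance <= eps, found by bisection."""
    lo, hi = 0.3 * c, 4.0 * c
    for _ in range(40):
        mid = 0.5 * (lo + hi)
        if distance_from_uniform(mid, c) <= eps:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    for s in (0.5, 1.0, 1.5, 2.0):
        print(f"s={s}: distance to uniform = {distance_from_uniform(s):.3e}")
    print("width for eps=0.01 on Z :", round(noise_needed(0.01), 3))
    print("width for eps=0.01 on 2Z:", round(noise_needed(0.01, c=2.0), 3))
```

The distance falls off like exp(-πs²/c²), so the required width scales linearly with the lattice spacing and only slowly with the target closeness.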
