Worst-case to average-case reductions based on Gaussian measures

We show that finding small solutions to random modular linear equations is at least as hard as approximating several lattice problems in the worst case within a factor almost linear in the dimension of the lattice. The lattice problems we consider are the shortest vector problem, the shortest independent vectors problem, the covering radius problem, and the guaranteed distance decoding problem (a variant of the well-known closest vector problem). The approximation factor we obtain is $n \log^{O(1)} n$ for all four problems. This greatly improves on all previous work on the subject starting from Ajtai’s seminal paper [Generating hard instances of lattice problems, in Complexity of Computations and Proofs, Quad. Mat. 13, Dept. Math., Seconda Univ. Napoli, Caserta, Italy, 2004, pp. 1-32] up to the strongest previously known results by Micciancio [SIAM J. Comput., 34 (2004), pp. 118-169]. Our results also bring us closer to the limit where the problems are no longer known to be in NP intersect coNP. Our main tools are Gaussian measures on lattices and the high-dimensional Fourier transform. We start by defining a new lattice parameter which determines the amount of Gaussian noise that one has to add to a lattice in order to get close to a uniform distribution. In addition to yielding quantitatively much stronger results, the use of this parameter allows us to simplify many of the complications in previous work. Our technical contributions are twofold. First, we show tight connections between this new parameter and existing lattice parameters. One such important connection is between this parameter and the length of the shortest set of linearly independent vectors. Second, we prove that the distribution that one obtains after adding Gaussian noise to the lattice has the following interesting property: the distribution of the noise vector when conditioning on the final value behaves in many respects like the original Gaussian noise vector. In particular, its moments remain essentially unchanged.

[1]  Oded Regev,et al.  New lattice based cryptographic constructions , 2003, STOC '03.

[2]  Oded Goldreich,et al.  On the Limits of Nonapproximability of Lattice Problems , 2000, J. Comput. Syst. Sci..

[3]  W. Banaszczyk New bounds in some transference theorems in the geometry of numbers , 1993 .

[4]  Daniele Micciancio,et al.  Improving Lattice Based Cryptosystems Using the Hermite Normal Form , 2001, CaLC.

[5]  Oded Goldreich,et al.  Collision-Free Hashing from Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[6]  Venkatesan Guruswami,et al.  The complexity of the covering radius problem , 2004, Proceedings. 19th IEEE Annual Conference on Computational Complexity, 2004..

[7]  Jin-Yi Cai,et al.  A new transference theorem in the geometry of numbers and new bounds for Ajtai's connection factor , 2003, Discret. Appl. Math..

[8]  Jin-Yi Cai,et al.  An improved worst-case to average-case connection for lattice problems , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[9]  Cynthia Dwork,et al.  A public-key cryptosystem with worst-case/average-case equivalence , 1997, STOC '97.

[10]  Luca Trevisan,et al.  On worst-case to average-case reductions for NP problems , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[11]  Daniele Micciancio Almost Perfect Lattices, the Covering Radius Problem, and Applications to Ajtai's Connection Factor , 2003, SIAM J. Comput..

[12]  László Babai,et al.  On Lovász’ lattice reduction and the nearest lattice point problem , 1986, Comb..

[13]  Daniele Micciancio,et al.  Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[14]  W. Hoeffding Probability Inequalities for sums of Bounded Random Variables , 1963 .

[15]  Wolfgang Ebeling,et al.  Lattices and Codes: A Course Partially Based on Lectures by Friedrich Hirzebruch , 1994 .

[16]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[17]  Jean-Pierre Seifert,et al.  On the complexity of computing short linearly independent vectors and short bases in a lattice , 1999, STOC '99.

[18]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[19]  Shafi Goldwasser,et al.  Complexity of lattice problems , 2002 .

[20]  Daniele Micciancio A Note on the Minimal Volume of Almost Cubic Parallelepipeds , 2003, Discret. Comput. Geom..

[21]  Jean-Pierre Seifert,et al.  Approximating Shortest Lattice Vectors is Not Harder Than Approximating Closest Lattice Vectors , 1999, Electron. Colloquium Comput. Complex..

[22]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in lattices , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.