Lattices that admit logarithmic worst-case to average-case connection factors

We exhibit an average-case problem that is as hard as finding γ(n)-approximate shortest nonzero vectors in certain n-dimensional lattices in the worst case, for γ(n) = O(√log n). The previously best known factor for any non-trivial class of lattices was γ(n) = Õ(n). Our results apply to families of lattices having special algebraic structure. Specifically, we consider lattices that correspond to ideals in the ring of integers of an algebraic number field. The worst-case problem we rely on is to find approximate shortest vectors in these lattices, under an appropriate form of preprocessing of the number field. For the connection factors γ(n) we achieve, the corresponding decision problems on ideal lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation problems still appear to be very hard. Indeed, ideal lattices are well-studied objects in computational number theory, and the best known algorithms for them seem to perform no better than the best known algorithms for general lattices. To obtain the best possible connection factor, we instantiate our constructions with infinite families of number fields having constant root discriminant. Such families are known to exist and are computable, though no efficient construction is yet known. Our work motivates the search for such constructions. Even constructions of number fields having root discriminant up to O(n2/3-ε) would yield connection factors better than Õ(n). As an additional contribution, we give reductions between various worst-case problems on ideal lattices, showing for example that the shortest vector problem is no harder than the closest vector problem. These results are analogous to previously-known reductions for general lattices.

[1]  Uriel Feige,et al.  The inapproximability of lattice and coding problems with preprocessing , 2004, J. Comput. Syst. Sci..

[2]  Jin-Yi Cai,et al.  Approximating the SVP to within a Factor (1+1/dimxi) Is NP-Hard under Randomized Reductions , 1999, J. Comput. Syst. Sci..

[3]  Venkatesan Guruswami,et al.  Constructions of codes from number fields , 2001, IEEE Trans. Inf. Theory.

[4]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in lattices , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[5]  Daniele Micciancio Almost Perfect Lattices, the Covering Radius Problem, and Applications to Ajtai's Connection Factor , 2003, SIAM J. Comput..

[6]  C. P. Schnorr,et al.  A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms , 1987, Theor. Comput. Sci..

[7]  J. Milne Algebraic Number Theory , 1992 .

[8]  Moni Naor,et al.  The hardness of decoding linear codes with preprocessing , 1990, IEEE Trans. Inf. Theory.

[9]  Ravi Kumar,et al.  A sieve algorithm for the shortest lattice vector problem , 2001, STOC '01.

[10]  Oded Goldreich,et al.  On the Limits of Nonapproximability of Lattice Problems , 2000, J. Comput. Syst. Sci..

[11]  Chris Peikert,et al.  Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices , 2006, TCC.

[12]  Jean-Pierre Seifert,et al.  Approximating Shortest Lattice Vectors is Not Harder Than Approximating Closest Lattice Vectors , 1999, Electron. Colloquium Comput. Complex..

[13]  Jin-Yi Cai,et al.  Approximating the SVP to within a factor (1 + 1/dimepsilon) is NP-hard under randomized reductions , 1997, Electron. Colloquium Comput. Complex..

[14]  Chih-Han Sah,et al.  Symmetric bilinear forms and quadratic forms , 1972 .

[15]  Miklós Ajtai,et al.  The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[16]  Daniele Micciancio,et al.  The hardness of the closest vector problem with preprocessing , 2001, IEEE Trans. Inf. Theory.

[17]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[18]  Kenneth S. Williams,et al.  Introductory Algebraic Number Theory , 2003 .

[19]  Gilles Brassard,et al.  Relativized cryptography , 1979, 20th Annual Symposium on Foundations of Computer Science (sfcs 1979).

[20]  Sean Hallgren,et al.  Fast quantum algorithms for computing the unit group and class group of a number field , 2005, STOC '05.

[21]  Cynthia Dwork,et al.  A public-key cryptosystem with worst-case/average-case equivalence , 1997, STOC '97.

[22]  S. Lang Algebraic Number Theory , 1971 .

[23]  Gisbert Wüstholz,et al.  A panorama in number theory or the view from Baker's garden , 2002 .

[24]  Daniele Micciancio,et al.  The shortest vector in a lattice is hard to approximate to within some constant , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[25]  Chris Peikert,et al.  Limits on the Hardness of Lattice Problems in ell _p Norms , 2007, CCC.

[26]  Ravi Kumar,et al.  On Polynomial-Factor Approximations to the Shortest Lattice Vector Length , 2003, SIAM J. Discret. Math..

[27]  Oded Goldreich,et al.  On basing one-way functions on NP-hardness , 2006, STOC '06.

[28]  Oded Regev,et al.  Tensor-based hardness of the shortest vector problem to within almost polynomial factors , 2007, STOC '07.

[29]  H. Lenstra,et al.  Algorithms in algebraic number theory , 1992, math/9204234.

[30]  W. Banaszczyk New bounds in some transference theorems in the geometry of numbers , 1993 .

[31]  Oded Goldreich,et al.  Collision-Free Hashing from Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[32]  Jin-Yi Cai,et al.  A new transference theorem in the geometry of numbers and new bounds for Ajtai's connection factor , 2003, Discret. Appl. Math..

[33]  Jin-Yi Cai,et al.  An improved worst-case to average-case connection for lattice problems , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[34]  Henri Cohen,et al.  A course in computational algebraic number theory , 1993, Graduate texts in mathematics.

[35]  Chris Peikert,et al.  Limits on the Hardness of Lattice Problems in ℓp Norms , 2008, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[36]  Denis Simon Construction de polynômes de petits discriminants , 1999 .

[37]  Henri Cohen,et al.  A Table of Totally Complex Number Fields of Small Discriminants , 1998, ANTS.

[38]  N. J. A. Sloane,et al.  Sphere Packings, Lattices and Groups , 1987, Grundlehren der mathematischen Wissenschaften.

[39]  Daniele Micciancio,et al.  Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[40]  Oded Regev,et al.  Lattice problems and norm embeddings , 2006, STOC '06.

[41]  Amnon Ta-Shma,et al.  New connections between derandomization, worst-case complexity and average-case complexity , 2006, Electron. Colloquium Comput. Complex..

[42]  Alan Kay User Interface, or User Interference? , 2004, IUI '04.

[43]  Dorit Aharonov,et al.  Lattice problems in NP ∩ coNP , 2005, JACM.

[44]  Daniele Micciancio,et al.  Generalized Compact Knapsacks Are Collision Resistant , 2006, ICALP.

[45]  Jin-Yi Cai,et al.  Approximating the Svp to within a Factor ? , 2007 .

[46]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[47]  Oded Regev,et al.  New lattice based cryptographic constructions , 2003, STOC '03.

[48]  Wojciech Banaszczyk,et al.  Inequalities for convex bodies and polar reciprocal lattices inRn , 1995, Discret. Comput. Geom..

[49]  H. Lenstra,et al.  Codes from algebraic number fields , 1986 .

[50]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[51]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.