## Worst-case to average-case reductions based on Gaussian measures (2004)

### Other Repositories/Bibliography

Venue: SIAM J. on Computing

Citations: 88 - 17 self

### BibTeX

```bibtex
@INPROCEEDINGS{Micciancio04worst-caseto,
    author = {Daniele Micciancio and Oded Regev},
    title = {Worst-case to average-case reductions based on Gaussian measures},
    booktitle = {SIAM J. on Computing},
    year = {2004},
    pages = {372--381},
    publisher = {IEEE Computer Society}
}
```

### Abstract

We show that finding small solutions to random modular linear equations is at least as hard as approximating several lattice problems in the worst case within a factor almost linear in the dimension of the lattice. The lattice problems we consider are the shortest vector problem, the shortest independent vectors problem, the covering radius problem, and the guaranteed distance decoding problem (a variant of the well known closest vector problem). The approximation factor we obtain is $n \log^{O(1)} n$ for all four problems. This greatly improves on all previous work on the subject starting from Ajtai’s seminal paper (STOC, 1996), up to the strongest previously known results by Micciancio (SIAM J. on Computing, 2004). Our results also bring us closer to the limit where the problems are no longer known to be in NP intersect coNP. Our main tools are Gaussian measures on lattices and the high-dimensional Fourier transform. We start by defining a new lattice parameter which determines the amount of Gaussian noise that one has to add to a lattice in order to get close to a uniform distribution. In addition to yielding quantitatively much stronger results, the use of this parameter allows us to simplify many of the complications in previous work. Our technical contributions are two-fold. First, we show tight connections between this new parameter and existing lattice parameters. One such important connection is between this parameter and the length of the shortest set of linearly independent vectors. Second, we prove that the distribution that one obtains after adding Gaussian noise to the lattice has the following interesting property: the distribution of the noise vector when conditioning on the final value behaves in many respects like the original Gaussian noise vector. In particular, its moments remain essentially unchanged.

### Citations

1567 | Probability inequalities for sums of bounded random variables
- Hoeffding
- 1963

Citation Context: ... only one oracle call. The third follows similarly with the use of Lemma 5.18. 5.4 Shortest vector problem. In this subsection we reduce GapSVP to SIS′. Let us first recall Hoeffding’s inequality [15], which states the following. Let $X_1, \ldots, X_N$ be $N$ independent random variables, such that for all $i$, $X_i \in [a, b]$. Then $S_N = \sum_i X_i$ satisfies $\Pr\{S_N \ge \mathrm{Exp}[S_N] + N\epsilon\} \le e^{-N\epsilon^2/(b-a)^2}$. (14) We will ...

750 | Factoring polynomials with rational coefficients
- Lenstra, Lenstra, et al.
- 1982

Citation Context: ...ion from GDD$^{\lambda_n}_{\gamma'}$ to IncGDD$^{\lambda_n}_{\gamma,g}$ where $\gamma'(n) = (2^n/g(n)) + 2\gamma(n)$. Proof: Given a lattice $B$ and a target $t$, we want to find a lattice vector close to $t$. Using the LLL lattice reduction algorithm [17], we can efficiently compute a basis $S$ of $L(B)$ such that $\|S\| \le 2^n \lambda_n(B)$. Let $\tilde{\lambda}_n = \|S\|/2^n$ and notice that $\tilde{\lambda}_n \le \lambda_n(B) \le 2^n \tilde{\lambda}_n$. The reduction then calls the IncGDD oracle on input (B, S, t, $2^i$ · ˜ ...

245 | On Lovász lattice reduction and the nearest lattice point problem
- Babai
- 1986

Citation Context: ...$\gamma(n) = \sqrt{n}/2$ and $\phi = \lambda_n$. Often, $\|S\|$ is much larger than $r$, so the dominant part in the distance bound is $\|S\|/g$, or $\|S\|/4$ for our choice of parameters. Notice that using the nearest plane algorithm [4] one can always find (in polynomial time) a lattice point within distance $(\sqrt{n}/2)\|S\|$ from any target. Here we are trying to do much better than that. However, it is not always possible to find a latt...

212 | A public-key cryptosystem with worst-case/average-case equivalence
- Ajtai, Dwork
- 1997

Citation Context: ...h that $g(n) \le a f(n) \log^c f(n)$ for all sufficiently large $n$. ³ The main result of [24] is a lattice based encryption scheme. This encryption scheme, as the one in the original work of Ajtai and Dwork [3], is also based on the unique shortest vector problem. Constructing an encryption scheme based on other lattice problems such as the shortest vector problem is a major open problem. In other words, ...

169 | Generating hard instances of lattice problems
- Ajtai
- 2004

128 | Complexity of lattice problems: A cryptographic perspective
- Micciancio, Goldwasser
- 2002

Citation Context: ...tion factor $\gamma(n)$, there is a polynomial time reduction from GapSVP$_\gamma$ to GapCVP$'_\gamma$. Proof: In [13] it is shown that for any $\gamma$, there is a deterministic Cook reduction from GapSVP$_\gamma$ to GapCVP$_\gamma$ (see also [23]). Here we observe that the same reduction can be used as a reduction from GapSVP$_\gamma$ to GapCVP$'_\gamma$. To see this, it suffices to know that on input GapSVP$_\gamma$ instance $(B, d)$, all the GapCVP$_\gamma$ calls made by ...

85 | On the limits of nonapproximability of lattice problems
- Goldreich, Goldwasser

Citation Context: ...us problem.) Beside the fact that all known hardness results are only for subpolynomial approximation factors, all three problems have been shown to be in coAM for $O(\sqrt{n/\log n})$ approximation factors [11, 14] (see also [1, 14] where the problems are shown to be in coNP for $O(\sqrt{n})$ factors), giving evidence⁶ that the problems are not NP-hard within such factors. Still, one might conjecture that some of the...

73 | New bounds in some transference theorems in the geometry of numbers
- Banaszczyk
- 1993

Citation Context: ...vements and simplifications for similar results about cyclic lattices. Gaussian distributions: The use of Gaussian distributions in the study of lattices is standard in mathematics (see, for example, [5]). In computer science, they have been recently used in [8, 24, 1]. In [1], for example, Gaussian distributions are used to prove that certain lattice problems are in coNP. We believe that a large par...

68 | Hardness of approximating the shortest vector problem in lattices
- Khot

Citation Context: ...property of the smoothing parameter that conveys the intuition behind our definition. See Definition 3.1 for the actual definition. factors of the form $2^{(\log n)^{1/2-\epsilon}}$ (for any $\epsilon > 0$) has been shown [16] under the assumption⁵ that $\mathrm{NP} \ne \mathrm{RP}$ or $\mathrm{NP} \not\subseteq \mathrm{BPTIME}(2^{\mathrm{polylog}(n)})$ respectively. No hardness result (under deterministic or probabilistic reductions) is currently known for the covering radius problem...

60 | Collision-free hashing from lattice problems
- Goldreich, Goldwasser, et al.
- 1996

Citation Context: ...ments bring us closer to factors for which lattice problems are not known to be in NP ∩ coNP. This is discussed in Subsection 1.2. 1.1 Our techniques. The reduction: In this paper, as in previous work [2, 12, 9, 21, 24], we consider the problem of reducing worst-case instances of lattice approximation problems (e.g., finding short lattice vectors) to the problem of finding small solutions to random linear equations ...

56 | An improved worst-case to average-case connection for lattice problems
- Cai, Nerurkar

Citation Context: ...actors for which the hardness of approximating these lattice problems in the worst case implies that the function $f_A$ is one-way on the average. The factors implicit in Ajtai’s proof are rather large: [9] estimates all these factors to be larger than $n^8$. In subsequent developments the factors have been improved, leading to the currently best known results of Micciancio [21]: the subset-sum function ...

52 | On worst-case to average-case reductions for NP problems
- Bogdanov, Trevisan

Citation Context: ...vious queries and hence can be performed all at once. It is known that unless the polynomial hierarchy collapses, no average-case problem can be shown to be NP-hard under non-adaptive reductions. See [7] and references therein for a more accurate description of these results. Here, we observe that our reductions can be made non-adaptive with only a slight worsening of the approximation factors obtain...

50 | Generalized compact knapsacks, cyclic lattices, and efficient one-way functions
- Micciancio

Citation Context: ...her with the fact that we do not need to start from a large cube, allows us to obtain a much cleaner and simpler reduction. The ideas and techniques presented in this paper have been recently used in [22] to obtain analogous improvements and simplifications for similar results about cyclic lattices. Gaussian distributions: The use of Gaussian distributions in the study of lattices is standard in mathe...

48 | Approximating shortest lattice vectors is not harder than approximating closest lattice vectors
- Goldreich, Micciancio, et al.
- 1999

Citation Context: ...ence between GapCVP′ and the standard problem GapCVP, is that when the target is far from the lattice, also any odd multiple of the target is far and the minimum distance of the lattice is large. In [13] it is shown that there is a polynomial time reduction from GapSVP$_\gamma$ to GapCVP$_\gamma$. We observe that the reduction given in [13] is also a reduction from GapSVP$_\gamma$ to GapCVP$'_\gamma$, as shown in the following l...

45 | New lattice-based cryptographic constructions
- Regev

Citation Context: ...rs can be further reduced by $\sqrt{n}$ if certain sequences of “almost perfect” easily decodable lattices exist, and conjectured a reduction achieving factors as low as $\tilde{O}(n^{1.5})$. In a recent work of Regev [24], a similar result was shown based on worst-case instances of a problem known as the $\tilde{O}(n^{1.5})$-unique shortest vector problem. This problem is a special case of the shortest vector problem in which the...

43 | The shortest vector problem is NP-hard to approximate to within some constant
- Micciancio
- 1998

Citation Context: ... $A$ as $\Delta(X, Y) = \frac{1}{2} \sum_{a \in A} |\Pr\{X = a\} - \Pr\{Y = a\}|$. ⁵ No true NP-hardness result (i.e., under deterministic polynomial time reductions) is currently known for SVP even in its exact version. However, [19] showed that if a certain number theoretic conjecture on the distribution of square-free smooth numbers holds true, then SVP is NP-hard (under deterministic polynomial time Karp reductions) for any fa...

32 | Almost perfect lattices, the covering radius problem, and applications to Ajtai’s connection factor
- Micciancio

Citation Context: ...’s proof are rather large: [9] estimates all these factors to be larger than $n^8$. In subsequent developments the factors have been improved, leading to the currently best known results of Micciancio [21]: the subset-sum function $f_A$ is hard to invert (in fact, even collision resistant) on the average, provided any of the following problems is hard in the worst case: • Computing a set of $n$ linearly ind...

30 | On the complexity of computing short linearly independent vectors and short bases in a lattice
- Blömer, Seifert
- 1999

Citation Context: ...the NP-hardness of approximating the length of the shortest linearly independent set within any constant and, under the stronger assumption $\mathrm{NP} \not\subseteq \mathrm{DTIME}(2^{\mathrm{polylog}(n)})$, within $2^{(\log n)^{1-\epsilon}}$ for any $\epsilon > 0$ [6]. For the shortest vector problem, hardness within any constant approximation factor or ⁴ The actual definition of smoothing parameter involves the dual lattice, and it is rather technical. Here we on...

30 | Improving Lattice Based Cryptosystems Using the Hermite Normal Form
- Micciancio
- 2001

Citation Context: ...B = {0}. ¹¹ In fact, no uniform probability distribution can be defined over a lattice (or other countably infinite set) or over the entire space. Formally, in order to define this property we follow [18] and capture the intuition of “starting from a random lattice point” by working modulo the lattice. See Section 4 for details, and [18] for more motivations and explanations about working modulo the l...

27 | Lattice problems in NP intersect coNP
- Aharonov, Regev
- 2004

Citation Context: ...c lattices. Gaussian distributions: The use of Gaussian distributions in the study of lattices is standard in mathematics (see, for example, [5]). In computer science, they have been recently used in [8, 24, 1]. In [1], for example, Gaussian distributions are used to prove that certain lattice problems are in coNP. We believe that a large part of our technical contribution is in the study of these Gaussian ...

10 | The complexity of the covering radius problem
- Guruswami, Micciancio, et al.
- 2005

Citation Context: ...IME($2^{\mathrm{polylog}(n)}$) respectively. No hardness result (under deterministic or probabilistic reductions) is currently known for the covering radius problem, although the problem is conceivably hard. (See [14] for further discussion of the complexity of the covering radius problem.) Beside the fact that all known hardness results are only for subpolynomial approximation factors, all three problems have bee...

8 | A New Transference Theorem in the Geometry of Numbers. Submitted to The
- Cai
- 1999

Citation Context: ...c lattices. Gaussian distributions: The use of Gaussian distributions in the study of lattices is standard in mathematics (see, for example, [5]). In computer science, they have been recently used in [8, 24, 1]. In [1], for example, Gaussian distributions are used to prove that certain lattice problems are in coNP. We believe that a large part of our technical contribution is in the study of these Gaussian ...

3 | Lattices and codes. Advanced Lectures in Mathematics. Friedr. Vieweg
- Ebeling
- 2002

Citation Context: ... the shortest maximal set of independent vectors. Fourier transform: We briefly review some of the important properties of the Fourier transform. For a more precise and in-depth treatment, see, e.g., [10]. The Fourier transform of a function $h : \mathbb{R}^n \mapsto \mathbb{R}$ is defined to be $\hat{h}(w) = \int_{\mathbb{R}^n} h(x) e^{-2\pi i \langle x, w \rangle}\,dx$. From the definition we can obtain several useful formulas; first, if $h$ is defined by $h(x) = g(x + v)$...

3 | A note on the minimal volume of almost cubic parallelepiped
- Micciancio
- 2002

Citation Context: ... distance $\gamma\lambda_n(B)/4\sqrt{n}$ from the corresponding vector $2^i \tilde{\lambda}_n e_j$. Since the length of the latter is strictly greater than $\gamma\lambda_n(B)/4$, it follows that the columns of $S_i$ are linearly independent (see, e.g., [20]). Finally, by the triangle inequality, each vector in $S_i$ has length at most $2^i \tilde{\lambda}_n + \gamma\lambda_n(B)/4\sqrt{n} \le \gamma\lambda_n(B)/2 + \gamma\lambda_n(B)/4\sqrt{n} \le \gamma\lambda_n(B)$. Theorem 5.19 There exist functions $q(n) = 2^{O(n)}$ and m(n) = n O(...