## Generalized compact knapsacks, cyclic lattices, and efficient one-way functions (2007)

Venue: In STOC

Citations: 50 (8 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Micciancio07generalizedcompact,
  author    = {Daniele Micciancio},
  title     = {Generalized compact knapsacks, cyclic lattices, and efficient one-way functions},
  booktitle = {In STOC},
  year      = {2007},
  pages     = {33--43}
}
```

### Abstract

We investigate the average-case complexity of a generalization of the compact knapsack problem to arbitrary rings: given m (random) ring elements a_1, ..., a_m ∈ R and a (random) target value b ∈ R, find coefficients x_1, ..., x_m ∈ S (where S is an appropriately chosen subset of R) such that Σ a_i · x_i = b. We consider compact versions of the generalized knapsack where the set S is large and the number of weights m is small. Most variants of this problem considered in the past (e.g., when R = Z is the ring of the integers) can be easily solved in polynomial time even in the worst case. We propose a new choice of the ring R and subset S that yields generalized compact knapsacks that are seemingly very hard to solve on the average, even for very small values of m. Namely, we prove that for any unbounded function m = ω(1) with arbitrarily slow growth rate, solving our generalized compact knapsack problems on the average is at least as hard as the worst-case instance of various approximation problems over cyclic lattices. Specific worst-case lattice problems considered in this paper are the shortest independent vector problem SIVP and the guaranteed distance decoding problem GDD (a variant of the closest vector problem, CVP) for approximation factors n^{1+ε} almost linear in the dimension of the lattice. Our results yield very efficient and provably secure one-way functions (based on worst-case complexity assumptions) with key size and time complexity almost linear in the security parameter n. Previous constructions with similar security guarantees required quadratic key size and computation time. Our results can also be formulated as a connection between the worst-case and average-case complexity of various lattice problems over cyclic and quasi-cyclic lattices.
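The generalized compact knapsack function of the abstract, as an added example (not code from the paper): the ring is R = Z_p[X]/(X^n − 1), the ring behind the paper's cyclic lattices (known from the paper, not stated in the abstract above), S is the set of polynomials with coefficients in {0, ..., D}, and the concrete n, p, D, m are constructed toy values, far too small for any security.

```python
import math
from typing import List

# Constructed toy parameters (far too small for real security): ring dimension n,
# modulus p, coefficient bound D defining S = {x : all coefficients in 0..D},
# and the number of weights m. The ring R = Z_p[X]/(X^n - 1) is the paper's.
N, P, D, M = 8, 13, 1, 4

Poly = List[int]  # N coefficients mod P; index i is the coefficient of X^i

def ring_mul(f: Poly, g: Poly) -> Poly:
    """Product in Z_P[X]/(X^N - 1): a cyclic convolution, X^N wraps to X^0."""
    h = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[(i + j) % N] = (h[(i + j) % N] + fi * gj) % P
    return h

def rotate(f: Poly) -> Poly:
    """Multiplying by X cyclically shifts the coefficients, so every ideal of R
    (and the integer lattice it defines) is closed under rotation: a cyclic lattice."""
    return ring_mul([0, 1] + [0] * (N - 2), f)

def in_S(x: Poly) -> bool:
    """Membership in the small-coefficient subset S of R."""
    return len(x) == N and all(0 <= c <= D for c in x)

def knapsack(a: List[Poly], x: List[Poly]) -> Poly:
    """The one-way function f_a(x) = sum_i a_i * x_i evaluated in R."""
    if len(a) != M or len(x) != M or not all(in_S(xi) for xi in x):
        raise ValueError("need m weights and m coefficients from S")
    acc = [0] * N
    for ai, xi in zip(a, x):
        acc = [(s + t) % P for s, t in zip(acc, ring_mul(ai, xi))]
    return acc

def verify(a: List[Poly], x: List[Poly], b: Poly) -> bool:
    """Checks a claimed preimage: every x_i lies in S and sum a_i * x_i = b.
    Finding such an x from (a, b) is the generalized compact knapsack problem."""
    return all(in_S(xi) for xi in x) and knapsack(a, x) == b

def key_bits() -> int:
    """Key size m * n * log2(p) bits: with m = omega(1) growing arbitrarily
    slowly this is almost linear in n, the point made in the abstract."""
    return M * N * math.ceil(math.log2(P))
```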

### Citations

741 | Pseudo-random generation from one-way functions (extended abstract)
- Impagliazzo, Levin, et al.
- 1989
Citation Context: ...es other than one-way functions and collision resistant hash functions. One-way functions are known to be sufficient to build many other useful cryptographic primitives, like pseudo-random generators [21, 24], one-way hash functions [50], commitment schemes [49], digital signature schemes [61], or private key encryption schemes [20]. However, these generic constructions are rather inefficient, so with th...

650 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context: ...other useful cryptographic primitives, like pseudo-random generators [21, 24], one-way hash functions [50], commitment schemes [49], digital signature schemes [61], or private key encryption schemes [20]. However, these generic constructions are rather inefficient, so with their use most of the efficiency benefits of our compact knapsack function would be lost. We leave as an open problem the constru...

379 | A hard-core predicate for all one-way functions
- Goldreich, Levin
- 1989
Citation Context: ...es other than one-way functions and collision resistant hash functions. One-way functions are known to be sufficient to build many other useful cryptographic primitives, like pseudo-random generators [21, 24], one-way hash functions [50], commitment schemes [49], digital signature schemes [61], or private key encryption schemes [20]. However, these generic constructions are rather inefficient, so with th...

237 | On Lovász' lattice reduction and the nearest lattice point problem
- Babai
- 1986
Citation Context: ...ced basis satisfies ‖S‖ ≤ 2^n λ_n(L(B)), i.e., it solves SIVP_γ for approximation factors γ(n) = 2^n. A well known method to find lattice points close to a given target is Babai's nearest plane algorithm [7]. This is a polynomial time algorithm that on input a lattice S and a target point t, finds a lattice vector x ∈ L(S) within distance ‖x − t‖ ≤ (√n/2)‖S‖ from the target. Notice that the quality of t...

209 | A Public-key Cryptosystem with Worst-case/average-case Equivalence
- Ajtai, Dwork
- 1997
Citation Context: ...ty assumptions). Still, based on the similarities between NTRU and other lattice-based cryptosystems [42], we hope that, as Ajtai's one-way function [2] inspired the design of public-key cryptosystems [3, 59], our work will provide a starting point for the design of efficient and provably secure public-key cryptosystems based on cyclic lattices. Proving the security of NTRU, or finding alternative ways to...

167 | Generating hard instances of lattice problems
- Ajtai
- 2004
Citation Context: ...ly questioned the security of the systems either in theory or in practice. Recently, knapsack-like cryptographic functions have started attracting again considerable attention after Ajtai's discovery [2] that the generalized subset-sum problem (over the additive group Z_p^n of n-dimensional vectors modulo p) is provably hard to solve on the average based on a worst-case intractability assumption about...

156 | The hardness of approximate optima in lattices, codes, and systems of linear equations
- Arora, Babai, et al.
- 1993
Citation Context: ...r randomized reductions) to approximate within any constant factor [1, 43, 32], while the closest vector problem (CVP) is NP-hard to approximate even within quasi polynomial factors n^{O(1/log log n)} [67, 6, 15]. These results support the conjecture that lattice problems are hard to solve in the worst case, at least for arbitrary lattices. It is natural to ask whether lattice problems remain hard even when t...

155 | A Sieve Algorithm for the Shortest Lattice Vector Problem
- Ajtai, Kumar, et al.
Citation Context: ...tor γ(n) = √n · 2^n. Slightly better approximations (namely, for slightly subexponential factors 2^{O(n log log n / log n)}) can be computed in (probabilistic) polynomial time using more complex algorithms [62, 4], but they offer no advantages in the context of our paper. 2.4 Gaussian distributions We use the Gaussian distribution techniques recently introduced in [48] to simplify and improve the results descr...

119 | The Shortest Vector Problem in L2 is NP-hard for Randomized Reductions (Extended Abstract)
- Ajtai
Citation Context: ... approximation versions for sufficiently small approximation factors. For example, the shortest vector problem (SVP) is NP-hard (under randomized reductions) to approximate within any constant factor [1, 43, 32], while the closest vector problem (CVP) is NP-hard to approximate even within quasi polynomial factors n^{O(1/log log n)} [67, 6, 15]. These results support the conjecture that lattice problems are ha...

71 | On the existence of statistically hiding bit commitment schemes and fail-stop signatures
- Damgård, Pedersen, et al.
- 1997
Citation Context: ...38, 57], where it is shown that a simple variant of the function proposed in this paper is collision resistant, and therefore also a one-way hash function. We also observe that by standard reductions [50, 14], the collision resistant hash function of [57, 38] also yields efficient constructions of (statistically hiding) commitment schemes based on the worst-case hardness of cyclic lattices. Finally, and p...

64 | Approximating CVP to within almost-polynomial factors is NP-hard
- Dinur, Kindler, et al.
- 1998
Citation Context: ...r randomized reductions) to approximate within any constant factor [1, 43, 32], while the closest vector problem (CVP) is NP-hard to approximate even within quasi polynomial factors n^{O(1/log log n)} [67, 6, 15]. These results support the conjecture that lattice problems are hard to solve in the worst case, at least for arbitrary lattices. It is natural to ask whether lattice problems remain hard even when t...

58 | Collision-free hashing from lattice problems
- Goldreich, Goldwasser, et al.
- 1996
Citation Context: ...perspective, since it establishes a connection between the worst-case and average-case complexity of solving various lattice problems on (quasi-)cyclic lattices. This is analogous to previous results [2, 10, 19, 46, 48] connecting the worst-case and average-case complexity of problems on arbitrary lattices, but adapted to the special class of lattices with (quasi-)cyclic structure. Related work. The first constructi...

56 | An Improved Worst-Case to Average-Case Connection for Lattice Problems
- Cai, Nerurkar
- 1997
Citation Context: ...he lattice. This results in strong one-way functions with average-case security guarantees based on a worst-case intractability assumption similar to Ajtai's function [2] (and subsequent improvements [10, 46, 48]), but with a much smaller key size O(m log p^n) = ω(1) · n log n, where ω(1) is an unbounded function with arbitrarily slow growth rate. (For comparison, [2, 10, 46, 48] require m(n) = Ω(n log n), and...

56 | NTRU: a ring based public key cryptosystem
- Hoffstein, Pipher, et al.
- 1998
Citation Context: ... function may not be so out of reach. We remark that the class of cyclic lattices used in this paper is related to (although different from) the class of "convolutional modular lattices" used by NTRU [25], a commercial public-key cryptosystem based on lattices. Specifically, the lattices used by NTRU can be described as quasi-cyclic lattices of order 2, i.e., lattices that are invariant under cyclic s...

41 | A knapsack-type public key cryptosystem based on arithmetic in finite fields
- Chor, Rivest
- 1988

33 | Breaking Iterated Knapsacks
- Brickell
- 1985
Citation Context: ...d Hellman [40] in the late 70's was immediately followed by intensive cryptanalytic efforts that culminated in the early 80's with the total break of the system in its basic [65] and iterated version [9]. Still, the possibility of building cryptographic functions based on NP-hard problems, and the relatively high speed at which numbers can be added up (compared to modular multiplication and exponenti...

30 | On the complexity of computing short linearly independent vectors and short bases in a lattice
- Blömer, Seifert
- 1999
Citation Context: ...VP^φ_γ, given an n-dimensional lattice B, asks for a set of n linearly independent lattice vectors S ⊂ L(B) such that ‖S‖ ≤ γ(n) · φ(L(B)). The shortest independent vectors problem SIVP_γ (studied in [8] and used in [2, 10, 46, 48] as a source of computational hardness) corresponds to SIVP^φ_γ with φ = λ_n. Another problem that will play a fundamental role in this paper is the following. Definition 2....

27 | Maximum-likelihood decoding of Reed–Solomon codes is NP-hard
- Guruswami, Vardy
Citation Context: ...ynomial time algorithm is known for many computational problems on cyclic codes (or lattices). A very recent result somehow suggesting that no such polynomial time algorithm may exist is the proof in [23] that the nearest codeword problem (the coding analogue of the closest vector problem for lattices) for appropriately shortened Reed-Solomon codes is NP-hard. Reed-Solomon codes are a well known class...

26 | The inapproximability of lattice and coding problems with preprocessing
- Feige, Micciancio
- 2004
Citation Context: ...yclic lattices NP-hard? What about the closest vector problem on cyclic lattices? Is the closest vector problem NP-hard even for fixed families of cyclic lattices as shown (for arbitrary lattices) in [41, 16, 58]? Organization The rest of the paper is organized as follows. In Section 2 we recall basic notation, definitions and results needed in this paper. In Section 3 we prove two preliminary lemmas about cy...

17 | Cryptanalysis of the revised NTRU signature scheme
- Gentry, Szydlo
- 2002
Citation Context: ...r how to exploit the cyclic structure of the lattice in state of the art lattice algorithms, e.g., lattice basis reduction. The only algorithmic results related to cyclic lattices we are aware of are [39, 26, 66, 18]. The first paper [39] shows how the solution of certain lattice problems can be speeded up by a factor n when the lattice is cyclic of dimension n. This is a quite modest improvement since the runnin...

10 | Solving medium-density subset sum problems in expected polynomial time
- Flaxman, Przydatek
- 2005
Citation Context: ...sack problem modulo p, which can be efficiently solved in the worst case for any polynomially bounded p(n) = n^{O(1)} by dynamic programming, and on the average for p(n) = n^{O(log n)} using the methods in [17, 37]. Our contribution. The main contribution of this paper is the study of a new class of compact knapsack functions f_a(x) = Σ_i a_i · x_i that are provably hard to invert in a very strong sense, even when ...

5 | Compact Knapsacks are Polynomial Solvable
- Amirazizi, Karnin, et al.
- 1983
Citation Context: ... as a method to increase the bandwidth of the scheme. These early attempts to reduce the key size of knapsack based functions were subject to attacks even more devastating than the general case: in [5] it is observed that the problem easily reduces to an integer programming instance with O(m) variables, and therefore it can be solved in polynomial time for any constant value of m(n) = O(1), or even...

4 | A New Trapdoor Knapsack Public Key Cryptosystem
- Goodman, McAuley
- 1985
Citation Context: ...t necessarily reflect the views of the National Science Foundation. operations required by number theoretic functions), prompted many researchers to suggest variants, fixes, and improvements (e.g., [22, 11]) to the initial Merkle-Hellman proposal. These efforts, which lasted for more than a decade, were invariably followed by attacks (e.g., [29, 64, 51, 55]) that seriously questioned the security of the...

2 | Cryptanalysis of a public key system based on Diophantine equations
- Cusick
- 1995
Citation Context: ...function m(n) = O(log n / log log n). Attempts to use compact knapsacks to design efficient cryptographic functions persisted during the 90's [56, 36], but were always followed by cryptanalytic attacks [60, 13, 34]. In this paper we introduce and study a new class of compact knapsacks which are both very efficient and provably hard to solve in a strong sense similar to Ajtai's function [2]. The one-way function...

2 | A method to solve cyclotomic norm equations
- Howgrave-Graham, Szydlo
- 2004
Citation Context: ...r how to exploit the cyclic structure of the lattice in state of the art lattice algorithms, e.g., lattice basis reduction. The only algorithmic results related to cyclic lattices we are aware of are [39, 26, 66, 18]. The first paper [39] shows how the solution of certain lattice problems can be speeded up by a factor n when the lattice is cyclic of dimension n. This is a quite modest improvement since the runnin...