Generalized compact knapsacks, cyclic lattices, and efficient one-way functions (2007)
Cached
Download Links
- [www-cse.ucsd.edu]
- [charlotte.ucsd.edu]
- [cseweb.ucsd.edu]
- [cseweb.ucsd.edu]
- [eprint.iacr.org]
- DBLP
Other Repositories/Bibliography
| Venue: | In STOC |
| Citations: | 72 - 9 self |
BibTeX
@INPROCEEDINGS{Micciancio07generalizedcompact,
author = {Daniele Micciancio},
title = {Generalized compact knapsacks, cyclic lattices, and efficient one-way functions},
booktitle = {In STOC},
year = {2007},
pages = {33--43}
}
Share
 |
 |
 |
 |
||
OpenURL
Abstract
We investigate the average-case complexity of a generalization of the compact knapsack problem to arbitrary rings: given m (random) ring elements a1,..., am ∈ R and a (random) target value b ∈ R, find coefficients x1,..., xm ∈ S (where S is an appropriately chosen subset of R) such that P ai · xi = b. We consider compact versions of the generalized knapsack where the set S is large and the number of weights m is small. Most variants of this problem considered in the past (e.g., when R = Z is the ring of the integers) can be easily solved in polynomial time even in the worst case. We propose a new choice of the ring R and subset S that yields generalized compact knapsacks that are seemingly very hard to solve on the average, even for very small values of m. Namely, we prove that for any unbounded function m = ω(1) with arbitrarily slow growth rate, solving our generalized compact knapsack problems on the average is at least as hard as the worst-case instance of various approximation problems over cyclic lattices. Specific worst-case lattice problems considered in this paper are the shortest independent vector problem SIVP and the guaranteed distance decoding problem GDD (a variant of the closest vector problem, CVP) for approximation factors n 1+ǫ almost linear in the dimension of the lattice. Our results yield very efficient and provably secure one-way functions (based on worst-case complexity assumptions) with key size and time complexity almost linear in the security parameter n. Previous constructions with similar security guarantees required quadratic key size and computation time. Our results can also be formulated as a connection between the worst-case and average-case complexity of various lattice problems over cyclic and quasi-cyclic lattices.
Keyphrases
cyclic lattice compact knapsack efficient one-way function average-case complexity compact knapsack problem ring element a1 specific worst-case lattice problem similar security guarantee arbitrary ring quadratic key size small value vector problem key size compact version time complexity computation time provably secure one-way function security parameter target value approximation factor new choice various approximation problem worst-case complexity assumption worst-case instance slow growth rate unbounded function guaranteed distance polynomial time various lattice problem generalized knapsack shortest independent vector problem sivp quasi-cyclic lattice problem gdd previous construction
