## Lattices that admit logarithmic worst-case to average-case connection factors (2007)

Venue: In STOC

Citations: 19 - 9 self

### BibTeX

@INPROCEEDINGS{Peikert07latticesthat,
    author = {Chris Peikert and Alon Rosen},
    title = {Lattices that admit logarithmic worst-case to average-case connection factors},
    booktitle = {In STOC},
    year = {2007},
    pages = {478--487}
}

### Abstract

We demonstrate an average-case problem which is as hard as finding $\gamma(n)$-approximate shortest vectors in certain $n$-dimensional lattices in the worst case, where $\gamma(n) = O(\sqrt{\log n})$. The previously best known factor for any class of lattices was $\gamma(n) = \tilde{O}(n)$.

To obtain our results, we focus on families of lattices having special algebraic structure. Specifically, we consider lattices that correspond to ideals in the ring of integers of an algebraic number field. The worst-case assumption we rely on is that in some $\ell_p$ length, it is hard to find approximate shortest vectors in these lattices, under an appropriate form of preprocessing of the number field. Our results build upon prior works by Micciancio (FOCS 2002), Peikert and Rosen (TCC 2006), and Lyubashevsky and Micciancio (ICALP 2006).

For the connection factors $\gamma(n)$ we achieve, the corresponding decisional promise problems on ideal lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation problems still appear to be very hard. Indeed, ideal lattices are well-studied objects in computational number theory, and the best known algorithms for them seem to perform no better than the best known algorithms for general lattices.

To obtain the best possible connection factor, we instantiate our constructions with infinite families of number fields having constant root discriminant. Such families are known to exist and are computable, though no efficient construction is yet known. Our work motivates the search for such constructions. Even constructions of number fields having root discriminant up to $O(n^{2/3-\epsilon})$ would yield connection factors better than the current best of $\tilde{O}(n)$.

### Citations

913 | A Course in Computational Algebraic Number Theory, Graduate Texts - Cohen - 1996 |

700 | Factoring polynomials with rational coefficients - Lenstra, Lenstra, et al. - 1982 |
Citation Context: ...lications introduce another, more pragmatic motivation for tightening the connection factor. The best known polynomial-time shortest vector algorithms produce only a $2^{\tilde{\Omega}(n)}$-approximate solution [29, 45], whereas the best algorithm for finding an optimal solution takes $2^{O(n)}$ time [5]. In addition, there are algorithms that allow trade-offs between running time and quality of approximation [45, 28]. I...

400 | Sphere Packings, Lattices and Groups - Conway, Sloane - 1999 |

206 | A Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence - Ajtai, Dwork |
Citation Context: ...that they actually yield cryptographic one-way functions and collision-resistant hash functions [22]. Even public-key encryption is attainable from certain worst-case hardness assumptions on lattices [4, 41, 42]. These cryptographic applications introduce another, more pragmatic motivation for tightening the connection factor. The best known polynomial-time shortest vector algorithms produce only a $2^{\tilde{\Omega}}$...

194 | On lattices, learning with errors, random linear codes, and cryptography - Regev |
Citation Context: ...d above, it is possible that explicit constructions of number fields might come with the required advice as a side-effect. A final interesting question is whether the public-key cryptosystem of Regev [44] can be adapted to work based on ideal lattices, with a corresponding improvement in its efficiency and connection factor. It seems plausible that this could be done without requiring the encryption a...

150 | A sieve algorithm for the shortest lattice vector problem - Ajtai, Kumar, et al. - 2001 |
Citation Context: ...actor. The best known polynomial-time shortest vector algorithms produce only a $2^{\tilde{\Omega}(n)}$-approximate solution [29, 45], whereas the best algorithm for finding an optimal solution takes $2^{O(n)}$ time [5]. In addition, there are algorithms that allow trade-offs between running time and quality of approximation [45, 28]. In practice, then, a loose connection factor may fail to guarantee security for re...

124 | Symmetric Bilinear Forms - Milnor, Husemoller - 1973 |

115 | The shortest vector problem in L2 is NP-hard for randomized reductions - Ajtai |

113 | A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms - Schnorr - 1987 |
Citation Context: ...Lenstra, Lenstra, and Lovász designed an efficient algorithm that approximates SVP to within a $2^{O(n)}$ factor [31] (which was later improved to $2^{O(n (\log\log n)^2 / \log n)}$ by Schnorr [47]). While the so-called LLL algorithm has proved to be useful in many diverse applications, its approximation factors are much too large to undermine the hardness assumption associated with Ajtai’s res...

90 | Generating hard instances of lattice problems (extended abstract) - Ajtai - 1996 |
Citation Context: ...own reductions for general lattices. 1 Introduction. In 1996, Ajtai established a remarkable connection between the worst-case and average-case complexity of certain computational problems on lattices [4]. He showed that approximating the length of the shortest nonzero vector in $n$-dimensional lattices to within a certain connection factor $\gamma(n) = \mathrm{poly}(n)$ in the worst case reduces to solving a related p...

83 | Worst-case to Average-case Reductions based on Gaussian Measures - Micciancio, Regev - 2004 |
Citation Context: ...ncreasingly large approximation factors [16, 32]. The current state of the art is defined by two powerful results: the first, by Micciancio and Regev, establishes a connection factor of $\gamma(n) = \tilde{O}(n)$ [36]. The second, by Khot, establishes the NP-hardness of approximating the shortest vector to within any constant factor [27]. The latter result already approaches the perceived limits on the hardness of...

81 | On the Limits of Non-Approximability of Lattice Problems - Goldreich, Goldwasser - 1998 |
Citation Context: ...d limits on the hardness of approximating the shortest vector, as NP-hardness beyond a certain $\Omega(\sqrt{n})$ factor would imply that NP $\subseteq$ coNP [1] (or NP $\subseteq$ coAM, for a certain $\Omega(\sqrt{n/\log n})$ factor [21]). Worst-case/average-case connections are also useful in arenas outside complexity theory. Ajtai's result and its successors go beyond average-case hardness, in that they actually yield cryptographic...

69 | New bounds in some transference theorems in the geometry of numbers - Banaszczyk - 1993 |
Citation Context: ... fields with constant root discriminant give rise to a large collection of lattices which exemplify the tightness (up to constant factor) of known transference theorems on lattices, in all $\ell_p$ lengths [8, 9]. This gives an alternative to a prior example by Conway and Thompson [37] for $\ell_2$ lengths. 1.6 Related Work. The idea of imposing special structure on lattices is not new. Some of the results in Ajta...

63 | Hardness of approximating the shortest vector problem in lattices - Khot - 2004 |
Citation Context: ...st, by Micciancio and Regev, establishes a connection factor of $\gamma(n) = \tilde{O}(n)$ [36]. The second, by Khot, establishes the NP-hardness of approximating the shortest vector to within any constant factor [27]. The latter result already approaches the perceived limits on the hardness of approximating the shortest vector, as NP-hardness beyond a certain $\Omega(\sqrt{n})$ factor would imply that NP $\subseteq$ coNP [1] (or ...

56 | An Improved Worst-Case to Average-Case Connection for Lattice Problems - Cai, Nerurkar - 1997 |
Citation Context: ...e the worst-case/average-case connection factor $\gamma(n)$ to a point at which the corresponding approximation problem is NP-hard. In pursuit of this goal, the connection factor was successively tightened [15, 35], and NP-hardness was established for increasingly large approximation factors [16, 32]. The current state of the art is defined by two powerful results: the first, by Micciancio and Regev, establishe...

56 | Collision-free hashing from lattice problems. Available from ECCC as - Goldreich, Goldwasser, et al. |
Citation Context: ...arenas outside complexity theory. Ajtai's result and its successors go beyond average-case hardness, in that they actually yield cryptographic one-way functions and collision-resistant hash functions [22]. Even public-key encryption is attainable from certain worst-case hardness assumptions on lattices [4, 41, 42]. These cryptographic applications introduce another, more pragmatic motivation for tight...

51 | The shortest vector in a lattice is hard to approximate to within some constant - Micciancio - 1998 |

47 | Generalized compact knapsacks, cyclic lattices, and efficient one-way functions - Micciancio |
Citation Context: ...t-case/average-case reduction inherits from a sequence of works starting with Ajtai's original paper [2] and the improvements proposed by Micciancio and Regev [36], as well as the works of Micciancio [34], Peikert and Rosen [40], and Lyubashevsky and Micciancio [31]. The latter works obtained efficient cryptographic primitives by generalizing the role of the integers in prior reductions, replacing the...

45 | Approximating shortest lattice vectors is not harder than approximating closest lattice vectors - Goldreich, Micciancio, et al. - 1999 |
Citation Context: ...st vector problem (SVP) to the closest vector problem (CVP), and from the exact search version of CVP to the exact decisional version of CVP. Analogous results were already known for general lattices [23], however these reductions do not preserve the "ideal" structure of their input lattices. (That is, the instances generated by the reduction are not necessarily ideal lattices, even if the input latti...

45 | New lattice-based cryptographic constructions - Regev |
Citation Context: ...that they actually yield cryptographic one-way functions and collision-resistant hash functions [22]. Even public-key encryption is attainable from certain worst-case hardness assumptions on lattices [4, 41, 42]. These cryptographic applications introduce another, more pragmatic motivation for tightening the connection factor. The best known polynomial-time shortest vector algorithms produce only a $2^{\tilde{\Omega}}$...

45 | Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices - Peikert, Rosen - 2006 |
Citation Context: ...ction inherits from a sequence of works starting with Ajtai’s original paper [4] and the improvements proposed by Micciancio and Regev [38], as well as the works of Micciancio [36], Peikert and Rosen [42], and Lyubashevsky and Micciancio [33]. The latter works generalized the role of the integers $\mathbb{Z}$ in prior reductions, replacing them with some “larger” ring to obtain efficient cryptographic primitives...

42 | Algorithms in algebraic number theory - Lenstra - 1992 |

41 | Generalized compact knapsacks are collision resistant - Lyubashevsky, Micciancio - 2006 |
Citation Context: ...s starting with Ajtai's original paper [2] and the improvements proposed by Micciancio and Regev [36], as well as the works of Micciancio [34], Peikert and Rosen [40], and Lyubashevsky and Micciancio [31]. The latter works obtained efficient cryptographic primitives by generalizing the role of the integers in prior reductions, replacing them with elements from some larger ring. (See Section 2 for deta...

32 | Almost perfect lattices, the covering radius problem, and applications to Ajtai’s connection factor - Micciancio |
Citation Context: ...e the worst-case/average-case connection factor $\gamma(n)$ to a point at which the corresponding approximation problem is NP-hard. In pursuit of this goal, the connection factor was successively tightened [15, 35], and NP-hardness was established for increasingly large approximation factors [16, 32]. The current state of the art is defined by two powerful results: the first, by Micciancio and Regev, establishe...

30 | Relativized Cryptography - Brassard - 1983 |
Citation Context: ...vectors in these lattices, under an appropriate form of preprocessing of the number field. ¹In fact, giving up on NP-hardness might even be necessary for constructing certain cryptographic primitives [12, 6]. For the connection factors we achieve, the corresponding decisional promise problems on these lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation proble...

30 | The hardness of the closest vector problem with preprocessing - Micciancio |
Citation Context: ...fixed choice of number field, and the non-uniform advice depends only on this choice (not on the input instance). Preprocessing is a standard notion for computational problems over codes and lattices [13, 33, 20], and it seems to be the proper way of stating problems in our setting, given that in real applications the number fields will be chosen well in advance of any particular problem instance. We remark t...

29 | On basing one-way functions on NP-hardness - Akavia, Goldreich, et al. - 2006 |
Citation Context: ...vectors in these lattices, under an appropriate form of preprocessing of the number field. ¹In fact, giving up on NP-hardness might even be necessary for constructing certain cryptographic primitives [12, 6]. For the connection factors we achieve, the corresponding decisional promise problems on these lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation proble...

27 | The hardness of decoding linear codes with preprocessing. Information Theory - Bruck, Naor - 1990 |
Citation Context: ...fixed choice of number field, and the non-uniform advice depends only on this choice (not on the input instance). Preprocessing is a standard notion for computational problems over codes and lattices [14, 35, 21], and it seems to be the proper way of stating problems in our setting, given that in real applications the number fields will be chosen well in advance of any particular problem instance. We remark t...

26 | The inapproximability of lattice and coding problems with preprocessing - Feige, Micciancio - 2004 |
Citation Context: ...fixed choice of number field, and the non-uniform advice depends only on this choice (not on the input instance). Preprocessing is a standard notion for computational problems over codes and lattices [13, 33, 20], and it seems to be the proper way of stating problems in our setting, given that in real applications the number fields will be chosen well in advance of any particular problem instance. We remark t...

24 | Tensor-based hardness of the shortest vector problem to within almost polynomial factors - Haviv, Regev - 2007 |
Citation Context: ...s result was improved in a series of works to hardness for any constant approximation factor unless NP $\not\subseteq$ RP [17, 34, 30], and for almost-polynomial factors $2^{\log^{1-\epsilon} n}$ unless NP $\not\subseteq$ RTIME($2^{\mathrm{polylog}(n)}$) [30, 29]. The latter results already approach the perceived limits on the hardness of approximating SVP, as NP-hardness beyond $O(\sqrt{n})$ factors would imply that NP $\subseteq$ coNP [3] (or NP $\subseteq$ coAM, for factors beyond ...

23 | Inequalities for convex bodies and polar reciprocal lattices in $\mathbb{R}^n$, Discrete Computational Geometry 13 - Banaszczyk - 1995 |
Citation Context: ... fields with constant root discriminant give rise to a large collection of lattices which exemplify the tightness (up to constant factor) of known transference theorems on lattices, in all $\ell_p$ lengths [8, 9]. This gives an alternative to a prior example by Conway and Thompson [37] for $\ell_2$ lengths. 1.6 Related Work. The idea of imposing special structure on lattices is not new. Some of the results in Ajta...

21 | Lattice problems in NP ∩ coNP - Aharonov, Regev - 2004 |
Citation Context: ...ess NP $\not\subseteq$ RTIME($2^{\mathrm{polylog}(n)}$) [30, 29]. The latter results already approach the perceived limits on the hardness of approximating SVP, as NP-hardness beyond $O(\sqrt{n})$ factors would imply that NP $\subseteq$ coNP [3] (or NP $\subseteq$ coAM, for factors beyond $O(\sqrt{n/\log n})$ [22]). In light of the above, improving the worst-case/average-case connection factor to $\gamma(n) = n^{1/2-\epsilon}$ appears problematic. In particular, it would im...

20 | Fast quantum algorithms for computing the unit group and class group of a number field - Hallgren |
Citation Context: ..."ideal reduction," which is, for example, an essential step in the computation of the unit group and class group of a number field (e.g., this is a reason why the recent quantum algorithm of Hallgren [26] is limited to fixed degree). Any efficient algorithm for finding a short element in ideal lattices in the worst case would be considered a major breakthrough in computational number theory [46, 10]. ...

20 | Limits on the hardness of lattice problems in $\ell_p$ norms - Peikert - 2007 |
Citation Context: ... of any $\ell_p$ length, $p \in [1, \infty]$. The connection factor is (essentially) the same for all $p$. This result relies upon an analysis of Gaussian distributions over lattices from a concurrent work by Peikert [41]. Our treatment of general $\ell_p$ lengths is partly motivated by a recent result of Regev and Rosen [45], who showed that worst-case lattice problems are easiest in the $\ell_2$ length (at least for general lat...

14 | On polynomial approximation to the shortest lattice vector length - Kumar, Sivakumar - 2002 |
Citation Context: ...on [29, 45], whereas the best algorithm for finding an optimal solution takes $2^{O(n)}$ time [5]. In addition, there are algorithms that allow trade-offs between running time and quality of approximation [45, 28]. In practice, then, a loose connection factor may fail to guarantee security for realistic values of the dimension. Indeed, one of the critiques of lattice-based cryptography is that the known lattic...

14 | Lattice problems and norm embeddings - Regev, Rosen - 2006 |
Citation Context: ...on the moments of sums of discrete Gaussians, yields an $D_K^{1.5} \cdot O(\sqrt{\log n})$ bound on the connection factor. Our treatment of general $\ell_p$ lengths is partly motivated by a recent result of Regev and Rosen [43], who showed that worst-case lattice problems are, at least for general lattices, at their easiest in $\ell_2$ length. In light of this fact, obtaining reductions for arbitrary $\ell_p$ lengths under a unified co...

14 | Algebraic Number Theory - Mollin - 1999 |
Citation Context: ...e review the necessary background in algebraic number theory. Due to lack of space, we will present most facts without proof (which can be found in any number of introductory books on the topic, e.g. [9, 40].) As new concepts are introduced, the reader may wish to follow along with an extended example which appears at the end of this section. An algebraic number ζ ∈ C is any root of some polynomial in Q[...

12 | Approximating the SVP to within a factor $(1 + 1/\dim^{\epsilon})$ is NP-hard under randomized reductions - Cai, Nerurkar - 1999 |
Citation Context: ...ctions). Ajtai first showed hardness for its exact version (in the Euclidean norm) [5]. This result was improved in a series of works to hardness for any constant approximation factor unless NP $\not\subseteq$ RP [17, 34, 30], and for almost-polynomial factors $2^{\log^{1-\epsilon} n}$ unless NP $\not\subseteq$ RTIME($2^{\mathrm{polylog}(n)}$) [30, 29]. The latter results already approach the perceived limits on the hardness of approximating SVP, as NP-hardness b...

8 | A New Transference Theorem in the Geometry of Numbers. Submitted to The - Cai - 1999 |
Citation Context: ...$\Lambda, \langle x, v \rangle \in \mathbb{Z}\}$. Banaszczyk's transference theorems give relations between properties of lattices and their duals, in both the standard $\ell_2$ length [8] and in general $\ell_p$ lengths [9]. Following Cai [14] in a straightforward manner, we can slightly generalize Banaszczyk's results to relate the length of a shortest basis for $\Lambda$ (under any $\ell_p$ length) to the minimum distance of $\Lambda^*$ (under the ...

7 | Introductory Algebraic Number Theory - Alaca, Williams - 2004 |
Citation Context: ...ecessary background in algebraic number theory. Due to lack of space, we will present most facts without proof (which may be found in any number of introductory books on algebraic number theory, e.g. [7, 38].) An algebraic number is any root of some polynomial $p(x) \in \mathbb{Q}[x]$. The minimal polynomial of an algebraic number $\zeta$ is the unique monic, irreducible polynomial $f(x) \in \mathbb{Q}[x]$ of minimal degree such that ...

6 | Approximating the SVP to within a factor $(1 + 1/\dim^{\epsilon})$ is NP-hard under randomized reductions - Cai, Nerurkar - 1999 |
Citation Context: ...ding approximation problem is NP-hard. In pursuit of this goal, the connection factor was successively tightened [15, 35], and NP-hardness was established for increasingly large approximation factors [16, 32]. The current state of the art is defined by two powerful results: the first, by Micciancio and Regev, establishes a connection factor of $\gamma(n) = \tilde{O}(n)$ [36]. The second, by Khot, establishes the NP-ha...

5 | Constructions of codes from number fields, in - Guruswami |
Citation Context: ...truction, we mean an efficient algorithm which, given n, outputs an explicit description of the degree-n number field from the family. Such constructions would also have applications in coding theory [30, 24]. It would be even nicer to find an explicit construction which provides, by design, the non-uniform advice that is needed by our reductions. A promising starting point is a construction due to Simon ...

4 | A table of totally complex number fields of small discriminants, Algorithmic number theory - Cohen, Diaz, et al. - 1998 |
Citation Context: ...nant. A review of the literature suggests that a fair amount of attention has been devoted to searching for number fields having highly-optimized root discriminants for small fixed degrees (see, e.g. [19]). To our knowledge, the problem of efficiently constructing good asymptotic families of number field has not received nearly as much attention. The best construction we know of is an infinite family ...

3 | Lattice problems in NP ∩ coNP - Aharonov, Regev - 1996 |
Citation Context: ...tor [27]. The latter result already approaches the perceived limits on the hardness of approximating the shortest vector, as NP-hardness beyond a certain $\Omega(\sqrt{n})$ factor would imply that NP $\subseteq$ coNP [1] (or NP $\subseteq$ coAM, for a certain $\Omega(\sqrt{n/\log n})$ factor [21]). Worst-case/average-case connections are also useful in arenas outside complexity theory. Ajtai's result and its successors go beyond aver...

3 | Full version - Springer - 2005 |

2 | Codes from algebraic number fields - Lenstra - 1986 |
Citation Context: ...truction, we mean an efficient algorithm which, given n, outputs an explicit description of the degree-n number field from the family. Such constructions would also have applications in coding theory [30, 24]. It would be even nicer to find an explicit construction which provides, by design, the non-uniform advice that is needed by our reductions. A promising starting point is a construction due to Simon ...

2 | New connections between derandomization, worst-case complexity and average-case complexity - Gutfreund, Ta-Shma - 2006 |
Citation Context: ...re significantly new ideas [8]. Going even further to, say, $\gamma(n) = \mathrm{polylog}(n)$ would imply cryptography based on quasiNP-hardness, a feat which appears far beyond our current capabilities. (Though see [26] for an interesting first step in this direction.) Note that all the perceived barriers to improving the connection factor are based on the complexity of the decision version of SVP. However, Ajtai’s ...

1 | A Panorama of Number Theory Or The View from Baker’s Garden, chapter 11 - Bayer-Fluckiger - 2002 |
Citation Context: ...lgren [26] is limited to fixed degree). Any efficient algorithm for finding a short element in ideal lattices in the worst case would be considered a major breakthrough in computational number theory [46, 10]. Finally, the LLL and related algorithms for general lattices seem to perform no better on ideal lattices. It is hard to qualitatively compare our results with the known results on general lattices. ...

1 | On class field towers, chapter IX - Roquette - 1967 |
Citation Context: ...where $\gamma(n) = D^{1.5} \cdot O(\sqrt{\log n})$. It is a known fact of algebraic number theory that there exist computable infinite families of number fields (of increasing degree $n$) having constant root discriminant [44], though no efficient construction is yet known. In lattices defined over these families, therefore, we obtain a connection factor of $O(\sqrt{\log n})$. More generally, any family of number fields whose root ...

1 | Construction de polynômes de petits discriminants. Comptes Rendus de l'Académie des - Simon - 1999 |
Citation Context: ...families of number field has not received nearly as much attention. The best we know of is an infinite family of cyclotomic number fields having root discriminants as small as $O(n(\log\log n)/(\log n))$ [46]. As mentioned above, families having root discriminants even up to $O(n^{2/3-\epsilon})$ would yield improved connection factors. In some sense, the current state of affairs is not unlike the early days of cod...