@MISC{Regev_average-casehardness, author = {Lecturer Oded Regev and Scribe Elad Verbin}, title = {Average-case Hardness}, year = {} }

Abstract

Traditionally, lattices were used as tools in cryptanalysis, that is, as tools for breaking cryptographic schemes. We have seen an example of such an application in a previous lecture. In 1996, Ajtai made a surprising discovery: lattices can be used to construct cryptographic schemes [1]. His seminal work sparked great interest in understanding the complexity of lattice problems and their relation to cryptography.

Ajtai’s discovery is interesting for another reason: the security of his cryptographic scheme is based on the worst-case hardness of lattice problems. What this means is that if one succeeds in breaking the cryptographic scheme, even with some small probability, then one can also solve any instance of a certain lattice problem. This remarkable property is what makes lattice-based cryptographic constructions so attractive. In contrast, virtually all other cryptographic constructions are based on some average-case assumption. For example, in cryptographic constructions based on factoring, the assumption is that it is hard to factor numbers chosen from a certain distribution. But how should we choose this distribution? Obviously, we should not use numbers with small factors (such as even numbers), but perhaps there are other numbers that we should avoid? In cryptographic constructions based on worst-case hardness, such questions do not even arise.

Let us describe Ajtai’s result more precisely. The cryptographic construction given in [1] is known as a