Generating Hard Generating Hard instances of Lattice instances of Lattice ProblemsProblems

Generating Hard Generating Hard Instances of Lattice Instances of Lattice

ProblemsProblems

byby

M. AjtaiM. Ajtai

Generating Hard Generating Hard InstancesInstances

• There are many hard problems.There are many hard problems.

• Can we Can we generategenerate hard instances of hard instances of those problems ? (good for those problems ? (good for cryptography).cryptography).

• We need a distribution over the We need a distribution over the instances which, at least on the instances which, at least on the average, gives hard instances.average, gives hard instances.

Distribution of Hard Distribution of Hard InstancesInstances

• Even if worst cases are hard, the Even if worst cases are hard, the average average casecase may be easy. may be easy.

• ExamplesExamples: Coloring number of a random : Coloring number of a random graph, minimal-monotone-SAT, 3-SAT(?).graph, minimal-monotone-SAT, 3-SAT(?).

• DefinitionDefinition: An instance distribution is a : An instance distribution is a function function (n)(n), which obtains for each , which obtains for each nn, a , a distribution of instances.distribution of instances.

Reduction to Average Reduction to Average CaseCase

• To show To show generates hard instances of a generates hard instances of a problem problem PP, we reduce a hard problem to it., we reduce a hard problem to it.

• An An average case oracleaverage case oracle for for PP, solves , solves PP on on (n)(n), for all , for all nn, with probability , with probability 1/21/2..

• A (random) algorithm is a reduction from A (random) algorithm is a reduction from L L to the average caseto the average case of of PP, if it solves any , if it solves any instance of instance of LL with probability with probability 1/21/2, using an , using an average case oracle for average case oracle for PP..

InstanceOracle

(n)n Oracle

Trash

Trash

Solution

Hard Average ProblemsHard Average Problems

• A problem is A problem is hard on the averagehard on the average, if we , if we can reduce some hard (preferably NP-can reduce some hard (preferably NP-complete) problem, to its average case.complete) problem, to its average case.

• Graph isomorphism can be reduced to its Graph isomorphism can be reduced to its average case.average case.

• But no graph isomorphism cryptosystem But no graph isomorphism cryptosystem exists - we need a exists - we need a trap doortrap door..

LatticesLattices

• The lattice The lattice L(aL(a11,..,a,..,ann)) in the Euclidean in the Euclidean space, space, RRnn,is the additive group ,is the additive group generated by generated by {a{a11,..,a,..,ann}}..

• L(aL(a11,..,a,..,ann) ) is a discrete subgroup of is a discrete subgroup of RRnn..

• {a{a11,..,a,..,ann}} is a is a lattice baseslattice bases of of L(aL(a11,..,a,..,ann))..

• LL has many other bases. has many other bases.

The vectors must form a basis in Rn

Measuring Stuff in a Measuring Stuff in a Lattice Lattice LL

• Unit(L)Unit(L): “The tiler volume”.: “The tiler volume”.

• sv(L)sv(L): The length of the : The length of the shortest non-shortest non-zero vectorzero vector in in LL..

• A A basisbasis length is the maximal norm of length is the maximal norm of the basis vectors.the basis vectors.

• bl(L)bl(L): The length of the shortest basis of : The length of the shortest basis of LL..

Lattice Problems..Lattice Problems..

• SVPSVP: Given a lattice : Given a lattice L(aL(a11,..,a,..,ann)), find the , find the length of the shortest vector.length of the shortest vector.

• Unique-SVPUnique-SVP: Given a lattice : Given a lattice L(aL(a11,..,a,..,ann)), , find a shortest vector, given that it is find a shortest vector, given that it is unique.unique.

• Given a lattice Given a lattice L(aL(a11,..,a,..,ann)), find a shortest , find a shortest basis.basis.

Lattice Problems - HistoryLattice Problems - History

• [Dirichle[Dirichlett, Minkowsky], Minkowsky] Upper bounds on Upper bounds on sv(L)sv(L)..

• [LLL][LLL] Approximation algorithm for Approximation algorithm for SVPSVP, factor , factor 22n/2n/2

• [Schnorr][Schnorr] Improved factor, Improved factor, (1+(1+))nn for both for both CVPCVP and and SVPSVP

• [[Ajtai96]:Ajtai96]: Average-case/worst-case Average-case/worst-case equivalence for equivalence for SVPSVP..

• [Ajtai-Dwork96]:[Ajtai-Dwork96]: Cryptosystem Cryptosystem

Lattice Problems - HistoryLattice Problems - History

• [Ajtai97]:[Ajtai97]: SVPSVP is is NPNP-hard.-hard.

• [Micc98]:[Micc98]: SVPSVP is hard to approximate within is hard to approximate within some constant.some constant.

• [GG]:[GG]: Approximating Approximating SVPSVP to within to within nn is in is in coAMcoAMNPNP..

The Ajtai-Dwork The Ajtai-Dwork CryptosystemCryptosystem

We will Show..We will Show..

• We reduce shortest-bases-We reduce shortest-bases-approximation of factor approximation of factor nn10+c10+c to the to the average case average case SVPSVP-approximation of -approximation of factor factor nncc..

• SVPSVP and and Unique-SVPUnique-SVP approx. are approx. are reducible to shortest basis, so reducible to shortest basis, so similar results apply to them.similar results apply to them.

Average-Case DistributionAverage-Case Distribution

• Pick an Pick an n*mn*m matrix, with coefficients matrix, with coefficients uniformly ranging over uniformly ranging over [0,…,q-1][0,…,q-1]..

q n n nc[ ] log1 m = [c ]2

( ) |n x m Z Ax 0 (mod q)

1 q

1 q

v2

v4

v3

v1

2v1+v4

(2,0,0,1)(2,0,0,1)

(1,1,1,0)(1,1,1,0)q(a,b,c,d)q(a,b,c,d)

Reduction From the Reduction From the Shortest Basis ProblemShortest Basis Problem

1.1. Start with a given bases.Start with a given bases.

2.2. Try to halve it using the oracle.Try to halve it using the oracle.

3.3. If succeeded - go back to If succeeded - go back to section 2.section 2.It remains to show how to It remains to show how to

halve a bases, using the halve a bases, using the oracle, given that it is oracle, given that it is nn8+c8+c

times longer than the times longer than the shortest bases.shortest bases.

Halving the BasisHalving the Basis

1.1. We generate an instance with We generate an instance with distribution distribution (n)(n). .

2.2. The solution of this instance will obtain The solution of this instance will obtain a “random” vector in a “random” vector in LL, considerably , considerably shorter than the current bases length.shorter than the current bases length.

3.3. Doing it Doing it nn times will form a short times will form a short linearlinear basis.basis.

4.4. We transform it to a We transform it to a latticelattice basis. basis.

Generating a Short VectorGenerating a Short Vector

• We find a lattice We find a lattice LL11, so close pairs , so close pairs (u,v)(u,v)LL11xLxL are easy to find. are easy to find.

• We find We find mm such such (u,v)(u,v) pairs. pairs.

• We find small coefficients We find small coefficients hh11,…,,…,hhnn, , such thatsuch that

• is our short vector. is our short vector.

m = [c ]2n nlog

hii=1

m

( , )u vi i L L

hii=1

m

( )u vi i