On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

  • Vadim Lyubashevsky
  • Daniele Micciancio
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5677)

Abstract

We prove the equivalence, up to a small polynomial approximation factor \(\sqrt{n/\log n}\), of the lattice problems uSVP (unique Shortest Vector Problem), BDD (Bounded Distance Decoding) and GapSVP (the decision version of the Shortest Vector Problem). This resolves a long-standing open problem about the relationship between uSVP and the more standard GapSVP, as well as the BDD problem commonly used in coding theory. The main cryptographic application of our work is the proof that the Ajtai-Dwork ([2]) and the Regev ([33]) cryptosystems, which were previously only known to be based on the hardness of uSVP, can be equivalently based on the hardness of worst-case GapSVP\(_{O(n^{2.5})}\) and GapSVP\(_{O(n^{2})}\), respectively. Also, in the case of uSVP and BDD, our connection is very tight, establishing the equivalence (within a small constant approximation factor) between the two most central problems used in lattice-based public-key cryptography and coding theory.

References

  1. Ajtai, M.: Generating hard instances of lattice problems. In: STOC, pp. 99–108 (1996)
  2. Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: STOC (1997); An improved version is described in ECCC 2007 (2007)
  3. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)
  4. Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
  5. Cai, J.Y.: A relation of primal-dual lattices and the complexity of shortest lattice vector problem. Theor. Comput. Sci. 207(1), 105–116 (1998)
  6. Cai, J.Y.: On the average-case hardness of CVP. In: FOCS, pp. 308–317 (2001)
  7. Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008)
  8. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices, and new cryptographic constructions. In: STOC (2008)
  9. Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci. 60(3), 540–563 (2000)
  10. Goldreich, O., Goldwasser, S., Halevi, S.: Collision-free hashing from lattice problems. In: Electronic Colloquium on Computational Complexity (ECCC) (1996)
  11. Goldreich, O., Goldwasser, S., Halevi, S.: Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 105–111. Springer, Heidelberg (1997)
  12. Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997)
  13. Goldreich, O., Micciancio, D., Safra, S., Seifert, J.P.: Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Information Processing Letters 71(2), 55–61 (1999)
  14. Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. In: STOC, pp. 469–477 (2007)
  15. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
  16. Impagliazzo, R.: A personal view of average-case complexity. In: Structure in Complexity Theory Conference, pp. 134–147 (1995)
  17. Kannan, R.: Algorithmic geometry of numbers. Annual Review of Computer Science 2, 231–267 (1987)
  18. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008)
  19. Khot, S.: Hardness of approximating the shortest vector problem in lattices. In: FOCS, pp. 126–135 (2004)
  20. Klivans, A., Sherstov, A.: Cryptographic hardness for learning intersections of halfspaces. In: FOCS, pp. 553–562 (2006)
  21. Kumar, R., Sivakumar, D.: On the unique shortest lattice vector problem. Theor. Comput. Sci. 255(1-2), 641–648 (2001)
  22. Lagarias, J.C., Odlyzko, A.M.: Solving low density subset sum problems. Journal of the ACM 32, 229–246 (1985)
  23. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen (261), 513–534 (1982)
  24. Liu, Y.-K., Lyubashevsky, V., Micciancio, D.: On bounded distance decoding for general lattices. In: Díaz, J., Jansen, K., Rolim, J.D.P., Zwick, U. (eds.) APPROX 2006 and RANDOM 2006. LNCS, vol. 4110, pp. 450–461. Springer, Heidelberg (2006)
  25. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008)
  26. Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 37–54. Springer, Heidelberg (2008)
  27. Micciancio, D.: Efficient reductions among lattice problems. In: SODA, pp. 84–93 (2008)
  28. Micciancio, D., Goldwasser, S.: Complexity Of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Publishers, Dordrecht (2002)
  29. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. on Computing 37(1), 267–302 (2007)
  30. Micciancio, D., Vadhan, S.: Statistical zero-knowledge proofs with efficient provers: Lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003)
  31. Nguyen, P.Q.: Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto 1997. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 288–304. Springer, Heidelberg (1999)
  32. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: STOC (2009)
  33. Regev, O.: New lattice-based cryptographic constructions. J. ACM 51(6), 899–942 (2004)
  34. Regev, O.: Quantum computation and lattice problems. SIAM J. Comput. 33(3), 738–760 (2004)
  35. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Vadim Lyubashevsky (1)
  • Daniele Micciancio (2)

  1. School of Computer Science, Tel Aviv University, Tel Aviv, Israel
  2. Computer Science and Engineering Department, University of California at San Diego, La Jolla, USA
