Oded Goldreich and Shafi Goldwasser. On the limits of non-approximability of lattice problems. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pages 1--9. Dallas, Texas, 23--26 May 1998.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....shown to be NPhard as early as in 1981 [49] for a much simpler one line proof using the knapsack problem, see [100] Approximating CVP to within a quasi polynomial factor 2 log 1 Gamma is NP hard [7, 45] However, NP hardness results for SVP and CVP have limits. Goldreich and Goldwasser [58] showed that approximating SVP or CVP to within d= log d is not NP hard, unless the polynomial time hierarchy collapses. Interestingly, SVP and CVP problems seem to be more difficult with the infinity norm. It was shown that SVP1 and CVP1 are NP hard in 1981 [49] In fact, approximating ....

....Interestingly, SVP and CVP problems seem to be more difficult with the infinity norm. It was shown that SVP1 and CVP1 are NP hard in 1981 [49] In fact, approximating SVP1 CVP1 to within an almost polynomial factor 1= log log d is NP hard [44] On the other hand, Goldreich and Goldwasser [58] showed that approximating SVP1 CVP1 to within d= log d is not NP hard, unless the polynomial time hierarchy collapses. We will not discuss Ajtai s worst case average case equivalence [3, 33] which refers to special versions of SVP and SBP (see [30, 31, 14] such as SVP when the lattice gap 2 = ....

[Article contains additional citation context not shown here]

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. of 30th STOC. ACM, 1998. Available at [47] as TR97-031.

.... into (1 ffl) Babai [Bab86] gave an algorithm that approximates the closest vector by a factor of (3= 2) The existence of polynomial bounds is completely open: CVP is hard to approximate within a factor 2 (log n) 0:99 as shown in [ABSS97] but a result of Goldreich and Goldwasser [GG] suggests that it is hopeless to try to extend this inapproximability result to n. The relevance of lattice reduction algorithms to cryptography was immediately understood: in April 1982, Shamir ( Sha82] found a polynomial time algorithm breaking the Merkle Hellman public key cryptosystem ....

.... (1 ffl) Babai [Bab86] gave an algorithm that approximates the closest vector by a factor of (3= 2) The existence of polynomial bounds is completely open: CVP is hard to approximate within a factor 2 (log n) 0:99 as shown in [ABSS97] but a result of Goldreich and Goldwasser [GG] suggests that it is hopeless to try to extend this inapproximability result to n. The relevance of lattice reduction algorithms to cryptography was immediately understood: in April 1982, Shamir ( Sha82] found a polynomial time algorithm breaking the Merkle Hellman public key cryptosystem ( MH78] ....

[Article contains additional citation context not shown here]

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. Preprint. Revision of ECCC Report TR97-031, Oct 16, 1997. Can be found at http://www.eccc.uni-trier.de/eccc/.

....CVP to within d 3=2 f(d) CVP was shown to be NP hard as early as in 1981 [40] for a simplified proof, see [65] Approximating CVP to within a quasi polynomial factor 2 log 1 Gamma is NP hard [6, 38] However, NP hardness results for SVP and CVP have limits. Goldreich and Goldwasser [46] showed that approximating SVP or CVP to within d=O(log d) is not NP hard, unless the polynomial time hierarchy collapses. Interestingly, SVP and CVP problems seem to be more difficult with the infinity norm. It was shown that SVP1 and CVP1 are NP hard in 1981 [40] In fact, approximating ....

....Interestingly, SVP and CVP problems seem to be more difficult with the infinity norm. It was shown that SVP1 and CVP1 are NP hard in 1981 [40] In fact, approximating SVP1 CVP1 to within an almost polynomial factor 1= log log d is NP hard [37] On the other hand, Goldreich and Goldwasser [46] showed that approximating SVP1 CVP1 to within d=O(log d) is not NP hard, unless the polynomial time hierarchy collapses. We will not discuss Ajtai s worst case average case equivalence [3, 27] which refers to special versions of SVP and SBP (see [24, 25, 11] such as SVP when the lattice gap 2 ....

[Article contains additional citation context not shown here]

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. of 30th STOC. ACM, 1998. Available at [39] as TR97-031.

....CVP was shown to be NP hard by van Emde Boas [6] with a simpler proof by Kannan [10] It was recently shown by Dinur et al. 5] to be NP hard to approximate to within 2 log 1 Gammaffl n . Goldreich and Goldwasser showed that CVP is unlikely to be NP hard to approximate within p n= log n [7]. Cai [4] showed a worst case to average case reduction for certain approximate versions of CVP. In general, CVP seems to be a harder problem than SVP; for example, it was shown by Goldreich et al. 8] that if one can approximate CVP, then one can approximate SVP to within the same factor in ....

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. Journal of Computer and System Sciences, 60(3):540--563, 2000.

....lattice vectors. On the other hand, the best known hardness result ( Mic98] building on Ajtai s proof) only states that it is NP hard to produce a vector that is within p 2 times the length of the shortest vector. To make matters more complicated and interesting, Goldreich and Goldwasser [GG98] show that finding vectors within p dimension is unlikely to be NP hard (unless the polynomial time hierarchy collapses) From the viewpoint of complexity theory, Ajtai s NP completeness proof has two intriguing aspects: First, the reduction is probabilistic (in fact, both technical ideas ....

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. 30th Annual ACM Symposium on the Theory of Computing, pages 1--9, 1998.

....Schnorr [10] that approximating SVP to within a factor of n is in NP coNP. In particular, this implies that when the approximation factor is relaxed to n, SVP is unlikely to remain NP hard, unless the polynomial time hierarchy collapses. This result was strengthened by Goldreich and Goldwasser [7] who showed that approximating SVP to within p n=O(log n) is also unlikely to be NP hard. This result is based on constructing an interactive proof system for an appropriate gap version of SVP. Recall that an interactive proof system consists of a prover and a verifier that interact on a common ....

....system for the complement of Gap SVP[ p n=O(log n) abbreviated Gap SVP[ p n] This proof system would accept No instances with probability 1 and would reject Yes instances with high probability. Technically, this will show that Gap SVP[ p n] is in coAM. Based on the proof structure of [7], together with some duality theory, it was shown by Cai and Nerurkar [6] that Gap SVP[ p n] is not NP hard under the most general kind of Cook reductions unless the polynomial time hierarchy collapses. This generalization removes some annoying technical possibilities left open by [7] We will ....

[Article contains additional citation context not shown here]

O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. Journal of Computer and System Sciences, 60(3):540--563, 2000.

....trials and absorbed in to the simulator deviation. 9 that we prove them for the promise class only makes them stronger, by virtue of the fact that the promise class contains the language class. Second, several of the most important natural problems known to be in SZK, such as those in [GK93, GG98] are not languages, but promise problems, so it may actually be preferable to study the promise class. Our only result which requires new interpretation for the language class is the Completeness Theorem. As the complete problem is a promise problem, it is not complete for the language class in ....

....has a statistical zero knowledge proof if and only if it reduces to the complete problem. We note that one must be a bit more careful in a complexity theoretic investigation of promise classes, particularly when discussing reductions that may violate the promise (cf. discussions in [ESY84, GG98] and it may be the case that the language class has some di erent properties than the promise one. 3 The Completeness Theorem 3.1 The complete problem The main aim of this paper is to demonstrate that SZK consists exactly of the problems that involve deciding whether two eciently samplable ....

Oded Goldreich and Sha Goldwasser. On the limits of non-approximability of lattice problems. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pages 1-9, Dallas, 23-26 May 1998.

....these problems to within exponential factors, and the above hardness results. Nevertheless, some other results provide a discouraging indication for improving the hardness result beyond a certain factor. LLS90] showed that approximating CVP to within dim 1:5 is in co NP, and recently [GG] showed that approximating both SVP and CVP to within p dim is in NP co AM. Hence showing the unlikelihood of any of these problems to be NP hard. The strongest hardness result likely to be true for these problems hence, is that they are hard to approximate to within a constant power of the ....

....falls into one of the following two cases, Yes: There is a consistent natural assignment for Psi. No: No non trivial consistent super assignment is of norm g. Theorem 1 (SSAT Theorem) SSAT is NP hard for g = 2 (logn) 1 Gammaffl where ffl = log log n) Gammac for any c 1 2 . We suggest a stronger conjecture. If true, it would imply that CVP is hard to approximate to within a constant power of the dimension. Conjecture 2 SSAT is hard for g = n c for some constant c 1 2 . The SSAT theorem (theorem 1) can be viewed as an extension of Cook s theorem [Coo71] in the ....

[Article contains additional citation context not shown here]

O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. ECCC, TR97-031.

....factors, and the above hardness results. Nevertheless, some other results provide a discouraging indication for improving the hardness result beyond a certain factor. Lagarias et al. 10] showed that approximating CVP to within dim 1:5 is in co NP, and recently Goldreich and Goldwasser [9] showed that approximating both SVP and CVP to within p dim is in NP co AM. Hence showing NP hardness for these problems is unlikely. The strongest hardness result likely to be true for these problems hence, is that they are hard to approximate to within a constant power of the dimension. The ....

O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. In Proc. 30th ACM Symp. on Theory of Computing, pages 1--9, 1998.

....to within d 3=2 f(d) 2 . CVP was shown to be NP hard as early as in 1981 [40] for a simplified proof, see [65] Approximating CVP to within a quasi polynomial factor 2 log 1 Gamma d is NP hard [6, 38] However, NP hardness results for SVP and CVP have limits. Goldreich and Goldwasser [46] showed that approximating SVP or CVP to within p d=O(log d) is not NP hard, unless the polynomial time hierarchy collapses. Interestingly, SVP and CVP problems seem to be more difficult with the infinity norm. It was shown that SVP1 and CVP1 are NP hard in 1981 [40] In fact, approximating ....

....Interestingly, SVP and CVP problems seem to be more difficult with the infinity norm. It was shown that SVP1 and CVP1 are NP hard in 1981 [40] In fact, approximating SVP1 CVP1 to within an almost polynomial factor d 1= log log d is NP hard [37] On the other hand, Goldreich and Goldwasser [46] showed that approximating SVP1 CVP1 to within d=O(log d) is not NP hard, unless the polynomial time hierarchy collapses. We will not discuss Ajtai s worst case average case equivalence [3, 27] which refers to special versions of SVP and SBP (see [24, 25, 11] such as SVP when the lattice gap 2 ....

[Article contains additional citation context not shown here]

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. of 30th STOC. ACM, 1998. Available at [39] as TR97-031.

.... result since, when it is combined with the IP(2) protocol for graph non isomorphism of [GMW91] we have that graph non isomorphism is not coNP hard, i.e. graph isomorphism is not NP hard (unless the polynomial hierarchy collapses) This approach has been used recently by Goldreich and Goldwasser [GG98] to show that finding approximate solutions for certain lattice minimization problems cannot be NP hard (unless the polynomial hierarchy collapses) even though polynomial time approximation algorithms are not known. It was conjectured that Theorem 1 could be extended to IP, i.e. that one could ....

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proceedings of the 30th ACM Symposium on Theory of Computing, pages 1--9, 1998.

.... 8 in [4] and was improved to 3:5 in [14] 10 The importance of studying the hardness of approximating SVP is now clear: if approximating the shortest vector in a lattice within a factor n c were NP hard, then we could base cryptography on the P versus NP question [30] The results in [53] and [29] point out some difficulties in bridging the gap between the approximation factors for which we can hope to prove the NP hardness of SVP, and those required by current lattice based crypto systems. Still, the possibility that progress in both the study of the complexity of lattice problems and the ....

....is long is a bit harder. Lagarias, Lenstra and Schnorr [53] proved that approximating SVP within a factor n is in coNP, that is, there exist short polynomial time verifiable proofs that the shortest vector in a lattice is at least 1 =n (for an alternative proof see [12] Goldreich and Goldwasser [29] proved that approximating SVP within a factor p n is in coAM, that is, there is a constant round interactive proof system to show that the shortest vector in a lattice has length at least 1 = p n. A similar result was proved by Cai in [12] for the n 1=4 unique shortest vector problem (a ....

[Article contains additional citation context not shown here]

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In ACM [1], pages 1--9. 81

.... vector can be exponentially shorter than in the original protocol, resulting in an n 2 bits saving per vector) We use our techniques to obtained improved versions of the Goldreich Goldwasser zero knowledge interactive proof systems for the Closest Vector Problem and the Shortest Vector Problem [6], and the GGH public key cryptosystem [8] In the case of the GGH cryptosystem we also show how a clever choice of the public basis may lead to a modified cryptosystem with keys and ciphertexts more than one order of magnitude shorter than the original scheme. The rest of the paper is organized ....

.... CVP seems to be computationally hard problems and have been used as the basis of various cryptographic protocols (e.g. 1, 2, 8] The approximation problems associated to the shortest vector problem and the closest vector problem are usually formalized in terms of the following promise problems [6]. Definition 1 (Approximate SVP) The promise problem GapSVP fl , where fl (the gap function) is a function of the dimension, is defined as follows: ffl yes instances are pairs (B; d) where B 2 Z n Thetak , d 2 R and kBzk d for some z 2 Z k n f0g. ffl no instances are pairs (B; d) where B 2 ....

[Article contains additional citation context not shown here]

Oded Goldreich and Shafi Goldwasser. On the limits of non-approximability of lattice problems. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pages 1--9. Dallas, Texas, 23--26 May 1998.

....University 1 whose average case complexity is as hard as the worst case of some other problem is interesting from a theoretic perspective. Yet this result also has significant cryptographic applications [AD97] showed that NP hardness for that specific restriction of SVP although unlikely [GG98] would imply an unbreakable cryptosystem, unless P=NP. Only recently [Ajt97] showed a randomized reduction from the NP complete problem SubsetSum to SVP. This has been improved [CN98] showing approximation hardness for some small factor (1 1 n ) Very recently [Mic98] has significantly ....

....CVP 1 . So far there is still a huge gap between the positive results, showing approximations for SVP and CVP with exponential factors, and the above hardness results. Nevertheless, some other results provide a discouraging indication for improving the hardness result beyond a certain factor. GG98] showed that approximating both SVP 2 and CVP 2 to within p n and approximating SVP 1 and CVP1 to within n=O(log n) is in NP co AM. Hence it is unlikely for any of these problems to be NP hard. Our Result We prove that approximating SVP 1 to within a factor of n c= log log n is NP hard ....

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In Proc. 30th ACM Symp. on Theory of Computing, pages 1--9, 1998.

No context found.

O. Goldreich and S. Goldwasser. On the limits of non-approximability of lattice problems. In ACM [1], pages 1--9.

....more recently, Micciancio [14] has proven that it is NP Hard (again under randomized reductions) to approximate the Shortest Vector Problem to within any constant factor smaller than p 2. The approximation factors mentioned in the above two types of results are very far apart, and our own work [10] points out difficulties in trying to bridge the gap. Still, the above effords renew the interest in the Open Problem (as a negative answer to the latter deems these efforts to be futile) In this note we present some extensions of Brassard s Claim. On one hand, these extensions do cover some ....

....; Pi no ) is said to be in NP if there exists a polynomial time recognizable (witness) relation R so that ffl For every x 2 Pi yes there exists a y 2 f0; 1g such that (x; y) 2 R (and jyj = poly(jxj) ffl For every x 2 Pi no and every y 2 f0; 1g , x; y) 62 R. As explained in [9] see also [10]) the fact that a promise problem in NP coNP (resp. AM coAM) is NP hard via arbitrary Cook reductions does not seem to imply that NP = coNP (resp. coNP AM) However, such a conclusion does hold in case NP hardness is proven by a restricted type of Cook reductions, called smart reductions, ....

O. Goldreich and S. Goldwasser. On the Limits of Non-Approximability of Lattice Problems. In 30th STOC, to appear (1998).

.... problems, believed to be hard, are known to have statistical zero knowledge proof systems; for example, Quadratic Residuosity [GMR89] Graph Isomorphism [GMW91] a problem equivalent to the Discrete Logarithm Problem [GK93] Statistical Difference [SV97] a gap promise problem for lattices [GG97] Negative for SZK: HVSZK AM coAM [For89, AH87] Inside HVSZK: A key result regarding SZK is that any honest verifier statistical zero knowledge proof can be transformed into one using only public coins [Oka96] That is, HVSZK = HVSZKj am . It is also known that SZK is closed under ....

Oded Goldreich and Shafi Goldwasser. On the limits of non-approximability of lattice problems. Available from http://theory.lcs.mit.edu/oded/, September 1997.

No context found.

Oded Goldreich and Shafi Goldwasser. On the limits of non-approximability of lattice problems. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing, pages 1--9. Dallas, Texas, 23--26 May 1998.

No context found.

O. Goldreich and S. Goldwasser, On the limits of non-approximability of lattice problems, STOC 1998, pp. 1-9

No context found.

O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. Journal of Computer and System Sciences, 60(3):540--563, 2000. Preliminary version in STOC'98.

No context found.

O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. In Proceedings of the 30th Annual ACM Symposium on Theory of Computing (STOC-98), pages 1--9, New York, May 23--26 1998. ACM Press.

No context found.

Oded Goldreich and Sha Goldwasser. On the limits of nonapproximability of lattice problems. Journal of Computer and System Sciences, 60(3):540-563, 2000. 30th Annual ACM Symposium on Theory of Computing (Dallas, TX, 1998).

No context found.

Oded Goldreich and Sha Goldwasser. On the limits of non-approximability of lattice problems. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pages 1-9, Dallas, 23-26 May 1998.

No context found.

O. Goldreich and S. Goldwasser, On the limits of non-approximability of lattice problems, STOC 1998, pp. 1-9

No context found.

O. Goldreich and S. Goldwasser. On the limits of nonapproximability of lattice problems. J. Comput. System Sci., 60(3):540--563, 2000.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC