The Hardness of Approximate Optima in Lattices, Codes, and Systems of Linear Equations, 1993
Cited by 173 (8 self)
We prove the following about the Nearest Lattice Vector Problem (in any ℓ_p norm), the Nearest Codeword Problem for binary codes, the problem of learning a halfspace in the presence of errors, and some other problems. 1. Approximating the optimum within any constant factor is NP-hard. 2. If for some ε > 0 there exists a polynomial-time algorithm that approximates the optimum within a factor of 2^{log^{0.5−ε} n}, then every NP language can be decided in quasi-polynomial deterministic time, i.e., NP ⊆ DTIME(n^{poly(log n)}). Moreover, we show that result 2 also holds for the Shortest Lattice Vector Problem in the ℓ_∞ norm. Also, for some of these problems we can prove the same result as above, but for a larger factor such as 2^{log^{1−ε} n} or n^ε. Improving the factor 2^{log^{0.5−ε} n} to √(dimension) for either of the lattice problems would imply the hardness of the Shortest Vector Problem in the ℓ_2 norm, an old open problem. Our proofs use reductions from few-pr...
Public-Key Cryptosystems from Lattice Reduction Problems, 1996
Cited by 148 (4 self)
We present a new proposal for a trapdoor one-way function, from which we derive public-key encryption and digital signatures. The security of the new construction is based on the conjectured computational difficulty of lattice-reduction problems, providing a possible alternative to existing public-key encryption algorithms and digital signatures such as RSA and DSS.
On the Limits of Non-Approximability of Lattice Problems, 1998
Cited by 102 (3 self)
We show simple constant-round interactive proof systems for problems capturing the approximability, to within a factor of √n, of optimization problems in integer lattices; specifically, the closest vector problem (CVP), and the shortest vector problem (SVP). These interactive proofs are for the "coNP direction"; that is, we give an interactive protocol showing that a vector is "far" from the lattice (for CVP), and an interactive protocol showing that the shortest lattice vector is "long" (for SVP). Furthermore, these interactive proof systems are Honest-Verifier Perfect Zero-Knowledge. We conclude that approximating CVP (resp., SVP) within a factor of √n is in NP ∩ coAM. Thus, it seems unlikely that approximating these problems to within a √n factor is NP-hard. Previously, for the CVP (resp., SVP) problem, Lagarias et al., Hastad and Banaszczyk showed that the gap problem corresponding to approximating CVP (resp., SVP) within n is in NP ∩ coNP. On the other hand, Ar...
The shortest vector in a lattice is hard to approximate to within some constant. In Proc. 39th Symposium on Foundations of Computer Science, 1998
Cited by 61 (4 self)
Abstract. We show that approximating the shortest vector problem (in any ℓ_p norm) to within any constant factor less than √2 is hard for NP under reverse unfaithful random reductions with inverse polynomial error probability. In particular, approximating the shortest vector problem is not in RP (random polynomial time), unless NP equals RP. We also prove a proper NP-hardness result (i.e., hardness under deterministic many-one reductions) under a reasonable number-theoretic conjecture on the distribution of square-free smooth numbers. As part of our proof, we give an alternative construction of Ajtai's constructive variant of Sauer's lemma that greatly simplifies Ajtai's original proof. Key words. NP-hardness, shortest vector problem, point lattices, geometry of numbers, sphere packing
Approximating Shortest Lattice Vectors is Not Harder Than Approximating Closest Lattice Vectors
Cited by 56 (11 self)
We show that given oracle access to a subroutine which returns approximate closest vectors in a lattice, one may find in polynomial time approximate shortest vectors in a lattice. The level of approximation is maintained; that is, for any function f, the following holds: Suppose that the subroutine, on input a lattice L and a target vector w (not necessarily in the lattice), outputs v ∈ L such that ‖v − w‖ ≤ f(n) ‖u − w‖ for any u ∈ L. Then, our algorithm, on input a lattice L, outputs a nonzero vector v ∈ L such that ‖v‖ ≤ f(n) ‖u‖ for any nonzero vector u ∈ L. The result holds for any norm, and preserves the dimension of the lattice, i.e. the closest vector oracle is called on lattices of exactly the same dimension as the original shortest vector problem. This result establishes the widely believed conjecture by which the shortest vector problem is not harder than the closest vector problem. The proof can be easily adapted to establish an analogous result for the corresponding computational problems for linear codes. Key words: Computational problems in integer lattices, reducibility among approximation problems, linear error-correcting codes. Partially supported by DARPA contract DABT63-96-C-0018. Preprint submitted to Elsevier Preprint, 6 July 1999.
A Linear-Time Algorithm for Computing the Memory Access Sequence in Data-Parallel Programs. In Proceedings of the Fifth ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming, 1995
Cited by 39 (4 self)
Data-parallel languages, such as High Performance Fortran, are designed to facilitate writing of portable programs for distributed-memory machines. Novel features of these languages call for development of new techniques in both compilers and run-time support systems. We present an improved algorithm for finding the local memory access sequence in computations involving regular sections of arrays with cyclic(k) distribution. Using the fact that regular section elements form an integer lattice we show how to find a lattice basis that allows for simple and fast enumeration of memory accesses. The complexity of our algorithm is shown to be lower than that of the previous solution for the same problem. In addition, the experimental results demonstrate the efficiency of our method in practice. This work was supported in part by ARPA contract DABT63-92-C-0038 and NSF Cooperative Agreement Number CCR-9120008. The content of this paper does not necessarily reflect the position or the policy of ...
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem, 2009
Cited by 25 (5 self)
We prove the equivalence, up to a small polynomial approximation factor √(n / log n), of the lattice problems uSVP (unique Shortest Vector Problem), BDD (Bounded Distance Decoding) and GapSVP (the decision version of the Shortest Vector Problem). This resolves a long-standing open problem about the relationship between uSVP and the more standard GapSVP, as well as the BDD problem commonly used in coding theory. The main cryptographic application of our work is the proof that the Ajtai-Dwork ([AD97]) and the Regev ([Reg04a]) cryptosystems, which were previously only known to be based on the hardness of uSVP, can be equivalently based on the hardness of worst-case GapSVP_{O(n^2.5)} and GapSVP_{O(n^2)}, respectively. Also, in the case of uSVP and BDD, our connection is very tight, establishing the equivalence (within a small constant approximation factor) between the two most central problems used in lattice-based public key cryptography and coding theory.
Sampling methods for shortest vectors, closest vectors and successive minima. In Proceedings of the 34th ICALP, 2007
Cited by 22 (0 self)
Abstract. In this paper we introduce a new lattice problem, the subspace avoiding problem (Sap). We describe a probabilistic single exponential time algorithm for Sap for arbitrary ℓ_p norms. We also describe polynomial time reductions for four classical problems from the geometry of numbers, the shortest vector problem (Svp), the closest vector problem (Cvp), the successive minima problem (Smp), and the shortest independent vectors problem (Sivp), to Sap, establishing probabilistic single exponential time algorithms for them. The results generalize and extend previous results of Ajtai, Kumar and Sivakumar. The results on Smp and Sivp are new for all norms. The results on Svp and Cvp generalize previous results of Ajtai et al. for the ℓ_2 norm to arbitrary ℓ_p norms.
Security of the most significant bits of the Shamir message passing scheme. Math. Comp., 2000
Cited by 20 (14 self)
Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p of p elements from rather short strings of the most significant bits of the remainder modulo p of αt for several values of t selected uniformly at random from F_p^*. Unfortunately the applications to the computational security of most significant bits of private keys of some finite field exponentiation based cryptosystems given by Boneh and Venkatesan are not quite correct. For the Diffie-Hellman cryptosystem the result of Boneh and Venkatesan has been corrected and generalized in our recent paper. Here a similar analysis is given for the Shamir message passing scheme. The results depend on some bounds of exponential sums.
Predicting Nonlinear Pseudorandom Number Generators. Math. Computation, 2004
Cited by 17 (11 self)
Let p be a prime and let a and b be elements of the finite field F_p of p elements. The inversive congruential generator (ICG) is a sequence (u_n) of pseudorandom numbers defined by the relation u_{n+1} ≡ a u_n^{−1} + b mod p. We show that if sufficiently many of the most significant bits of several consecutive values u_n of the ICG are given, one can recover the initial value u_0 (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), v_{n+1} ≡ f(v_n) mod p, where f ∈ F_p[X]. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), x_{n+1} ≡ a x_n + b mod p, but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.