Average-Case Hardness
DEFINITION 1 (SIVP_γ) Given a basis B ∈ Z^{n×n}, find a set of n linearly independent vectors in L(B), each of length at most γ(n)·λ_n(L(B)).
The transference theorem of Banaszczyk, which we saw in the last lecture, shows that a solution to SIVP_γ yields a solution to O(n·γ)-approximate SVP on the dual lattice. Therefore our CRHF construction is also based on the worst-case hardness of O(n^4)-approximate SVP. We now give the formal definition of a CRHF.
DEFINITION 2 A family of collision resistant hash functions (CRHF) is a sequence {T_n}_{n=1}^∞, where each T_n is a family of functions f : {0,1}^{m(n)} → {0,1}^{k(n)}, with the following properties.
1. There exists an algorithm that, given any n ≥ 1, outputs a random element of T_n in time polynomial in n.
2. Every function f ∈ T_n is efficiently computable.
3. For any c > 0, there is no polynomial-time algorithm that with probability at least 1/n^c, given a random f ∈ T_n, outputs x, y such that x ≠ y and f(x) = f(y) (i.e., there is no polynomial-time algorithm that with non-negligible probability finds a collision).
REMARK 1 We usually consider functions from {0,1}^m to {0,1}^k for m > k so that collisions are guaranteed to exist. If no collisions exist, the last requirement is trivially void.
REMARK 2 The more standard notion of a family of one-way functions (OWF) is defined similarly, where instead of the last requirement we have the following:
3. For any c > 0, there is no polynomial-time algorithm that with probability at least 1/n^c, given a random f ∈ T_n and the value f(x) for a random x ∈ {0,1}^m, outputs y such that f(x) = f(y) (i.e., there is no polynomial-time algorithm that with non-negligible probability inverts the function on a random input).
It is easy to see that any CRHF is in particular an OWF. We remark that both are important primitives in cryptography, but we will not expand on this topic.
Our CRHF is essentially the modular subset-sum function over Z_q^n, as defined next. It is parameterized by two functions m = m(n), q = q(n).
DEFINITION 3 For any a_1, ..., a_m ∈ Z_q^n, define f_{a_1,...,a_m} as the function from {0,1}^m to {0,1}^{n·log q} given by

f_{a_1,...,a_m}(b_1, ..., b_m) = Σ_{i=1}^m b_i·a_i mod q.

Then, we define the family T_n as the set of functions f_{a_1,...,a_m} for all a_1, ..., a_m ∈ Z_q^n.
This family clearly satisfies the first two properties of a CRHF. Our main theorem below shows that for a certain choice of parameters, the existence of a collision finder (i.e., an algorithm that violates the third property of a CRHF) implies a solution to SIVP_{O(n^3)}.
THEOREM 4 Let q = 2^{2n} and m = 4n^2. Assume that there exists a polynomial-time algorithm COLLISIONFIND that, given random elements a_1, ..., a_m ∈ Z_q^n, finds b_1, ..., b_m ∈ {-1, 0, 1}, not all zero, such that Σ_{i=1}^m b_i·a_i = 0 (mod q) with probability at least n^{-c_0} for some constant c_0 > 0. Then there is a polynomial-time algorithm that solves SIVP_{O(n^3)} on any lattice.
Notice that for this choice of parameters, m > n·log q, so collisions are guaranteed to exist. The proof is based on the idea of smoothing a lattice by Gaussian noise, which is described in the next section.
2 The Smoothing Parameter
For s > 0 and x ∈ R^n define ν_s(x) = ρ_s(x)/s^n. This is the Gaussian probability density function with parameter s. As we have seen in the last lecture, a vector chosen randomly according to ν_s has length at most √n·s with probability 1 - 2^{-Ω(n)}. In this section we are interested in understanding what happens when we take the uniform distribution on a lattice and add Gaussian noise to it. An illustration of this is shown in Figure 1. The four plots show the distribution obtained with four different values of s. Notice that as we add more Gaussian noise, the distribution becomes closer to uniform. Our goal in this section is to analyze this formally and understand how large s has to be for this to happen. This will play a crucial role in the proof of the main theorem.

Figure 1: A lattice distribution with different amounts of Gaussian noise
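The smoothing effect in Figure 1 can be reproduced numerically. The sketch below takes the lattice Z^2, where reduction modulo P(B) = [0,1)^2 is just the coordinatewise fractional part, and estimates the statistical distance to uniform from a binned histogram; the bin and sample counts are arbitrary choices. Note the conversion from our parameter s (density proportional to e^{-π‖x/s‖^2}) to numpy's standard deviation, σ = s/√(2π):

```python
# Sampling nu_s, reducing mod [0,1)^2, and estimating distance from uniform.
import numpy as np

rng = np.random.default_rng(1)

def sd_from_uniform(s, samples=200_000, bins=8):
    """Estimate the statistical distance between (nu_s mod [0,1)^2) and uniform."""
    pts = rng.normal(scale=s / np.sqrt(2 * np.pi), size=(samples, 2)) % 1.0
    hist, _, _ = np.histogram2d(pts[:, 0], pts[:, 1], bins=bins,
                                range=[[0, 1], [0, 1]])
    p = hist.flatten() / samples
    return 0.5 * np.abs(p - 1.0 / bins ** 2).sum()

for s in (0.2, 0.5, 1.0, 2.0):
    print(f"s = {s:3.1f}  estimated distance from uniform: {sd_from_uniform(s):.4f}")
```

As in the figure, the estimated distance drops rapidly once s grows past roughly the lattice spacing.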
To make the above formal, we work modulo the basic parallelepiped, as was described in Lecture 7. Namely, the statement we wish to prove is that for large enough s, if we reduce the distribution ν_s modulo P(B), we obtain a distribution that is very close to uniform over P(B). This is done in the following lemma.
LEMMA 5 Let Λ be a lattice with basis B. Then, the statistical distance between the uniform distribution on P(B) and the distribution obtained by sampling from ν_s and reducing the result modulo P(B) is at most (1/2)·ρ_{1/s}(Λ* \ {0}).
PROOF: We need to calculate the statistical distance between the following two density functions on P(B):

U(x) = 1/det(Λ) = det(Λ*)

and

Y(x) = Σ_{x' s.t. x' mod P(B) = x} ν_s(x') = (1/s^n)·ρ_s(x + Λ).

Using the Poisson summation formula and properties of the Fourier transform, we obtain

Y(x) = (1/s^n)·det(Λ*)·s^n·Σ_{w ∈ Λ*} ρ_{1/s}(w)·e^{2πi⟨w,x⟩} = det(Λ*)·(1 + Σ_{w ∈ Λ*\{0}} ρ_{1/s}(w)·e^{2πi⟨w,x⟩}).

So,

Δ(Y, U) = (1/2)·∫_{P(B)} |Y(x) - U(x)| dx
  ≤ (1/2)·vol(P(B))·max_{x ∈ P(B)} |Y(x) - det(Λ*)|
  = (1/2)·det(Λ)·det(Λ*)·max_{x ∈ P(B)} |Σ_{w ∈ Λ*\{0}} ρ_{1/s}(w)·e^{2πi⟨w,x⟩}|
  ≤ (1/2)·det(Λ)·det(Λ*)·Σ_{w ∈ Λ*\{0}} ρ_{1/s}(w)
  = (1/2)·ρ_{1/s}(Λ* \ {0})

where the last inequality uses the triangle inequality, and the last equality uses det(Λ)·det(Λ*) = 1.
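The Poisson summation step in this proof can be checked numerically. The sketch below verifies ρ_s(Λ + x) = det(Λ*)·s·Σ_{w ∈ Λ*} ρ_{1/s}(w)·e^{2πiwx} for the one-dimensional lattice Λ = c·Z (so det(Λ*) = 1/c and Λ* = (1/c)·Z); both sums decay so fast that a modest truncation K is exact to machine precision:

```python
# Numerical check of the Poisson summation identity for L = c*Z.
import cmath
import math

def rho(r, t):
    return math.exp(-math.pi * (t / r) ** 2)      # rho_r(t)

c, s, x, K = 0.7, 0.9, 0.3, 200                   # arbitrary values; K truncates
lhs = sum(rho(s, c * k + x) for k in range(-K, K + 1))
rhs = (s / c) * sum(rho(1 / s, k / c) * cmath.exp(2j * math.pi * (k / c) * x)
                    for k in range(-K, K + 1))
print(lhs, rhs.real)                              # the two sides agree
```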
The above lemma motivates the following definition.

DEFINITION 6 For any ε > 0, we define the smoothing parameter of Λ with parameter ε as the smallest s such that ρ_{1/s}(Λ* \ {0}) ≤ ε, and denote it by η_ε(Λ).
To see why this is well-defined, notice that ρ_{1/s}(Λ* \ {0}) is continuous and strictly decreasing in s, with lim_{s→0} ρ_{1/s}(Λ* \ {0}) = ∞ and lim_{s→∞} ρ_{1/s}(Λ* \ {0}) = 0.

CLAIM 7 For any ε ≤ 1/100, η_ε(Λ) ≥ 1/λ_1(Λ*).
PROOF: Let s = 1/λ_1(Λ*), and let y ∈ Λ* be of norm λ_1(Λ*). Then

ρ_{1/s}(Λ* \ {0}) ≥ ρ_{1/s}(y) = e^{-π‖y/λ_1(Λ*)‖^2} = e^{-π} > 1/100.

Hence for any ε ≤ 1/100 the smoothing parameter must be larger than this s.
Using the transference theorem, we obtain the following corollary.

COROLLARY 8 For any ε ≤ 1/100, η_ε(Λ) ≥ (1/n)·λ_n(Λ).
CLAIM 9 For any ε ≥ 2^{-n+1}, η_ε(Λ) ≤ √n / λ_1(Λ*).
PROOF: Let s = √n / λ_1(Λ*). Then,

ρ_{1/s}(Λ* \ {0}) = ρ(s·(Λ* \ {0})) ≤ 2^{-n+1}

where the inequality follows from a corollary we saw in the previous lecture together with λ_1(s·Λ*) ≥ √n.
Using the easy direction of the transference theorem, we obtain the following corollary.

COROLLARY 10 For any ε ≥ 2^{-n+1}, η_ε(Λ) ≤ √n·λ_n(Λ).
We remark that it can be shown that η_ε(Λ) ≤ log n·λ_n(Λ) for ε = n^{-log n} (see Lemma 15).
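For a concrete feel for these bounds, the smoothing parameter of Z^n can be computed numerically. Since (Z^n)* = Z^n, we have ρ_{1/s}(Λ* \ {0}) = θ(s)^n - 1 with θ(s) = Σ_{j ∈ Z} e^{-πs^2 j^2}, which is strictly decreasing in s, so η_ε can be found by binary search (n and ε below are arbitrary illustrative choices):

```python
# Numerically computing eta_eps(Z^n) via the dual Gaussian mass.
import math

def rho_dual_minus_zero(s, n, K=50):
    theta = 1 + 2 * sum(math.exp(-math.pi * (s * j) ** 2) for j in range(1, K))
    return theta ** n - 1

def eta(eps, n):
    lo, hi = 1e-3, 100.0
    for _ in range(80):                 # binary search: the mass decreases in s
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if rho_dual_minus_zero(mid, n) > eps else (lo, mid)
    return hi

n = 16
e = eta(1 / 100, n)
# The bounds above sandwich this value: lambda_1((Z^n)*) = 1, so the result
# should lie between 1 and sqrt(n).
print(e, 1.0 <= e <= math.sqrt(n))
```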
3 Proof of Theorem 4
Our goal is to describe an algorithm that solves SIVP_{O(n^3)} on any given lattice using calls to COLLISIONFIND (as defined in Theorem 4). The core of the algorithm is the procedure FINDVECTOR presented below. In this procedure and elsewhere in this section, we fix ε to be n^{-log n} and recall that we choose q = 2^{2n} and m = 4n^2. The output of FINDVECTOR is some random short lattice vector. As we shall see later, by calling FINDVECTOR enough times, we can obtain a set of n short linearly independent vectors, as required.
Roughly speaking, FINDVECTOR works as follows. It first chooses m vectors x_1, ..., x_m independently from the Gaussian distribution ν_s, where s is close to the smoothing parameter of the lattice. Since the smoothing parameter is not much bigger than √n·λ_n(Λ), these vectors are short. Then, these vectors are reduced modulo P(B) to obtain y_1, ..., y_m. By Lemma 5, each of y_1, ..., y_m is distributed almost uniformly in P(B). We now partition P(B) into a very fine grid containing q^n cells (see Figure 2). Each cell naturally corresponds to an element of Z_q^n and we define a_i ∈ Z_q^n as the element corresponding to the cell containing y_i. Notice that each a_i is distributed almost uniformly in Z_q^n. We can therefore apply COLLISIONFIND to a_1, ..., a_m and obtain a {-1, 0, 1}-combination of them that sums to zero in Z_q^n. We then notice that the same combination applied to x_1, ..., x_m is: (i) a short vector (since each x_i is short and the coefficients are at most 1 in absolute value); (ii) extremely close to a lattice vector (which must therefore be short as well). The procedure outputs this close-by lattice vector.
Figure 2: Partitioning a basic parallelepiped into 4^2 parts
Procedure 1 FINDVECTOR
Input: A lattice Λ given by an LLL-reduced basis B, and a parameter s satisfying 2η_ε(Λ) ≤ s ≤ 4η_ε(Λ).
Output: A (short) element of Λ, or a message FAIL.
1: For each i ∈ {1, ..., m} do the following:
2: Choose a random vector x_i from distribution ν_s
3: Let y_i = x_i mod P(B)
4: Consider the sub-parallelepiped containing y_i. Let a_i be the element of Z_q^n corresponding to it, and let z_i be its lower-left corner. In symbols, a_i = ⌊q·B^{-1}·y_i⌋ and z_i = B·a_i/q = B·⌊q·B^{-1}·y_i⌋/q.
5: Run COLLISIONFIND on (a_1, ..., a_m). If it fails then output FAIL. Otherwise, we obtain b_1, ..., b_m ∈ {-1, 0, 1}, not all zero, such that Σ_{i=1}^m b_i·a_i = 0 (mod q)
6: Return Σ_{i=1}^m b_i·(x_i - y_i + z_i)
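The procedure can be traced end to end on a toy example. In the sketch below everything is scaled down: n = 2, tiny q and m, a fixed (already fairly reduced) basis instead of running LLL, an arbitrary s, and a brute-force stand-in for COLLISIONFIND. With these values 2^m > q^n, so a {-1,0,1}-combination summing to zero mod q always exists by pigeonhole on subset sums:

```python
# A scaled-down trace of FINDVECTOR's steps 1-6 on a toy 2-dimensional lattice.
import itertools
import numpy as np

rng = np.random.default_rng(2)
n, q, m, s = 2, 4, 8, 2.0                  # toy parameters, not Theorem 4's
B = np.array([[3.0, 1.0], [1.0, 2.0]])     # columns of B are the basis vectors
Binv = np.linalg.inv(B)

def collision_find(a):
    """Brute-force stand-in for COLLISIONFIND: b in {-1,0,1}^m, not all zero,
    with sum_i b_i * a_i = 0 (mod q)."""
    for b in itertools.product((-1, 0, 1), repeat=len(a)):
        if any(b) and not ((np.array(b) @ a) % q).any():
            return np.array(b)
    return None

x = rng.normal(scale=s / np.sqrt(2 * np.pi), size=(m, n))  # step 2: x_i ~ nu_s
t = x @ Binv.T                              # coordinates of the x_i w.r.t. B
frac = t % 1.0
y = frac @ B.T                              # step 3: y_i = x_i mod P(B)
a = np.floor(q * frac).astype(int)          # step 4: a_i = floor(q * B^-1 * y_i)
z = (a / q) @ B.T                           #         z_i = B * a_i / q
b = collision_find(a)                       # step 5
v = b @ (x - y + z)                         # step 6
coords = v @ Binv.T                         # integer up to float error
print(v, np.round(coords))
```

The last line checks that the coordinates of the returned vector with respect to B are integers up to floating-point error, i.e., that the output really is a lattice vector.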
Later in this section, we will prove that FINDVECTOR satisfies the following properties:
- When it is successful, its output is a lattice vector, and with probability exponentially close to 1, its length is at most O(n^3·λ_n(Λ)).
- It is successful with probability at least n^{-c_0}/2.
- The distribution of its output is full-dimensional, in the sense that the probability that the output vector lies in any fixed (n-1)-dimensional hyperplane is at most 0.9.
Based on these properties, we can now describe the SIVP_{O(n^3)} algorithm. Given some basis of a lattice Λ, the algorithm starts by applying the LLL algorithm to obtain an LLL-reduced basis B. Assume for simplicity that we know a value s as required by FINDVECTOR. We can then apply FINDVECTOR n^{c_0+2} times (where n^{-c_0} is the success probability of COLLISIONFIND). Among all vectors returned, we look for n linearly independent vectors. If such vectors are found, we output them; otherwise, we fail.
By the properties mentioned above, we see that among the n^{c_0+2} applications of FINDVECTOR made by our algorithm, the expected number of successful calls is at least n^2/2. Using standard arguments, we obtain that with very high probability, the number of successful calls is at least, say, n^2/4. Moreover, we see that with high probability all these vectors are lattice vectors of length at most O(n^3·λ_n(Λ)). Finally, we claim that these vectors contain n linearly independent vectors with very high probability. Indeed, as long as the dimension of the space spanned by the current vectors is less than n, each new vector increases it by one with probability at least 0.1. Hence, with very high probability, we find n linearly independent vectors.
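The collection step just described can be sketched as follows. Since the point here is only the rank-collection logic, `find_vector` below is a placeholder that returns random small integer combinations of a fixed basis, standing in for the real FINDVECTOR:

```python
# Collecting n linearly independent vectors from repeated oracle calls.
import numpy as np

rng = np.random.default_rng(3)
B = np.array([[3.0, 1.0, 0.0], [1.0, 2.0, 1.0], [0.0, 1.0, 2.0]])
n = 3

def find_vector():
    return B @ rng.integers(-2, 3, size=n)     # placeholder lattice vector

found = np.zeros((0, n))
for _ in range(1000):                          # cf. the n^(c_0+2) calls above
    cand = np.vstack([found, find_vector()])
    if np.linalg.matrix_rank(cand) > len(found):   # keeps only rank-increasing vectors
        found = cand
    if len(found) == n:
        break
print(len(found))
```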
It remains to explain how to find a parameter s in the required range. Recall that the length of the longest vector in an LLL-reduced basis gives a 2^n approximation to λ_n(Λ). Together with Corollaries 8 and 10, we obtain an n^{3/2}·2^n approximation to η_ε(Λ). We can therefore run the algorithm with each value of s in a geometric sequence of ratio 2 covering this range; this requires only polynomially many runs, and at least one of the values satisfies 2η_ε(Λ) ≤ s ≤ 4η_ε(Λ).

CLAIM 11 When FINDVECTOR does not fail, its output Σ_{i=1}^m b_i·(x_i - y_i + z_i) is a lattice vector.

PROOF: Each x_i - y_i is a lattice vector by the definition of y_i. Moreover,

Σ_{i=1}^m b_i·z_i = B·(Σ_{i=1}^m b_i·a_i)/q

is a lattice vector, because Σ_{i=1}^m b_i·a_i = 0 (mod q) implies that (Σ_{i=1}^m b_i·a_i)/q is an integer vector.
The following claim shows that when FINDVECTOR is successful, its output is a short vector. By combining the bound below with Corollary 10 and our choice of m, we obtain a bound of O(n^3·λ_n(Λ)) on the length of the output.

CLAIM 12 If s ≥ η_ε(Λ), the probability that FINDVECTOR outputs a vector v of length ‖v‖ > 2m·√n·s is at most 2^{-Ω(n)}.
PROOF: Using the triangle inequality and the fact that b_i ∈ {-1, 0, 1} we get that

‖Σ_{i=1}^m b_i·(x_i - y_i + z_i)‖ ≤ Σ_{i=1}^m |b_i|·‖x_i - y_i + z_i‖ ≤ Σ_{i=1}^m ‖x_i‖ + Σ_{i=1}^m ‖z_i - y_i‖.

We bound the two terms separately. First, each x_i is chosen independently from the distribution ν_s. As we saw in the previous lecture, the probability that ‖x_i‖ > √n·s is at most 2^{-Ω(n)}. So the contribution of the first term is at most m·√n·s, except with probability 2^{-Ω(n)}. Second, each ‖z_i - y_i‖ is at most the diameter of a sub-parallelepiped, which is

diam(P(B))/q ≤ n·2^n·λ_n(Λ)/q = n·2^{-n}·λ_n(Λ)

where we used that B is LLL-reduced and therefore diam(P(B)) ≤ n·2^n·λ_n(Λ). Since λ_n(Λ) ≤ n·η_ε(Λ) ≤ n·s by Corollary 8, the contribution of the second term is at most m·n^2·2^{-n}·s ≤ m·√n·s, and the claim follows.
CLAIM 13 If s ≥ η_ε(Λ), then the statistical distance between (a_1, ..., a_m) and the uniform distribution over (Z_q^n)^m is at most m·ε.

PROOF: Since the a_i are independent and identically distributed,

Δ((a_1, ..., a_m), U((Z_q^n)^m)) ≤ Σ_{i=1}^m Δ(a_i, U(Z_q^n))
  = m·Δ(f(ν_s mod P(B)), f(U(P(B))))
  ≤ m·Δ(ν_s mod P(B), U(P(B)))
  ≤ m·ε

where f denotes the mapping taking a point of P(B) to the cell of Z_q^n containing it; the middle inequality holds since applying a function cannot increase statistical distance, and the last follows from Lemma 5 and the definition of η_ε. Since m = 4n^2 and ε = n^{-log n}, m·ε is a negligible function, so we are done.
It remains to prove that the output of FINDVECTOR is full-dimensional. (Notice that so far we haven't even excluded the possibility that its output is constantly the zero vector!) We cannot make any assumptions on the behavior of COLLISIONFIND, and we need to argue that even if it acts maliciously, the vectors given by FINDVECTOR are full-dimensional. Essentially, the idea is the following. We note that COLLISIONFIND is only given the a_i. From this, it can deduce the z_i and also the y_i to within a good approximation. But, as we show later, it still has lots of uncertainty about the vectors x_i: conditioned on any fixed value for y_i, the distribution of x_i is full-dimensional. So no matter what COLLISIONFIND does, the distribution of the output vector is full-dimensional.
To argue this formally, it is helpful to imagine that the vectors x_i are chosen after we call COLLISIONFIND. This is done by introducing the following virtual procedure FINDVECTOR′. We use the notation D_{s,y} to denote the distribution obtained by conditioning ν_s on the outcome x satisfying x mod P(B) = y. More precisely, for any x ∈ Λ + y,

Pr[D_{s,y} = x] = ν_s(x)/ν_s(Λ + y) = ρ_s(x)/ρ_s(Λ + y).

We only use FINDVECTOR′ in our analysis and therefore it doesn't matter that we don't have an efficient way to sample from D_{s,y}. The important thing is that its output distribution is identical to that of FINDVECTOR.
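Although no efficient sampler for D_{s,y} is needed, an inefficient one makes the conditioning concrete: enumerate a large finite piece of the coset Λ + y and pick a point with probability proportional to ρ_s. The basis, s, y, and the truncation bound K below are arbitrary illustrative choices:

```python
# A direct (inefficient) sampler for D_{s,y} on a toy 2-dimensional lattice.
import itertools
import numpy as np

rng = np.random.default_rng(4)
B = np.array([[3.0, 1.0], [1.0, 2.0]])
s, K = 4.0, 8                                   # keep coefficients in [-K, K]

def sample_D(y, num):
    pts = np.array([B @ np.array(k) + y
                    for k in itertools.product(range(-K, K + 1), repeat=2)])
    w = np.exp(-np.pi * (np.linalg.norm(pts, axis=1) / s) ** 2)   # rho_s weights
    return pts[rng.choice(len(pts), size=num, p=w / w.sum())]

y = np.array([0.4, 0.7])                        # every sample reduces to y mod P(B)
xs = sample_D(y, 2000)
print(xs.std(axis=0))                           # spread in every direction
```

Even with y fixed, the samples have substantial variance along both axes, which is exactly the full-dimensionality that Lemma 14 below quantifies.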
We complete the analysis with the following lemma. It shows that for s ≥ 2η_ε(Λ), any y, and any (n-1)-dimensional hyperplane H, the probability that a vector x chosen from D_{s,y} is in H is at most 0.9. This implies that the same holds for the output distribution of FINDVECTOR′ (and hence also for that of FINDVECTOR). Indeed, consider Step 5. Not all b_i are zero, so assume for simplicity that b_1 = 1. Then for the output of the procedure to be in some (n-1)-dimensional hyperplane H, the vector x_1 must also be in some hyperplane (namely, H + y_1 - z_1 - Σ_{i=2}^m b_i·(x_i - y_i + z_i)), which happens with probability at most 0.9.
Procedure 2 FINDVECTOR′
Input: A lattice Λ given by an LLL-reduced basis B, and a parameter s satisfying 2η_ε(Λ) ≤ s ≤ 4η_ε(Λ).
Output: A (short) element of Λ, or a message FAIL.
1: For each i ∈ {1, ..., m} do the following:
2: Choose y_i according to the distribution ν_s mod P(B)
3: Define a_i = ⌊q·B^{-1}·y_i⌋ and z_i = B·a_i/q = B·⌊q·B^{-1}·y_i⌋/q.
4: Run COLLISIONFIND on (a_1, ..., a_m). If it fails then output FAIL. Otherwise, we obtain b_1, ..., b_m ∈ {-1, 0, 1}, not all zero, such that Σ_{i=1}^m b_i·a_i = 0 (mod q)
5: For each i ∈ {1, ..., m}, choose x_i from the distribution D_{s,y_i}
6: Return Σ_{i=1}^m b_i·(x_i - y_i + z_i)
LEMMA 14 For s ≥ 2η_ε(Λ), any y ∈ R^n, and any (n-1)-dimensional hyperplane H, the probability that a vector chosen from D_{s,y} lies in H is at most 0.9.

PROOF: Since ρ_s is invariant under rotations, we may assume that H = {x ∈ R^n : x_1 = c} for some c ∈ R. For any x ∈ H we have e^{-π((x_1-c)/s)^2} = 1, and hence

Pr[D_{s,y} ∈ H] = Σ_{x ∈ (Λ+y)∩H} ρ_s(x)/ρ_s(Λ + y)
  ≤ Σ_{x ∈ Λ+y} (ρ_s(x)/ρ_s(Λ + y))·e^{-π((x_1-c)/s)^2}
  = (1/ρ_s(Λ + y))·Σ_{x ∈ Λ+y} e^{-π‖x/s‖^2}·e^{-π((x_1-c)/s)^2}.

We now analyze this expression. Using the Poisson summation formula and the fact that s ≥ η_ε(Λ),

ρ_s(Λ + y) = det(Λ*)·s^n·Σ_{w ∈ Λ*} ρ_{1/s}(w)·e^{2πi⟨w,y⟩} ≥ det(Λ*)·s^n·(1 - ε).

To analyze the sum, we define

g(x) := e^{-π‖x/s‖^2}·e^{-π((x_1-c)/s)^2}
  = e^{-(π/s^2)·(x_1^2 + (x_1-c)^2 + x_2^2 + ··· + x_n^2)}
  = e^{-πc^2/(2s^2)}·e^{-(π/s^2)·((√2·(x_1 - c/2))^2 + x_2^2 + ··· + x_n^2)}.

From this we can see that the Fourier transform of g is given by

ĝ(w) = e^{-πc^2/(2s^2)}·e^{-2πi·w_1·(c/2)}·(s^n/√2)·e^{-πs^2·((w_1/√2)^2 + w_2^2 + ··· + w_n^2)}

and in particular,

|ĝ(w)| ≤ (s^n/√2)·e^{-πs^2·((w_1/√2)^2 + w_2^2 + ··· + w_n^2)} ≤ (s^n/√2)·ρ_{√2/s}(w).

We can now apply the Poisson summation formula and obtain

g(Λ + y) = det(Λ*)·Σ_{w ∈ Λ*} ĝ(w)·e^{2πi⟨w,y⟩} ≤ det(Λ*)·Σ_{w ∈ Λ*} |ĝ(w)| ≤ det(Λ*)·(s^n/√2)·(1 + ε)

where the last inequality follows from s ≥ √2·η_ε(Λ). Combining the above, we conclude

Pr[D_{s,y} ∈ H] ≤ (det(Λ*)·s^n·(1 + ε)/√2) / (det(Λ*)·s^n·(1 - ε)) = (1 + ε)/(√2·(1 - ε)) < 0.9.
4 Possible Improvements and Some Remarks
The reduction we presented here shows how to solve SIVP_{O(n^3)} using a collision finder. The best known reduction [6] achieves a solution to SIVP_{Õ(n)}, where the Õ hides polylogarithmic factors. This improvement is obtained by adding three more ideas to our reduction:
1. Use the bound η_ε(Λ) ≤ log n·λ_n(Λ) for ε = n^{-log n} described below in Lemma 15. This improves the approximation factor to Õ(n^{2.5}).
2. It can be shown that the summands of Σ_{i=1}^m b_i·(x_i - y_i + z_i) add up like random vectors, i.e., with cancellations. Therefore, the total norm is proportional to √m and not m. This means that one can improve the bound in Claim 12 to Õ(√m·√n·s). Together with the previous improvement, this gives an approximation factor of Õ(n^{1.5}).
3. The last idea is to use an iterative algorithm. In other words, instead of obtaining an approximate solution to SIVP in one go, we obtain it in steps: starting with a set of long vectors, we repeatedly make it shorter by replacing long vectors with shorter ones. This allows us to choose a smaller value of q, say, q = n^{10}, which in turn allows us to choose m = O(n). This smaller value of m makes the length of the resulting basis only Õ(n)·λ_n(Λ). See [6] for more details.
Let us also mention two modifications to the basic reduction. First, notice that it is enough if COLLISIONFIND returns coefficients b_1, ..., b_m that are small, and not necessarily in {-1, 0, 1}. So finding small solutions to random modular equations is as hard as worst-case lattice problems. Another possible modification is to partition the basic parallelepiped into p_1·p_2···p_n parts for some primes p_1, ..., p_n (instead of q^n parts). This naturally gives rise to the group Z_{p_1} × ··· × Z_{p_n} ≅ Z_{p_1···p_n}. Hence, we see that finding small solutions to a random equation in Z_N (for an appropriate N) is also as hard as worst-case lattice problems.
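The group identity behind this second modification is the Chinese remainder theorem: when the p_i are distinct primes, reduction modulo each p_i maps Z_N bijectively and additively onto Z_{p_1} × ··· × Z_{p_n}. A quick exhaustive check for four small primes:

```python
# Verifying the CRT isomorphism Z_N ~ Z_{p_1} x ... x Z_{p_n} for small primes.
from math import prod

ps = [2, 3, 5, 7]
N = prod(ps)                                   # 210

def to_tuple(x):                               # Z_N -> Z_{p_1} x ... x Z_{p_n}
    return tuple(x % p for p in ps)

image = {to_tuple(x) for x in range(N)}        # bijectivity: N distinct images
additive = all(to_tuple((x + y) % N)
               == tuple((a + b) % p for a, b, p in
                        zip(to_tuple(x), to_tuple(y), ps))
               for x in range(N) for y in range(0, N, 13))
print(len(image) == N, additive)
```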
Finally, we note that the basic reduction presented in the previous section is non-adaptive, in the sense that all oracle queries can be made simultaneously. In contrast, in an adaptive reduction, oracle queries depend on answers to previous oracle queries and therefore cannot be made simultaneously. If we apply the iterative technique outlined above in order to gain an extra √n in the approximation factor, then the reduction becomes adaptive.
4.1 A Tighter Bound on the Smoothing Parameter
LEMMA 15 Let ε = n^{-log n}. Then for any lattice Λ, η_ε(Λ) ≤ log n·λ_n(Λ).

This lemma is essentially tight: consider, for instance, the lattice Λ = Z^n. Then clearly λ_n(Λ) = 1. On the other hand, the dual lattice is also Z^n, and we can therefore lower bound ρ_{1/s}(Λ* \ {0}) by (say) e^{-πs^2}. To make this quantity at most ε, s should be at least Ω(log n), and hence η_ε(Λ) ≥ Ω(log n).
PROOF: Let v_1, ..., v_n be a set of n linearly independent vectors in Λ of length at most λ_n(Λ) (such a set exists by the definition of λ_n). Take s = log n·λ_n(Λ). Our goal is to show that ρ_{1/s}(Λ* \ {0}) is smaller than ε. The idea is to show that for each i, almost all the contribution to ρ_{1/s}(Λ*) comes from the set S_{i,0} defined below; since the intersection of these sets is {0}, this means that ρ_{1/s}(Λ*) is essentially 1 and ρ_{1/s}(Λ* \ {0}) is very small.

For i = 1, ..., n and j ∈ Z we define

S_{i,j} = {y ∈ Λ* | ⟨v_i, y⟩ = j}.
If we recall the definition of the dual lattice, we see that for any i, the union of S_{i,j} over all j ∈ Z is Λ*. Moreover, if S_{i,j} is not empty, then it is a translation of S_{i,0}, and we can write

S_{i,j} = S_{i,0} + w + j·u_i

where u_i = v_i/‖v_i‖^2 is a vector of length 1/‖v_i‖ ≥ 1/λ_n(Λ) in the direction of v_i and w is some vector orthogonal to v_i. Using these properties, we see that if S_{i,j} is not empty, then

ρ_{1/s}(S_{i,j}) = e^{-π‖j·s·u_i‖^2}·ρ_{1/s}(S_{i,0} + w) ≤ e^{-π‖j·s·u_i‖^2}·ρ_{1/s}(S_{i,0}) ≤ e^{-π·j^2·log^2 n}·ρ_{1/s}(S_{i,0})

where the first inequality follows from a lemma in the previous lecture. Hence,
ρ_{1/s}(Λ* \ S_{i,0}) = Σ_{j≠0} ρ_{1/s}(S_{i,j}) ≤ (Σ_{j≠0} e^{-π·j^2·log^2 n})·ρ_{1/s}(S_{i,0}) ≤ n^{-2 log n}·ρ_{1/s}(S_{i,0}) ≤ n^{-2 log n}·ρ_{1/s}(Λ*).
Since v_1, ..., v_n are linearly independent,

Λ* \ {0} = ∪_{i=1}^n (Λ* \ S_{i,0})

and therefore

ρ_{1/s}(Λ* \ {0}) ≤ Σ_{i=1}^n ρ_{1/s}(Λ* \ S_{i,0}) ≤ n·n^{-2 log n}·ρ_{1/s}(Λ*) = n^{-2 log n + 1}·(1 + ρ_{1/s}(Λ* \ {0})).

We obtain the result by rearranging.
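Lemma 15 can be sanity-checked numerically in its tight case Λ = Z^n, where λ_n = 1, the dual is again Z^n, and the dual Gaussian mass has the closed form θ(s)^n - 1 with θ(s) = Σ_{j ∈ Z} e^{-πs^2 j^2} (n = 16 below is an arbitrary choice):

```python
# Checking that s = log(n) already pushes rho_{1/s}(Z^n \ {0}) below n^(-log n).
import math

n = 16
s = math.log(n)                                 # s = log(n) * lambda_n(Z^n)
theta = 1 + 2 * sum(math.exp(-math.pi * (s * j) ** 2) for j in range(1, 40))
mass = theta ** n - 1                           # rho_{1/s}(Z^n \ {0})
eps = n ** (-math.log(n))
print(mass, eps, mass <= eps)
```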
References
[1] M. Ajtai. Generating hard instances of lattice problems. In Proc. of 28th STOC, pages 99–108, 1996. Available from ECCC.
[2] M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th ACM Symp. on Theory of Computing (STOC), pages 284–293, 1997.
[3] J. Cai and A. Nerurkar. An improved worst-case to average-case connection for lattice problems. In Proc. of 38th FOCS, pages 468–477, 1997.
[4] O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. Technical report TR96-056, Electronic Colloquium on Computational Complexity (ECCC), 1996.
[5] D. Micciancio. Improved cryptographic hash functions with worst-case/average-case connection. In Proc. of 34th STOC, pages 609–618, 2002.
[6] D. Micciancio and O. Regev. Worst-case to average-case reductions based on Gaussian measures. In Proc. 45th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pages 372–381, 2004.
[7] O. Regev. New lattice-based cryptographic constructions. Journal of the ACM, 51(6):899–942, 2004. Preliminary version in STOC'03.