Generating hard instances of lattice problems (extended abstract)

  • Miklós Ajtai
  • Published in STOC '96, 1 July 1996
  • Mathematics, Computer Science
We give a random class of lattices in \(\mathbb{Z}^n\) whose elements can be generated together with a short vector in them so that, if there is a probabilistic polynomial time algorithm which finds a short vector in a random lattice with a probability of at least 1/2, then there is also a probabilistic polynomial time algorithm which solves the following three lattice problems in every lattice in \(\mathbb{Z}^n\) with a probability exponentially close to one. […] Key Method: (2) Find the shortest nonzero vector in an n-dimensional lattice…
On the hardness of the shortest vector problem
It is proved that the shortest vector problem is NP-hard (for randomized reductions) to approximate within some constant factor greater than 1 in any \(\ell_p\) norm (p ≥ 1).
Generating Hard Instances of the Short Basis Problem
  • M. Ajtai
  • Mathematics, Computer Science
  • 1999
It is shown that lattices of the same random class can be generated not only together with a short vector in them, but also together with a short basis, which may make the construction more applicable for cryptographic protocols.
The worst-case behavior of Schnorr's algorithm approximating the shortest nonzero vector in a lattice
  • M. Ajtai
  • Computer Science, Mathematics
    STOC '03
  • 2003
It is shown that if \(k = o(n)\), this bound on the performance of Schnorr's algorithm cannot be improved (apart from a constant factor in the exponent), namely there is a lattice and a basis so that if they are given as an input to the algorithm then the resulting approximating factor of the output is at least \(k^{\epsilon n/k}\).
An LLL Algorithm for Module Lattices
This work introduces an algorithm that efficiently finds short vectors in rank-n modules when given access to an oracle that finds short Vector Problem oracle for a lattice that depends only on K and provides a generalization to R-modules contained in \(K^n\) for arbitrary number fields K and dimension n.
The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract)
  • M. Ajtai
  • Mathematics, Computer Science
    STOC '98
  • 1998
There is a probabilistic Turing-machine which in polynomial time reduces any problem in NP to instances of the shortest vector problem, provided that it can use an oracle which returns the solution of the longest vector problem if an instance of it is presented (by giving a basis of the corresponding lattice).
Closest Vectors, Successive Minima, and Dual HKZ-Bases of Lattices
In this paper we introduce a new technique to solve lattice problems. The technique is based on dual HKZ-bases. Using this technique we show how to solve the closest vector problem in lattices with
On the complexity of computing short linearly independent vectors and short bases in a lattice
The strongest result in this direction states that under reasonable complexity-theoretic assumptions, approximating the length of a shortest set of linearly independent vectors (shortest basis) within a factor of n/a is not NP-hard.
Lattices that admit logarithmic worst-case to average-case connection factors
An average-case problem that is as hard as finding γ(n)-approximate shortest nonzero vectors in certain n-dimensional lattices in the worst case is exhibited, and reductions between various worst-case problems on ideal lattices are given, showing for example that the shortest vector problem is no harder than the closest vector problem.
Low-Dimensional Lattice Basis Reduction Revisited (Extended Abstract)
The analysis, based on geometric properties of low-dimensional lattices and in particular Voronoï cells, arguably simplifies Semaev’s analysis in dimensions two and three, and unifies the cases of dimensions two, three and four, but breaks down in dimension five.
An Efficient Quantum Algorithm for a Variant of the Closest Lattice-Vector Problem
A quantum algorithm is designed that can efficiently solve a variant of the bounded-distance-decoding problem and invalidate one of the security assumptions of the Learning-with-Errors (LWE) cryptosystem against quantum attacks.


Generating Hard Instances of Lattice Problems
  • M. Ajtai
  • Mathematics, Computer Science
    Electron. Colloquium Comput. Complex.
  • 1996
We give a random class of lattices in \(\mathbb{Z}^n\) so that, if there is a probabilistic polynomial time algorithm which finds a short vector in a random lattice with a probability of at least 1/2 then there is
Solving low density subset sum problems
  • J. Lagarias, A. Odlyzko
  • Computer Science, Mathematics
    24th Annual Symposium on Foundations of Computer Science (sfcs 1983)
  • 1983
This method gives a polynomial time attack on knapsack public key cryptosystems that can be expected to break them if they transmit information at rates below \(d_c(n)\), as n → ∞.
Factoring polynomials with rational coefficients
In this paper we present a polynomial-time algorithm to solve the following problem: given a non-zero polynomial \(f \in \mathbb{Q}[X]\) in one variable with rational coefficients, find the decomposition of f into
An Introduction to the Geometry of Numbers
Notation Prologue Chapter I. Lattices 1. Introduction 2. Bases and sublattices 3. Lattices under linear transformation 4. Forms and lattices 5. The polar lattice Chapter II. Reduction 1. Introduction
Geometric Algorithms and Combinatorial Optimization
0. Mathematical Preliminaries.- 0.1 Linear Algebra and Linear Programming.- Basic Notation.- Hulls, Independence, Dimension.- Eigenvalues, Positive Definite Matrices.- Vector Norms, Balls.- Matrix
On Breaking the Iterated Merkle-Hellman Public-Key Cryptosystem
Despite the widespread interest in the area, the years have produced no other public-key cryptosystems which have attracted widespread interest.
Breaking Iterated Knapsacks
An outline of an attack that is used successfully to break iterated knapsacks is presented, although it is not provided that the attack almost always works.
Efficient cryptographic schemes provably as secure as subset sum
  • R. Impagliazzo, M. Naor
  • Computer Science, Mathematics
    30th Annual Symposium on Foundations of Computer Science
  • 1989
We show very efficient constructions for a pseudorandom generator and for a universal one-way hash function based on the intractability of the subset-sum problem for certain dimensions. (Pseudorandom