[ACM Press the twenty-ninth annual ACM symposium - El Paso, Texas, United States...


A Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence

Miklós Ajtai * and Cynthia Dwork *

Abstract

We present a probabilistic public key cryptosystem which is secure unless the worst case of the following lattice problem can be solved in polynomial time: "Find the shortest nonzero vector in an $n$ dimensional lattice $L$ where the shortest vector $v$ is unique in the sense that any other vector whose length is at most $n^c \|v\|$ is parallel to $v$."

1 Introduction

The unique shortest vector problem (u-SVP) is to find the shortest nonzero vector in an $n$ dimensional lattice $L$ where the shortest vector $u$ is unique in the sense that any other vector whose length is at most $n^c \|u\|$ is parallel to $u$. We present a public key cryptosystem generator with the property that if a random instance of the cryptosystem can be broken, that is, if for a random instance the probability that an encryption of a zero can be distinguished from an encryption of a one (without the private key) in polynomial time is at least $\frac{1}{2} + n^{-c_1}$ for some absolute constant $c_1 > 0$, then the worst-case unique shortest vector problem has a probabilistic polynomial time solution. The unique shortest vector problem is one of the three famous problems listed in [1]. There, a random method is given to generate hard instances of a particular lattice problem so that if it has a polynomial time solution then all three worst-case problems (including the unique shortest vector problem) have a polynomial time solution. To our knowledge, this is the only public key cryptosystem with the property that breaking a random instance is as hard as solving the worst-case instance of the problem on which the system is based.

Our approach also yields a conceptually simple and extremely natural pseudo-random generator.

Outline of the Construction. Very roughly speaking, an instance of the cryptosystem is a collection of hidden hyperplanes, which form the private key, together with a method of generating a point guaranteed to be near one of the hyperplanes in the collection, which forms the public key. The public key is chosen so as not to reveal the collection of hyperplanes; indeed, any ability, given the public key, to discover the collection implies the ability to solve the worst-case unique shortest vector problem. We fix a large $n$-dimensional cube $Q \subseteq \mathbb{R}^n$. Encryption is bit-by-bit: zero is encrypted by using the public key to find a random vector $v \in Q$ near one of the hyperplanes; the ciphertext is $v$. One is encrypted by choosing a random vector $u$ uniformly from $Q$; the ciphertext is simply $u$. Decryption of a ciphertext $z$ is performed using the private key to determine the distance of $z$ to the nearest hidden hyperplane. If this distance is sufficiently small, then $z$ is decrypted as zero; otherwise $z$ is decrypted as one. There is a small (but polynomial) probability of an error in decryption: an encryption of one may be decrypted as zero.

* Miklós Ajtai and Cynthia Dwork: IBM Almaden Research Center, Dept. K53/B2, 650 Harry Rd., San Jose, CA 95120; e-mail: {ajtai,dwork}@almaden.ibm.com

We present three separate cryptosystems; the third is the system just described. The first has the most compact public key; its correctness depends on the hardness of random instances of a certain subset of instances of the unique shortest vector problem. The second has a less compact public key, but its correctness depends only on the hardness of random instances of the unique shortest vector problem (that is, we are no longer restricted to a subset). The third has the least compact public key; however, its correctness relies only on the hardness of the worst-case unique shortest vector problem.

In the first two constructions the hyperplanes are obtained by regarding the unique shortest vector $u$ in lattice $\Lambda$ as a linear functional inducing the collection of hyperplanes $H_i = \{v \mid u \cdot v = i\}$ for each $i \in \mathbb{Z}$. The private key is a basis for $H_0$. Every point in $L = \Lambda^*$ (the dual of $\Lambda$) is on one of the $H_i$. The public key is a random basis for $L$, together with an additional parameter $R$. In these schemes, a point near a hyperplane (an encryption of zero) is obtained by choosing a random point in $L$ and perturbing it slightly (using $R$). In the third construction we omit the lattice: $u$ is chosen uniformly at random from the unit $n$-dimensional ball and the $H_i$ are defined exactly as above. The public key is a collection of random points, themselves near the $H_i$. A point near a hyperplane is obtained by summing a random subset of the published points.

Several proofs have been omitted from these proceedings for lack of space. Full proofs are available through the Electronic Colloquium on Computational Complexity [2].


Independent of our work, Goldreich, Goldwasser, and Halevi obtained a completely different lattice-based public-key cryptosystem and digital signature scheme, whose security is based on the complexity of lattice reduction problems [7].

2 Definitions

The fundamental concepts concerning lattices and public-key cryptosystems can be found in [4, 5, 6, 8, 9, 10].

A lattice in $\mathbb{R}^n$ is a set of the form

$$L = L(b_1, \ldots, b_n) = \Big\{ \sum_{i=1}^{n} \lambda_i b_i \;\Big|\; \lambda_i \in \mathbb{Z},\ i = 1, \ldots, n \Big\},$$

where $b_1, \ldots, b_n$ is a basis of $\mathbb{R}^n$. We say that $(b_1, \ldots, b_n)$ is a basis of $L$. The length of a vector $x = (x_1, \ldots, x_n) \in \mathbb{R}^n$, denoted $\|x\|$, is $(x_1^2 + \cdots + x_n^2)^{1/2}$. The length of the basis $(b_1, \ldots, b_n)$ is the length of the longest basis vector, $\max_{i=1}^{n} \|b_i\|$. The determinant of $L$, denoted $\det(L)$, is the absolute value of the volume of the parallelepiped with sides $b_1, \ldots, b_n$, where $b_1, \ldots, b_n$ is any basis for the lattice: $\det(L) = |\det(b_1, \ldots, b_n)|$.

The dual lattice of $L$, denoted $L^*$, is defined as

$$L^* = \{ x \in \mathbb{R}^n \mid x^T y \in \mathbb{Z} \text{ for all } y \in L \}.$$

If $(b_1, \ldots, b_n)$ is a basis of $L$ then $(c_1, \ldots, c_n)$ is a basis for $L^*$, where

$$c_i^T b_j = \begin{cases} 1 & \text{if } i = j, \\ 0 & \text{if } i \neq j. \end{cases}$$

If $a_1, \ldots, a_n \in \mathbb{R}^n$ are linearly independent vectors, then $P^{-}(a_1, \ldots, a_n)$ denotes the half-closed parallelepiped

$$\Big\{ \sum_{i=1}^{n} \gamma_i a_i \;\Big|\; 0 \le \gamma_i < 1,\ i = 1, \ldots, n \Big\}.$$

Let $P_1$ and $P_2$ denote two probability distributions and let $\Omega$ be a $\sigma$-field. The distance between $P_1$ and $P_2$ is

$$\sup_{A, B \in \Omega,\ A \cap B = \emptyset} \big\{ |P_1(A) - P_2(A)| + |P_1(B) - P_2(B)| \big\}.$$

The $n$ dimensional ball of radius $R$, denoted $S^n(R)$, is the set of vectors $x \in \mathbb{R}^n$ such that $\|x\| \le R$.

3 (d, M)-Lattices

Assume $n$ is a positive integer, $M > 0$, $d > 0$ are real numbers, and $L \subseteq \mathbb{Z}^n$ is a lattice which has an $n-1$ dimensional sublattice $L'$ with the following properties:

1. $L'$ has a basis of length at most $M$;

2. if $H$ is the $n-1$ dimensional subspace of $\mathbb{R}^n$ containing $L'$ and $H' \neq H$ is a coset of $H$ intersecting $L$, then the distance of $H$ and $H'$ is at least $d$.

Then we say that $L$ is a $(d, M)$-lattice. If $d > M$, then $L'$ is unique. In this case $L'$ will be denoted by $L^{(d,M)}$. The minimum distance between $H$ and a coset of $H$ intersecting $L$ will be denoted $d_L$.

Let $c > 5$ be a real number, and let $\mathcal{L}$ be a distribution on the set of $(d, M)$ lattices for which $d > n^c M$ and $d \le d_L < 2d$. The hidden hyperplane assumption for $\mathcal{L}$ says that, given a basis for a random $(d, M)$ lattice $L \in_R \mathcal{L}$, it is computationally infeasible to compute $L^{(d,M)}$.

The hidden hyperplane assumption is related to the unique shortest vector problem as follows. If $\Lambda$ is a lattice with an $n^c$-unique shortest vector $u$, then $L = \Lambda^*$ is a $(d, M)$ lattice for some $d \ge n^{c'} M$ and $d_L = \|u\|^{-1}$ (by arguments in [1], $c' = c - 2$). Let $H = H_0$ be the $n-1$ dimensional subspace of $\mathbb{R}^n$ containing $L^{(d,M)}$, and in general let $H_i = \{v \mid u \cdot v = i\}$. Then $u$ is orthogonal to $H$ (because the inner product of $u$ with any vector in $H$ is 0), and the distance between adjacent $H_i$ is $\|u\|^{-1}$. Thus, knowing $H$ reveals the direction of $u$, and, by computing the gcd of the distances to $H$ of random points in $L$, $d_L$ can be computed in probabilistic polynomial time, yielding $\|u\|$ (and hence, $u$).

In all three cryptosystems the value one is encrypted by choosing a random point uniformly in a particular region in $\mathbb{R}^n$ (the exact region depends on the scheme), the value zero is encrypted by choosing a random point close to one of the hyperplanes (the exact method depends on the scheme), and decryption is performed by using the unit vector orthogonal to $H_0$ to determine the distance of the ciphertext from the nearest $H_i$. If the distance is small then the ciphertext is interpreted as zero; otherwise it is decrypted as one.

In the first cryptosystem, the public key is a random basis of a $(d, M)$ lattice where the length of the random basis is greater than $d_L$ by only a polynomial (in $n$) factor. Using this constraint on the length of the basis in the public key, we prove that the ability to distinguish encryptions of zero from encryptions of one yields the ability to find $H$ (and hence, $u$).

In the second cryptosystem we remove the constraint on the length of the published basis for $L$. We show that the ability to distinguish encryptions of zero from encryptions of one yields the ability to construct $n-1$ mutually orthogonal long vectors very close to $H$, from which it is possible to find $H$ exactly (and hence, $u$).

In the third cryptosystem no lattice is presented; rather, the public key is a set of random points near the hyperplanes induced by a random vector $u$ in the $n$-dimensional unit ball. The sum of a random subset of these points is itself close to a hyperplane; an encryption of zero is such a random subset sum, reduced modulo a certain parallelepiped determined by the public key. We introduce additional machinery to prove that every instance of the $n^c$-unique shortest vector problem can with overwhelming probability be efficiently transformed into a random instance of the third cryptosystem, for which the ability to distinguish encryptions of zero from encryptions of one yields the unique shortest vector. This proof is built on the results that we proved about the first and second systems.

We remark that, in this first paper, we have made no attempt to optimize the efficiency of the cryptosystem. However, there are several ways in which the system can be improved.

4 First and Second Cryptosystems

The Key Pair Generation Procedure

1. Generate a random $n-1$ dimensional lattice $L'$ having a basis $(b_1, \ldots, b_{n-1})$ such that $\|b_i\| \le M$; for example, we can use the random class given in [1]. Let $H$ be the $n-1$ dimensional subspace containing $L'$.

2. Choose $d > n^c M$.

3. Choose from a large cube (depends on choice of scheme) a random vector $b_n$ of distance $d \le d_L < 2d$ from $H$.

4. The private key is any basis for $L^{(d,M)}$.

5. Construct a random basis $B'$ for $L = L(b_1, \ldots, b_n)$. The public key is $(B', M)$.

The Encryption and Decryption Procedures

For $R \in \mathbb{R}$ and $m \in \mathbb{Z}$, let the perturbation $\mathrm{pert}(R, m)$ be the random variable whose value is the sum of $m$ vectors taken independently and with uniform distribution from the $n$ dimensional ball with radius $R$ around 0.

To encrypt zero, choose a random lattice point $v$ in the cube $KU^n$, where $U^n$ is the $n$ dimensional unit cube and $K \ge 2nd$. For $m = c_0 n$, $c_0 \ge 4$, and $R = n^3 M$, choose a value $w$ of $\mathrm{pert}(R, m)$. The ciphertext is $v + w$. To encrypt one, choose uniformly at random a point in $KU^n$; this point is the ciphertext.

Let $u_H$ be a unit vector orthogonal to the subspace $H$, and let $d_L$ be the distance between consecutive hyperplanes. To decrypt the ciphertext $z$, the receiver computes the fractional part of $(u_H \cdot z)/d_L$. If it is within a fixed small threshold of 0 or 1 then $z$ is decrypted as 0, and as 1 otherwise.
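As an added illustration (not code from the paper), the following toy Python model implements the decryption test just described: hidden hyperplanes $H_i = \{x : u_H \cdot x = i\,d_L\}$, an encryption of zero as a point on a random $H_i$ plus $\mathrm{pert}(R, m)$, an encryption of one as a uniform point of the cube $KU^n$, and decryption by the fractional part of $(u_H \cdot z)/d_L$. It assumes a decryption threshold of $mR/d_L$ (the largest displacement a perturbation can cause) and, as a simplification, places the hyperplane point using the private normal rather than a random lattice point from the public basis; the parameter values are constructed for the toy and do not follow the paper's asymptotic choices.

```python
import math
import random

# Toy model of the hyperplane encryption/decryption of Sections 3-4 (added
# example, not the paper's code). The hidden structure is a unit normal u_H
# and a spacing d_L: the hyperplanes are H_i = {x : <u_H, x> = i * d_L}.

def unit_vector(n, rng):
    """Random unit vector in R^n (Gaussian direction, normalized)."""
    v = [rng.gauss(0.0, 1.0) for _ in range(n)]
    norm = math.sqrt(sum(c * c for c in v))
    return [c / norm for c in v]

def ball_point(n, radius, rng):
    """Uniform point in the n-dimensional ball S^n(radius) around 0.
    Uses the direction/radius method instead of the coordinate-by-coordinate
    method of Section 5; both yield the uniform distribution on the ball."""
    direction = unit_vector(n, rng)
    r = radius * rng.random() ** (1.0 / n)
    return [r * c for c in direction]

def pert(radius, m, n, rng):
    """pert(R, m): the sum of m independent uniform points of S^n(R)."""
    total = [0.0] * n
    for _ in range(m):
        t = ball_point(n, radius, rng)
        total = [a + b for a, b in zip(total, t)]
    return total

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

class ToyHyperplaneScheme:
    def __init__(self, n, d_L, R, m, K, seed=0):
        self.n, self.d_L, self.R, self.m, self.K = n, d_L, R, m, K
        self.rng = random.Random(seed)
        # Private key: the unit normal u_H of H_0 (together with d_L).
        self.u_H = unit_vector(n, self.rng)
        # Decryption threshold (assumption of this toy): a perturbation moves a
        # point at most m*R away from its hyperplane, so every zero decrypts
        # correctly, while a uniform point is misread as zero with probability
        # about 2*tau (the "encryption of one decrypted as zero" error).
        self.tau = m * R / d_L
        assert self.tau < 0.5, "parameters leave no room for decryption"

    def point_on_hyperplane(self):
        """Random point of the cube K*U^n projected onto the nearest H_i.
        Simplification: the paper obtains such a point as a random lattice
        point from the public basis; here we use the private normal."""
        x = [self.rng.uniform(0.0, self.K) for _ in range(self.n)]
        i = round(dot(self.u_H, x) / self.d_L)        # index of nearest H_i
        offset = dot(self.u_H, x) - i * self.d_L      # signed distance to H_i
        return [c - offset * h for c, h in zip(x, self.u_H)]

    def encrypt(self, bit):
        if bit == 0:
            v = self.point_on_hyperplane()
            w = pert(self.R, self.m, self.n, self.rng)
            return [a + b for a, b in zip(v, w)]
        # Encryption of one: a uniform point of the cube K*U^n.
        return [self.rng.uniform(0.0, self.K) for _ in range(self.n)]

    def decrypt(self, z):
        """Fractional part of <u_H, z>/d_L; near 0 or 1 means 'zero'."""
        frac = (dot(self.u_H, z) / self.d_L) % 1.0
        return 0 if (frac < self.tau or frac > 1.0 - self.tau) else 1

def zero_always_decrypts(scheme, trials):
    """True if every encryption of zero decrypts as zero."""
    return all(scheme.decrypt(scheme.encrypt(0)) == 0 for _ in range(trials))

def one_error_rate(scheme, trials):
    """Fraction of encryptions of one that (wrongly) decrypt as zero."""
    errors = sum(scheme.decrypt(scheme.encrypt(1)) == 0 for _ in range(trials))
    return errors / trials

if __name__ == "__main__":
    # Constructed toy parameters: tau = m*R/d_L = 0.04, so about 8% of the
    # encryptions of one are expected to decrypt as zero.
    s = ToyHyperplaneScheme(n=6, d_L=200.0, R=1.0, m=8, K=1e4, seed=1)
    print("zero always decrypts:", zero_always_decrypts(s, 500))
    print("P[one -> zero] ~", one_error_rate(s, 2000), "expected ~", 2 * s.tau)
```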

5 Reduction for the First System

In this section we outline the proof that if we constrain the distribution $\mathcal{L}$ so that each $(d, M)$ lattice $L \in \mathcal{L}$ can be presented by a basis whose length exceeds $d_L$ by at most a polynomial (in $n$) factor, then the ability to distinguish encryptions of zero from encryptions of one yields the ability to solve the hidden hyperplane problem. This implies that the only way to break the cryptosystem is to find the private key.

Following [1], we assume there is a procedure which, given a basis $Y$ for $L$, samples lattice points within a cube whose side has length at least $n^{c_1} \|Y\|$ with distribution exponentially close to uniform. Details for the current setting appear in [2]. It is also possible to give such a procedure which defines a uniform distribution on $n^c Y$, using the fact that the points of a lattice parallelepiped form a finite Abelian group, whose order can be computed. Thus a uniform distribution can be defined on them by using a system of generators. We also frequently need to choose a vector $t$ uniformly from $S^n(R)$. This is done inductively, one coordinate at a time, beginning with the $n$th coordinate, using the fact that the probability density function describing the choice of the $k$th coordinate in a $k$ dimensional ball of radius $R_k$ is as follows: the probability of choosing the $k$th coordinate to have a value of at least $x$ is

$$\frac{\int_{x}^{R_k} (R_k^2 - r^2)^{(k-1)/2}\, dr}{\int_{-R_k}^{R_k} (R_k^2 - r^2)^{(k-1)/2}\, dr}.$$

5.1 Indistinguishability of Distributions

We assume a model in which for some constants $e_0$ and $e_1$, a $2^{-n^{e_0}}$ approximation to a real can be obtained in time $O(n^{e_1})$.

Let $L$ be a lattice and let $K > 0$, $R > 0$ be real numbers. The random variable $\xi_{L,K,R}$ is defined in the following way: we choose a point $x$ uniformly at random from $KU^{(n)} \cap L$, where $U^{(n)}$ is the unit cube in $\mathbb{R}^n$, and we choose a value $w$ of $\mathrm{pert}(R, m)$, where $m = c_0 n$ for some $c_0 \ge 4$. The value of $\xi_{L,K,R}$ is $x + w$.

Suppose that the real number $c > 5$ and the positive integers $n, d, M, K, R$, $d > n^c M$, are given, and $\mathcal{L}$ is a distribution on $(d, M)$-lattices in $\mathbb{Z}^n$. We say that a probabilistic algorithm $\mathcal{A}$ finds $L^{(d,M)}$ on $\mathcal{L}$ with a probability $p$ if, given as input a description of $\mathcal{L}$ (including $d$ and $M$) and $L \in \mathcal{L}$, $\mathcal{A}$ outputs $L^{(d,M)}$ with probability $p$, where the probability is taken both for the randomization of $L$ and for the randomization in $\mathcal{A}$. Sometimes we will allow $\mathcal{A}$ to use an oracle. In this case each use of the oracle will be counted as one time unit in the definition of the time used by $\mathcal{A}$.

Let $\nu_{L,K,R}$ be defined in the following way. We randomize $J \in \{0, 1\}$, $\xi_{L,K,R}$ and $\eta_K$ (a point chosen uniformly at random from $KU^{(n)}$) independently. If $J = 0$, then $\nu_{L,K,R} = \eta_K$; if $J = 1$ then $\nu_{L,K,R} = \xi_{L,K,R}$. Suppose that the real number $c > 5$ and the positive integers $n, d, M, K, R$, $d > n^c M$ are given, and $\mathcal{L}$ is a distribution on $(d, M)$-lattices in $\mathbb{Z}^n$. We say that the probabilistic algorithm $\mathcal{A}$ distinguishes $\xi_{L,K,R}$ and $\eta_K$ on $\mathcal{L}$ with a probability $p$ if, given a description of $\mathcal{L}$, $L \in_R \mathcal{L}$, and a random value of $\nu_{L,K,R}$ as an input (together with $n, M, d, K, R$), $\mathcal{A}$ outputs a $0, 1$ value $w$ so that $P(w = J) = p$. Note that in polynomial time $\mathcal{A}$ sees only polynomially many (in $n$) bits of its input.

Theorem 5.1 There exist $c, c_4, c_5, c_6 > 0$ so that for all $c_1 > 0$, $c_2 > 0$ there exists $c_3 > 0$ and a probabilistic algorithm $\mathcal{B}$ (using an oracle) so that if $n, d, M, K, R$ are positive integers satisfying the inequalities (1) $\log d + \log M + \log K + \log R < n^{c_1}$, (2) $d > n^c M$, (3) $R > n^c M$, (4) $2c_5 nd > K > 2c_4 nd$, and $\mathcal{L}$ is a distribution on the set of $(d, M)$ lattices in $\mathbb{Z}^n$ presented by vectors of length at most $n^{c_2} d_L$ and for which $d_L > n^5 M$ and $d \le d_L \le 2d$, and $\mathcal{A}$ is a probabilistic algorithm which distinguishes $\xi_{L,K,R}$ and $\eta_K$ on $\mathcal{L}$ with probability at least $\frac{1}{2} + n^{-c_1}$, then $\mathcal{B}$, using $\mathcal{A}$ as an oracle, finds $L^{(d,M)}$ on $\mathcal{L}$ with a probability at least $1 - 2^{-n}$, in time $n^{c_3}$.

Proof (Sketch): Let $L \in_R \mathcal{L}$ be presented by a basis $(b_1, \ldots, b_n)$ of length at most $n^{c_2} d_L$. Strictly speaking, as described above, we must charge time $O(n^{e_1})$ for $\mathcal{B}$ to access a $2^{-n^{e_0}}$ approximation to a real input. For simplicity, we describe $\mathcal{B}$ as if it and $\mathcal{A}$ could access any real in a single step.

Algorithm $\mathcal{B}$ works as follows. Let $K' = n^c d_L$. Choose a polynomial (in $n$) number of random lattice points $p_1, \ldots, p_{m'} \in K'U^n$. (This is where we use the assumption that $L$ is presented by a basis of length at most polynomial in $n$ larger than $d$.) For $1 \le i < j \le m'$, let $a_{ij} = p_i - p_j$.

Note that $K'U^n$ is intersected by at most $n^c$ cosets $H'$ of $H$ intersecting $L$, where $H = H_0$ is the $n-1$ dimensional subspace of $\mathbb{R}^n$ containing $L^{(d,M)}$. Let $H'$ be a coset of $H$ whose intersection with $K'U^n \cap L$ is maximal. The number of differences $a_{ij}$ such that $p_i$ and $p_j$ are both in $H'$ is at least $\binom{m'/n^c}{2}$, so a polynomial fraction of the $a_{ij}$ are in $H$. The key idea, described below, is to use $\mathcal{A}$ to determine which of the differences $a_{ij}$ are in $H$. By doing so, if $m'$ is sufficiently large, then, by arguments appearing in [1], $\mathcal{B}$ will find a basis for $H$ among the $a_{ij}$.

Testing for Containment in H

Let $L^{(d,M)} = L(b_1, \ldots, b_{n-1})$, where $\max_{1 \le i \le n-1} \|b_i\| \le M$, and let $P' = P^{-}(b_1, \ldots, b_{n-1})$. Let $w$ be a value of $\mathrm{pert}(R, m)$. The heart of the reduction, whose proof is sketched below, is that the distribution of the projection of $w$ reduced modulo $(b_1, \ldots, b_{n-1})$ into the lattice parallelepiped $P'$ is almost uniform, even with the condition that $w$ lies in a strip of arbitrarily small width $\varepsilon > 0$ ($\varepsilon$ may depend on $n$) not too far from the hyperplane $H$. Intuitively, it follows that the only information contained in a ciphertext is its distance from the nearest $H_i$.

Each $v \in \{a_{ij} \mid 1 \le i < j \le m'\}$ induces a probability distribution as follows. Let $u$ be a random variable with uniform distribution on $KU^n \cap L$, let $\alpha$ be a random variable distributed uniformly in $[0, 1]$, and let $w = \mathrm{pert}(R, m)$. Define the random variable $\delta_v = u + \alpha v + w$. It follows from the uniformity of the projection of $w$ onto $H$ (modulo $P'$) that the distributions obtained by projecting $\delta_v$ and $\xi_{L,K,R}$ onto $H$ are almost uniformly distributed on the projection of $KU^n$ on $H$, independent of whether or not $v \in H$. Moreover, this is true even if we restrict the distributions to the case in which $w$ lies in a strip $\sigma$ not too far from $H$.

If $v \in H$, then $u + \alpha v \in H'$, where $H'$ is the coset of $H$ containing $u \in L$. In this case, if $v$ is not too long, then $u + \alpha v + w$ has essentially the same distribution as $\xi_{L,K,R}$: each depends only on the distance from $H$ of its respective copy of $\mathrm{pert}(R, m)$. If $v \notin H$, then since with all but exponentially small probability $u$ and $v$ are not in the same coset of $H$, the signed distance of $u + \alpha v$ to the nearest coset of $H$ is uniformly distributed in $(-d_L/2, d_L/2]$; so if $v$ is not too long then $\delta_v$ has essentially the same distribution as $\eta_K$. Thus, the assumed ability of $\mathcal{A}$ to distinguish $\xi_{L,K,R}$ from $\eta_K$ reveals whether or not $v \in H$.

We now sketch the proof that the only information contained in a ciphertext is its distance from the nearest coset of $H$. In particular, we show that the distribution of the projection of encryptions of zero onto $H$ is essentially uniform, even conditioned on the perturbation $\mathrm{pert}(R, m)$ lying in an arbitrarily thin strip not too far from $H$. Tile $H$ with copies of $P'$. The key to the intuition is as follows. In computing $\mathrm{pert}(R, m) = \sum_{i=1}^{m} t_i$, we write $t_i = r_i + s_i$, where $r_i$ is the component orthogonal to $H$. If we first randomize $r_i$, then $s_i$ is chosen from the $(n-1)$-dimensional ball of radius $\sqrt{R^2 - \|r_i\|^2}$. If $r_i$ is not too large then with high probability $s_i$ is contained in a tile that lies wholly inside this $(n-1)$-dimensional ball and hence $s_i$ is chosen uniformly modulo $P'$. In computing $\mathrm{pert}(R, m)$ we pick sufficiently many $t_i$ that, with very high probability, this "good" case happens at least once. Finally, by first randomizing the $t_i$ and then randomizing the choice of lattice point $u$, we see that the projection onto $H$ of the sum $u + t_i$ is uniform over choice of copy of $P'$ as well as within the copy.

Lemma 5.1 Let $w = \sum_{i=1}^{m} t_i$, where each $t_i$ is chosen at random from $S^n(R)$. There is a $c > 0$ and $n_0$ so that if $n \ge n_0$ and $R$ are fixed, $\varepsilon > 0$, and $I$ is an interval of length $\varepsilon$ contained in [– ~, ~], then the following holds. For $1 \le i \le m$, let $\zeta_i$ be the signed distance from $H$ to $t_i$. Let us assume a coordinate system in which we can write $t_i = r_i + s_i$, where $r_i = (0, 0, \ldots, 0, \zeta_i)$. Let $G$ be the event "there are at least ~ integers $i$ in $[1, m]$ such that $s_i$ is chosen from an $n-1$ dimensional ball of radius at least $n^2 M$." Let $\eta = \sum_{i=1}^{m} \zeta_i$. Then the conditional probability of $G$ with the condition $\eta \in I$ is at least $1 - 2^{-cm}$.

Proof: For each fixed positive integer $k$ and for each real number $x$, let $p_k(x)$ be the probability of $x + \sum_{i=1}^{k} \zeta_i \in I$. We prove by induction on $k$ that

(1) the function $p_k(x)$ is symmetric to the midpoint of $I$ and monotone decreasing in both directions as we get farther from this midpoint.

Since the distribution of $\zeta_i$ is symmetric to 0, the symmetricity is trivial. Let $\chi$ be the density function of $\zeta_i$. Then for all $x$ we have $p_k(x) = \int_{-\infty}^{\infty} \chi(y - x)\, p_{k-1}(y)\, dy$. $\chi(y - x)$ is symmetric to $x$ (as a function of $y$) and $p_{k-1}(y)$ is symmetric to the midpoint of $I$. Both functions are monotone decreasing as we go away from their point of symmetry.

We use the following general statement about symmetric functions. Suppose that $f_0, f_1$ are symmetric to 0 and for all $x, y$, $|x| < |y|$ implies $f_i(x) \ge f_i(y)$ for $i = 0, 1$. Then for any $0 \le x \le w$ we have

$$\int_{-\infty}^{\infty} f_0(y)\, f_1(y + w)\, dy \le \int_{-\infty}^{\infty} f_0(y)\, f_1(y + x)\, dy,$$

provided that both integrals are finite. The statement is trivial if both $f_0$ and $f_1$ are the characteristic functions of finite intervals. Any other functions with the given properties can be approximated with the sum of such functions, so using the distributivity we get the inequality.

Using (1) we may conclude the proof in the following way. Let $\eta_i = \sum_{j < i} \zeta_j$. In the following, probabilities always mean probabilities with the condition $\eta \in I$. For each $i = 1, \ldots, m$ we define an event $A_i$ depending only on the values of $\eta_i$ and $\zeta_i$ so that

(2) the conditional probability of $A_i$ with any condition on $\eta_i$ is at most ~.

Let $Y$ be the event that $A_i$ holds for more than $m/10$ values of $i$. (2) implies:

(3) the probability of $Y$ is smaller than $2^{-c'm}$ for some absolute constant $c' > 0$ (see, e.g., Corollary 7.1 of [3]).

Finally we will show that for any values of $\zeta_1, \ldots, \zeta_m$ with $|\zeta_i| \le R$, $i = 1, \ldots, m$, we have that $\neg Y$ implies $G$. This together with (3) implies the assertion of the lemma.

Definition of $A_i$: Let $\alpha$ be the midpoint of $I$. $A_i$ holds if $|\zeta_i| \ge (1 - {\sim})R$ and at least one of the following conditions holds:

(4) $|\alpha - \eta_{i+1}| > |\alpha - \eta_i|$;

(5) $|\alpha - \eta_i| < {\sim}R$.

We estimate $P(A_i)$ in cases (4) and (5) separately, using the monotonicity of $p_{m-i}$ and the explicit formula for $\chi$. To compute the probability that $A_i$ holds with $|\alpha - \eta_{i+1}| > |\alpha - \eta_i|$, conditioned on $\eta \in I$, we randomize $\zeta_i$, compute the probability that in the remaining $m - i$ steps we get to $I$, and multiply by $p_\eta$, the probability that $\eta \in I$. Since we don't know $p_\eta$ we instead bound the ratio of two conditional probabilities, both conditioned on $\eta \in I$ (so that the $p_\eta$ terms cancel).

Suppose $\eta_i < \alpha$ (the case $\eta_i > \alpha$ is analogous). Let $J$ be the interval $[\eta_i - R,\ \eta_i - R(1 - {\sim})]$. Then the (conditioned) probability of reaching $I$ through $J$ (that is, the first step is in $J$) is $p_\eta \int_J \chi(\eta_i - y)\, p_{m-i}(y)\, dy$. Similarly, letting $J'$ be the interval $[\eta_i - R({\sim}),\ \eta_i]$, the conditional probability of reaching $I$ through $J'$ is $p_\eta \int_{J'} \chi(\eta_i - y)\, p_{m-i}(y)\, dy$. A simple calculation yields

Since $p_\eta \int_{J'} \chi(\eta_i - y)\, p_{m-i}(y)\, dy$ is a conditional probability, it is bounded above by 1, so in this case $P(A_i)$ is clearly bounded by $1/40$ (for $n$ sufficiently large), and therefore, allowing also for the case $\eta_i > \alpha$, the conditional probability of $A_i$ in case (4) above is at most $1/20$. The conditional probability of $A_i$ in case (5) above is measured similarly.

In the remainder of the proof we show that $\neg Y \wedge \neg G$ is impossible. Intuitively, $\neg Y \wedge \neg G$ would imply that for most of the integers $i \in [1, m]$, $\eta_{i+1}$ would be closer to $\alpha$ than $\eta_i$ by at least $(1 - {\sim})R$, that is, $\eta_i$ would move toward $\alpha$ with large steps, but according to (5) it would only rarely get close to $\alpha$.

Let us assume $\neg G \wedge \neg Y$. Focusing first on the more than ~ values of $i$ for which $\zeta_i$ is large (from $\neg G$), we have that for at most ~ of these values of $i$, either $\zeta_i$ moves away from $\alpha$ or $\eta_i$ is close to $\alpha$ (from $\neg Y$).

We break the sequence $(\eta_1, \zeta_1), (\eta_2, \zeta_2), \ldots, (\eta_m, \zeta_m)$ into intervals so that in alternate intervals $\eta_i$ is far from $\alpha$, and alternately, close to $\alpha$. The integers $j_x$ defined next are the endpoints of these intervals: $j_0 = 0$; for $x \ge 0$, $j_{2x+1} = \min_{i > j_{2x}} \{ i \mid \eta_i \text{ is close to } \alpha \}$; for $x \ge 0$, $j_{2x+2} = \min_{i > j_{2x+1}} \{ i \mid \eta_i \text{ is far from } \alpha \}$.

Let $y = {\sim}$ and let $z = {\sim}$. Let $D = |\{ i \text{ s.t. } (\zeta_i \text{ is large and } \zeta_i \text{ moves away from } \alpha) \text{ or } (\zeta_i \text{ is large and } \eta_i \text{ is close to } \alpha) \}|$. By assumption ($\neg Y$), $D \le my = {\sim}$. Let $S = |\{ i \text{ s.t. } \zeta_i \text{ is small} \}|$. By assumption ($\neg G$), $S < (1 - z)m = {\sim}$. For $0 \le x$, the $x$th far interval is the interval $(j_{2x},\ j_{2x+1} - 1]$ (by definition $\eta_i$ is far from $\alpha$ for all $i$ in this range). Let $k$ be the number of far intervals. For $0 \le x \le k - 1$, let $\beta_x$ denote the fraction ~ times the number of small steps during the $x$th far interval; more formally,

For $0 \le x \le k - 1$, let $\gamma_x$ denote the fraction ~ times the number of large steps away from $\alpha$ during the $x$th far interval; formally,

Finally, let $\omega_0$ be a binary variable with value 1 if and only if $0 = \eta_1$ is close to $\alpha$, $\eta_2$ is far from $\alpha$, and $\zeta_1$ is large and moves toward $\alpha$; in general, for $0 \le x \le k - 1$, let $\omega_x$ be the binary variable with value 1 if and only if $\zeta_{j_{2x} - 1}$ is large and moves toward $\alpha$ (note that by definition $\eta_{j_{2x} - 1}$ is close to $\alpha$, so the $\omega_x$ are counting large steps toward $\alpha$ that move the walk from close to $\alpha$ to far from $\alpha$).

Let $q = {\sim} / ((1 - {\sim})R) \le 2{\sim}$ (provided $n \ge 2$). Then at most $q$ large steps are needed to walk directly (without interruption) from $0 = \eta_1$ to $\alpha$. Since $(1 - {\sim})^{-1} \le 2$, at most two large steps toward $\alpha$ are required to compensate for a single large step away from $\alpha$. Moreover, by definition, a large step is at least as large as a small step. Finally, for each large step toward $\alpha$ moving the walk from close to $\alpha$ to far from $\alpha$, at most one large step back toward $\alpha$ is needed to compensate. Using these facts and the definitions of the $\beta_x$, $\gamma_x$, and $\omega_x$, and letting $B$ denote the number of $i$ such that $\eta_i$ is far, $\zeta_i$ is large, and $\zeta_i$ moves toward $\alpha$ (i.e., the number of large steps taken toward $\alpha$ during the far intervals), we get

Note that if $\sum_{0 \le x \le k-1} \omega_x > ym$ then for strictly more than $ym = {\sim}$ values of $i$ we have case (5) of $A_i$ ($\eta_i$ is near $\alpha$ and $\zeta_i$ is large), so it follows from the assumption ($\neg Y$) that $\sum_{0 \le x \le k-1} \omega_x \le ym$. By definition $\sum_{0 \le x \le k-1} (2\gamma_x + \beta_x) \le 2D + S$, so $B \le q + 2D + S + ym$. However, from ($\neg Y \wedge \neg G$) we have that $B \ge (z - y)m$. Combining this with the bound on $B$ above, we get $q + 4ym + m > 2zm$, which is false for the values we have chosen ($q \le {\sim}$, $y = {\sim}$, $z = {\sim}$). ■

Lemma 5.2 Let $L = L(b_1, \ldots, b_n) \in_R \mathcal{L}$, where $L^{(d,M)} = L(b_1, \ldots, b_{n-1})$. Let $m = c_0 n$, for some $c_0 \ge 4$, let $R = n^3 M$, and let $P' = P^{-}(b_1, \ldots, b_{n-1})$. Assume each of $s_1, \ldots, s_m$ is chosen from an $n-1$ dimensional ball of radius at least $n^2 M$. For each $s_i$, let $G_i$ be the hyperplane parallel to $H$ containing $s_i$. If we tile each $G_i$ with copies of $P'$, then with probability at least 1 − 2^(−(~) log m) at least one of $s_1, \ldots, s_m$ is chosen from a tile completely contained in its respective ball. ■

Corollary 5.1 Let $L = L(b_1, \ldots, b_n) \in_R \mathcal{L}$, where $L^{(d,M)} = L(b_1, \ldots, b_{n-1})$. Let $m = c_0 n$, for some $c_0 \ge 4$, and let $R = n^3 M$. Let $P' = P^{-}(b_1, \ldots, b_{n-1})$. For $\varepsilon > 0$ and for any interval $I$ of length $\varepsilon$ contained in [– ~, ~], let $w = \sum_{i=1}^{m} t_i$ where each $t_i \in_R S^n(R)$. Then the distribution obtained by projecting $w$ onto $H$ modulo $P'$ differs from the uniform distribution on $P'$ by at most $2^{-c_1 m}$ for some $c_1 > 0$, even with the condition that the signed distance of $w$ to $H$ is in $I$. ■

Corollary 5.2 Let $L = L(b_1, \ldots, b_n) \in_R \mathcal{L}$, where $L^{(d,M)} = L(b_1, \ldots, b_{n-1})$. Let $m = c_0 n$, for some $c_0 \ge 4$, let $R = n^3 M$, and let $P' = P^{-}(b_1, \ldots, b_{n-1})$. Let $\varepsilon > 0$ and let $I$ be an interval of length $\varepsilon$ contained in [– ~, ~]. Consider the distribution $D$ obtained by choosing $p \in_R H$ and projecting $p + w$, where $w = \sum_{i=1}^{m} t_i$ and each $t_i \in_R S^n(R)$, onto $H$. Then the distance of $D$ from the uniform distribution on $H$ is at most $2^{-c_1 m}$, for some $c_1 > 0$, even conditioned on the signed distance of $w$ from $H$ being in $I$. Moreover, if $H'$ is any coset of $H$ intersecting $L$, then the lemma holds for any distribution for $p$ in which, if we tile $H$ with copies of $P'$, each copy of $P'$ is equally likely to contain $p$.

Proofi By Corollary 5.1, the distribution obtained by pro-jecting w onto H modulo P’ is within 2‘c’ m of the uniformdistribution on P’ for some c1 > 0. By randomizing thestarting point p we eliminate the need to reduce modulo ‘P’.■

The remaining details of the proof of Theorem 5.1 can be found in [2].

6 Extension to General Lattices

As before, we wish to show that if there is a probabilistic polynomial time machine that distinguishes $\xi_{L,K,R}$ from $\eta_K$ then, using the distinguisher, $H$ can be found in probabilistic polynomial time. However, if the lattice $L$ is presented by a basis of length greater than $n^c d$ for some $c > 0$ then the previous reduction fails: we can no longer sample lattice points inside a small cube. We get around this problem by using the distinguisher to help us find random short vectors very close to $H$, and then "growing" these into long vectors, still quite close to $H$. The growing takes place in stages; we use the distinguisher at every stage to recognize when a vector close to $H$ has been found.


The long vectors are then used to find an approximation to $H$. If the approximation is sufficiently good then the unit vector orthogonal to the approximation will be very close to the unit vector $u_H$ orthogonal to $H$. If the two unit vectors are sufficiently close then $u_H$ can be found by rounding the unit vector orthogonal to the approximation.

Growing Long Vectors

Let $\sigma$ denote the set of all points in $\mathbb{R}^n$ of distance at most $d_L$ from $H$. Each iteration has a starting point $s$ which for the first iteration is the origin, and in general will always be within distance $2d$ of $H$. Let $S(2\sqrt{n}\,d_L, s)$ be a ball of radius $2\sqrt{n}\,d_L$ around the starting point $s$. The goal is to find a point $v$ in $\sigma \cap S(2\sqrt{n}\,d_L, s)$ that is farther from the origin than $s$. Then $2v$ becomes the new starting point, and the process continues. Occasionally the procedure may err; this is eventually detected and the computation is backed up to an earlier starting point and repeated with different random choices.

In Section 5.1 we used the distinguisher to test lattice points $v$ to see if they are in $H$ or, instead, in one of the cosets of $H$ intersecting $L$; $v$ was tested by sampling the distribution $\delta_v = v + \alpha u + w$, and running $A$ on the samples. We will use the same test here, this time to distinguish points near $H$ from points outside of $\sigma$. Specifically, we have a way of choosing random points $v$ within distance $2d$ of $H$ and testing them such that: (1) if $v \notin \sigma$ then with high probability this is detected; (2) if $v$ is "very close" to $H$ then with high probability $v$ is recognized as being in $\sigma$; and (3) the probability that we find a $v \in \sigma$ that is not falsely detected as being outside of $\sigma$ is polynomial in $n^{-1}$.

Our goal is to construct an approximation $\tilde H$ to $H$ by finding $n-1$ mutually orthogonal long lattice vectors $v_1, \ldots, v_{n-1}$, say, of length at least $\ell$ for a suitably chosen $\ell$, at distance less than $d$ from $H$. Once we have found $v_1, \ldots, v_{i-1}$, we search for $v_i$ in the $n-i+1$ dimensional subspace $V^{n-i+1}$ of $\mathbb{R}^n$ orthogonal to $v_1, \ldots, v_{i-1}$, such that $v_i$ is close to $H \cap V^{n-i+1}$.

We now describe the general step of searching for the next starting point in the construction of a vector of length $\ell$ within distance $d_L$ of $H$.

Finding the Next Starting Point

Choose a random $v' \in S_n(2\sqrt{n}\,d_L)$ such that $\|s + v'\| > \|s\|$. Test if $s + v'$ is outside of $\sigma$, by testing each of $s + v'$, $s + \tfrac12 v'$, $s + \tfrac14 v'$, $\ldots$ to see if any is near a coset $H' \neq H$ intersecting $L$. (For any vector $v$ this test is accomplished by sampling from $\delta_v$.) If any multiple of $v'$ tests positive, then $v'$ is discarded and the procedure is repeated for a new random $v'$. If no test is positive and $\|s + v'\| \ge \ell$, then we set $v = s + v'$. If no test is positive but $\|s + v'\| < \ell$, then we set the next starting point to $2(s + v')$.

Theorem 6.1 There exist $c, c_4, c_5, c_6 > 0$ so that for all $c_1 > 0$, $c_2 > 0$ there exists $c_3 > 0$ and a probabilistic algorithm $B$ (using an oracle) so that if $n, d, M, K, R$ are positive integers satisfying the inequalities

(1) $\log d + \log M + \log K + \log R < n^{c_1}$,
(2) $n^{c_1} M > d > n^{c_4} M$,
(3) $R > n^{c} M$,
(4) $K > 2^{c_5} n d$,

and $\mathcal{L}$ is a distribution on $(d, M)$-lattices in $\mathbb{Z}^n$ presented by vectors in a cube of size $2^{n^{c_1}} d$, and $A$ is a probabilistic polynomial time algorithm which distinguishes $\xi_{L,K,R}$ and $\eta_K$ on $\mathcal{L}$ with a probability of at least $\tfrac12 + n^{-c_2}$, then $B$, using $A$ as an oracle, finds $L^{(d,M)}$ on $\mathcal{L}$ with a probability of at least $1 - 2^{-n}$, in time $n^{c_3}$.

Remarks. 1. Since $M$ is just an upper bound on the length of $L^{(d,M)}$ the requirement $n^{c_1} M > d$ does not restrict $L$. 2. The indistinguishability of $\xi_{L,K,R}$ from $\eta_K$ yields a pseudo-random number generator.

7 The Main Theorem: Worst-Case/Average-Case Equivalence

In this section we will use three constants, $D_1, D_2, D_3$. $K(n)$ will denote the function $2^{n \log n}$. We have made no attempt to choose these constants or the function in an optimal way in any sense.

As mentioned earlier, in the third cryptosystem the public key involves no lattice. Suppose that $u \in \mathbb{R}^n$, $0 < \|u\| \le 1$, $R > 0$, and $m$ is a positive integer. Let $Q$ be the $n$-dimensional cube $K U^{(n)}$. We define the random variable $\mathcal{H}'(u, R, m)$ in the following way: First let $X$ be the set of all $x \in Q$ so that $x \cdot u$ is an integer. $X$ consists of subsets of a finite number of $n-1$-dimensional hyperplanes, so the $n-1$ dimensional volume defined on these hyperplanes induces a probability measure on $X$. We take a random point $y$ on $X$. Independently we also take a value $z$ of $\mathrm{pert}(R, m)$. The value of $\mathcal{H}'(u, R, m)$ is $y + z$. Let $\mathcal{H} = \mathrm{round}_{2^{-n}}(\mathcal{H}')$, where for $y \in \mathbb{R}$ and $\alpha > 0$, $\mathrm{round}_\alpha(y) = i\alpha$, where $i$ is the largest integer with $i\alpha \le y$, and if $x = (x_1, \ldots, x_n) \in \mathbb{R}^n$ then $\mathrm{round}_\alpha(x) = (\mathrm{round}_\alpha(x_1), \ldots, \mathrm{round}_\alpha(x_n))$.

The private key is a random vector $u$ chosen with uniform distribution on the set $\{x \in \mathbb{R}^n \mid \|x\| \le 1\}$. The public key is a set of $m = n^{D_3}$ independent values $v_1, \ldots, v_m$ of the random variable $\mathcal{H}_{u, n^{-D_1}, n}$, so by definition, the values $v_i$ in the public key are small perturbations of points in the hyperplanes induced by $u$.

For the encryption of a message, the sender will need the smallest integer $i_0$ so that $\mathrm{width}(v_{i_0+1}, \ldots, v_{i_0+n})$ is at least $n^{-2} K$, where if $a_1, \ldots, a_n \in \mathbb{R}^n$, then $\mathrm{width}(a_1, \ldots, a_n)$ is the width of the parallelepiped defined by the vectors $a_1, \ldots, a_n$ (that is, the minimum of the distances between the point $a_i$ and the subspace generated by $\{a_j \mid j \neq i\}$, for $i = 1, \ldots, n$). We prove that, with a probability exponentially close to 1, $i_0 < \tfrac{m}{2}$. Since the value of $i_0$ does not depend on the message, we may consider $i_0$ to be part of the public key. Let $P = P(v_{i_0+1}, \ldots, v_{i_0+n})$.

An encryption of zero is obtained by computing the vector $z = \sum_{i=1}^{m} \delta_i v_i$, where each $\delta_i \in_R \{0, 1\}$, and reducing $z$ modulo $v_{i_0+1}, \ldots, v_{i_0+n}$ into $P^-$, that is, finding the unique vector $z'$ in $P^-(v_{i_0+1}, \ldots, v_{i_0+n})$ so that $z - z'$ is an integer linear combination of the vectors $v_{i_0+1}, \ldots, v_{i_0+n}$. The ciphertext is $z'$. Let the random variable $\mathcal{S}_{v_1, \ldots, v_m}$ be a random encryption of zero, as just described. An encryption of one is obtained by choosing a random point in $P^- \cap 2^{-n}\mathbb{Z}^n$, where $2^{-n}\mathbb{Z}^n$ is the set of all vectors of the form $2^{-n} b$, $b \in \mathbb{Z}^n$. Let the random variable $\mathcal{E}_{v_1, \ldots, v_m}$ be a random encryption of one, as just described. In light of the results for the first two cryptosystems, the intuition for indistinguishability of these two distributions is that encryptions of zero are themselves relatively small perturbations of points on the hyperplanes induced by $u$, while encryptions of one are just random points in space. For this system, however, we obtain the following worst-case/average-case hardness result.
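The key generation and the two encryption procedures just described, as an added toy implementation in Python; this is not code from the paper. Everything parameter-sized is constructed: the dimension, the cube side $K$, the perturbation radius $R$ and the key length $m$ are small constants rather than the paper's $n^{D_1}$, $n^{D_3}$ and $K = 2^{n \log n}$. Three further simplifications are assumed: a point on the hyperplanes $x \cdot u \in \mathbb{Z}$ is obtained by snapping a uniform cube point onto the nearest hyperplane instead of sampling the hyperplane pieces by volume; $\|u\|$ is drawn from $[\tfrac12, 1]$, the range the analysis conditions on; and the $2^{-n}$ grid rounding is omitted. The `decrypt` function applies the standard Ajtai-Dwork criterion (whether $u \cdot z'$ is close to an integer), which this page states only as the intuition that zero-encryptions lie near the hyperplanes; the `trial` function shows the one-sided error of that rule.

```python
import math
import random

# Constructed toy parameters: dimension, cube side K, perturbation radius R and
# public-key length m.  The paper uses n^{D_1}, n^{D_3} and K = 2^{n log n}.
N, K, R, M = 4, 1000.0, 1e-7, 40

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def axpy(alpha, x, y):
    """alpha * x + y for vectors given as lists."""
    return [alpha * xi + yi for xi, yi in zip(x, y)]

def norm(a):
    return math.sqrt(dot(a, a))

def width(vectors):
    """min_i dist(a_i, span{a_j : j != i}), the page's width(a_1, ..., a_n)."""
    best = float("inf")
    for i, v in enumerate(vectors):
        basis = []                      # orthogonal basis of the other vectors
        for w in vectors[:i] + vectors[i + 1:]:
            for b in basis:
                w = axpy(-dot(w, b) / dot(b, b), b, w)
            if norm(w) > 1e-9:
                basis.append(w)
        r = v
        for b in basis:                 # component of v orthogonal to the others
            r = axpy(-dot(r, b) / dot(b, b), b, r)
        best = min(best, norm(r))
    return best

def solve(columns, z):
    """Coefficients c with sum_j c_j * columns[j] = z (Gauss-Jordan with pivoting)."""
    n = len(z)
    a = [[columns[j][r] for j in range(n)] + [z[r]] for r in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[r][n] / a[r][r] for r in range(n)]

def keygen(rng):
    # Private key u: random direction, length drawn from [1/2, 1] (assumption:
    # the paper samples the whole unit ball and conditions on this range).
    g = [rng.gauss(0.0, 1.0) for _ in range(N)]
    scale = rng.uniform(0.5, 1.0) / norm(g)
    u = [scale * x for x in g]
    uu = dot(u, u)
    pub = []
    for _ in range(M):
        x = [rng.uniform(-K / 2, K / 2) for _ in range(N)]
        # Snap x onto the nearest hyperplane {y : y.u is an integer} (assumed
        # simplification), then add pert(R, .) noise of at most R per coordinate.
        y = axpy(-(dot(x, u) - round(dot(x, u))) / uu, u, x)
        pub.append([yi + rng.uniform(-R, R) for yi in y])
    # i_0: first block of n consecutive key vectors of width at least n^-2 K.
    i0 = next(i for i in range(M - N + 1) if width(pub[i:i + N]) >= K / N ** 2)
    return u, pub, i0

def reduce_mod(basis, z):
    """The unique z' in P^-(basis) with z - z' an integer combination of basis."""
    c = solve(basis, z)
    out = [0.0] * len(z)
    for cj, v in zip(c, basis):
        out = axpy(cj - math.floor(cj), v, out)
    return out

def encrypt(pub, i0, bit, rng):
    basis = pub[i0:i0 + N]
    if bit == 0:                        # random subset sum of the key, reduced into P^-
        z = [0.0] * N
        for v in pub:
            if rng.random() < 0.5:
                z = axpy(1.0, v, z)
        return reduce_mod(basis, z)
    out = [0.0] * N                     # bit 1: random point of P^- (2^-n grid omitted)
    for v in basis:
        out = axpy(rng.random(), v, out)
    return out

def decrypt(u, ct, tol=0.1):
    """Ajtai-Dwork decryption rule (not stated on this page): 0 iff u.ct is near an integer."""
    f = dot(u, ct)
    return 0 if abs(f - round(f)) < tol else 1

def trial(seed=7, count=100):
    """How many of `count` zero- and one-encryptions decrypt correctly."""
    rng = random.Random(seed)
    u, pub, i0 = keygen(rng)
    zeros_ok = sum(decrypt(u, encrypt(pub, i0, 0, rng)) == 0 for _ in range(count))
    ones_ok = sum(decrypt(u, encrypt(pub, i0, 1, rng)) == 1 for _ in range(count))
    return zeros_ok, ones_ok
```

With these parameters every encryption of zero decrypts correctly: $u \cdot z'$ differs from an integer by at most $(m + \sum_j |\lfloor c_j \rfloor|) \cdot 2R$, far below the tolerance. An encryption of one is a uniform point of $P^-$, so $u \cdot z'$ mod 1 is uniform and about one fifth of the ones are misread as zeros, which is the one-sided error the hyperplane intuition predicts.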


Theorem 7.1 For all $c_1, c_2, c_3, c_4 > 0$ there exists a $c_5$ and a probabilistic algorithm $B$ (using an oracle) so that for all sufficiently large $n$, condition (1) implies condition (2), where

(1) $A$ is a probabilistic circuit of size $n^{c_1}$ so that if $u, v_1, \ldots, v_m$ are picked at random as described in the protocol for generating the public and private keys, then with a probability of at least $n^{-c_2}$, $A$ distinguishes the random variables $\mathcal{S}_{v_1, \ldots, v_m}$ and $\mathcal{E}_{v_1, \ldots, v_m}$, given $v_1, \ldots, v_m$, with probability at least $\tfrac12 + n^{-c_3}$.

(2) $B$, using $A$ as an oracle, can solve any instance of size at most $n^{c_4}$ of the $n^{D_2}$-unique shortest vector problem in time $n^{c_5}$ and with a probability at least $1 - 2^{-n}$.

Remarks. 1. As we have already indicated in the Introduction, there are ways to make the cryptosystem more efficient. One possibility is that instead of choosing the vectors $w_1, \ldots, w_n$ from the set $v_1, \ldots, v_m$, we may randomize them separately, making sure that they are almost orthogonal, and so $\mathrm{width}(w_1, \ldots, w_n)$ will be automatically large. For example, we may pick $w_i$ from the cube $K e_i + \tfrac{K}{2} U^{(n)}$. The proof remains essentially the same.

2. Lemma 8.2 shows that if the worst-case $n^c$-unique shortest vector problem has no polynomial time solution then in a large cube the uniform distribution is computationally indistinguishable from the following distribution: Fix a random vector $u$ in the unit ball, then take random points from the large cube on the hyperplanes where the inner products of the vectors with $u$ is an integer, and then perturb these points slightly. (Each perturbed point is a value of the random variable.)

Using the fact that the distribution of this random variable is computationally indistinguishable from the uniform distribution we may construct a pseudo-random number generator as mentioned in Section 6.

The proof of the theorem is in two parts. In the first part, assume that there exists a probabilistic polynomial time machine $A$ that, given the public key, followed by a block of $t$ random encryptions of the bit $b$, followed by a block of $t$ random encryptions of $1 - b$, produces $b$ with probability polynomially better than $1/2$ for a polynomial fraction of the instances of the cryptosystem (an instance is a (public key, private key) pair generated by the cryptosystem generator). Let $U'$ be a random variable which takes its values with uniform distribution on the $n$-dimensional cube $K U^{(n)}$ and let $U = \mathrm{round}_{2^{-n}}(U')$. We show that the existence of $A$ implies the existence of a probabilistic polynomial time machine $C$ that, on input $mt$ values of a random variable $\zeta$, using $A$ as an oracle, determines whether $\zeta$ is $U$ or $\mathcal{H}_{u, n^{-D_1}, n}$.

Roughly speaking, this is done as follows: $C$ partitions its inputs into $t$ blocks of size $m$. For each block $B_i = (b_{i1}, \ldots, b_{im})$, $C$ "acts as if" the inputs in this block form a public key: $C$ generates a block of random encryptions of zero and a block of random encryptions of one under this hypothetical public key and feeds $B_i$ followed by these two blocks of encryptions to $A$ (the blocks are ordered at random). $A$ responds with a guess of which block is first. If $A$ is correct sufficiently frequently, then $C$ concludes that $\zeta = \mathcal{H}_{u, n^{-D_1}, n}$; otherwise $C$ concludes that $\zeta = U$. The intuition is that if $\zeta = \mathcal{H}_{u, n^{-D_1}, n}$ then each block $B_i$ is a valid public key, so by assumption $A$ has a non-negligible probability of distinguishing encryptions of zero from encryptions of one. On the other hand, if $\zeta = U$ then all the "encryptions" of zero that $C$ generates are just sums of uniformly distributed random vectors; hence, $A$ would have to distinguish between two almost identical distributions, which is impossible.

For the rest of the proof of Theorem 7.1, suppose we are given a basis of a lattice $L$ whose shortest vector is unique up to a factor of $n^{D_2}$. Let $v$ be a shortest non-zero vector in $L$. Let $X$ be the set of all $u \in \mathbb{R}^n$ so that $\tfrac12 < \|u\| \le 1$ and $C$ distinguishes the random variables $U$ and $\mathcal{H}_{u, n^{-D_1}, n}$ with probability at least $\tfrac12 + n^{-c_3}$. We describe a probabilistic polynomial time machine $B$ that finds $v$.

$B$ generates a number $t$ of linear transformations $U_1, \ldots, U_t$, where each $U_i$ can be written $U_i = \theta \nu$ where $\theta \in \mathbb{R}$ and $\nu$ is an orthogonal linear transformation. Intuitively, $\nu$ rotates the lattice $L$ leaving the lengths of the basis vectors unchanged, while $\theta$ scales the rotated basis. We argue (Lemma 8.5) that, with probability at least $1 - 2^{-2n}$, at least one of the vectors $U_i v$ is in $X$. Fix such an $i$; we will find $U_i v$, the shortest vector of $U_i L$. Since $U_i = \theta \nu$, we have that $w$ is an $n^{D_2}$-unique shortest vector of $L$ iff $U_i w$ is an $n^{D_2}$-unique shortest vector of $U_i L$. Moreover, since $U_i v \in X$ we have $\tfrac12 < \|U_i v\| \le 1$. It follows that $J$, the dual lattice of $U_i L$, is a random $(1, n^{-D_2'})$ lattice, where $D_2' \approx D_2 - 2$. It is random because $U_i$ is random.

$B$ chooses a new system of coordinates so that $U_i e_j$, $j = 1, \ldots, n$ is the new basis. Let $K = K(n)$, that is, $K U^{(n)} = Q$. We prove that the distance of the distributions of $\mathcal{H}_{u, n^{-D_1}, n}$ and $\xi_{J,K,R}$ is exponentially small; moreover, clearly $\eta_K = U$. Therefore the distinguishability of $U$ and $\mathcal{H}_{u, n^{-D_1}, n}$ would imply the distinguishability of $\xi_{J,K,R}$ and $\eta_K$; hence, as argued in the case of the second cryptosystem, there is a probabilistic polynomial time algorithm to find $J^{(d,M)}$, and so the shortest vector of $U_i L$, using $A$ as an oracle, with a probability exponentially close to one.

8 Proof of the Main Theorem

Lemma 8.1 For all $c_1, c_2$ there exist $c_3, c_4$ and a probabilistic algorithm $B$ (using an oracle) so that for all sufficiently large $n$, condition (1) implies condition (2), where

(1) $A$ is a probabilistic circuit so that if $u, v_1, \ldots, v_m$ are picked at random as described in the protocol for generating the public and private keys, then with a probability of at least $n^{-c_1}$, $A$ distinguishes the random variables $\mathcal{S}_{v_1, \ldots, v_m}$ and $\mathcal{E}_{v_1, \ldots, v_m}$ over $v_1, \ldots, v_m$ with a bias of at least $n^{-c_2}$.

(2) Suppose that we pick the random vector $u$ as described in the protocol for generating the public and private keys. Then with a probability of at least $n^{-c_3}$ the following holds: $B$, using $A$ as an oracle, distinguishes the random variables $\mathrm{unif}$ and $\mathcal{H}_{u, n^{-D_1}, n}$ with a bias of at least $n^{-c_3}$, in time $n^{c_4}$.

Proof of Lemma 8.1. We may assume that condition (1) of the lemma holds even if in its conclusion we require that $A$ distinguishes $z'$ and $z''$ with a bias of at least $\tfrac12 - n^{-2}$. Indeed suppose that $u, v_1, \ldots, v_m$ is fixed with the property that $A$ distinguishes $\mathcal{S}_{v_1, \ldots, v_m}$ and $\mathcal{E}_{v_1, \ldots, v_m}$ with a bias of at least $n^{-c_2}$. $B$ produces a long independent sequence of values of both random variables ($n^{c_2 + 1}$ times longer than required by $A$), applies $A$ $n^{c_2 + 1}$ times, and then takes the majority of the decisions. The bias of the decision will be exponentially close to $\tfrac12$, certainly greater than $\tfrac12 - n^{-2}$. For the sake of notational simplicity we assume that already the original $A$ has this property.

Let $X$ be the set of sequences $v_1, \ldots, v_m$ with the property that $A$ distinguishes the random variables $\mathcal{S}_{v_1, \ldots, v_m}$, $\mathcal{E}_{v_1, \ldots, v_m}$ with a bias of at least $\tfrac12 - n^{-2}$. Since $\mathcal{S}_{v_1, \ldots, v_m}$ and $\mathcal{E}_{v_1, \ldots, v_m}$ can be generated in polynomial time, there is a polynomial time probabilistic algorithm which, for any fixed values $v_1, \ldots, v_m$, approximates the bias of $A$ with a polynomially small error, using only a polynomial number of applications of $A$. Therefore there is a set $Y \subseteq X$ so that

(a) $\bar v \in Y$ can be decided in polynomial time, with a probability exponentially close to one.

(b) for each $(v_1, \ldots, v_m) \in Y$, $A$ distinguishes $\mathcal{S}_{v_1, \ldots, v_m}$, $\mathcal{E}_{v_1, \ldots, v_m}$ with a bias of at least $\tfrac12 - n^{-1}$.

Now we give a definition for the algorithm $B$. $B$ gets $mt$ values of a random variable $\zeta$ (for a suitable $t$) and it tries to decide whether it is $\mathrm{unif}$ or $\mathcal{H}_{u, n^{-D_1}, n}$ in the following way: $B$ partitions the values into blocks of size $m$. For each fixed block $\mathcal{B}$ it computes two bits $f(\mathcal{B})$ and $g(\mathcal{B})$. Assume that the values in $\mathcal{B}$ are $b_1, \ldots, b_m$. If $(b_1, \ldots, b_m) \notin Y$ then $f(\mathcal{B}) = g(\mathcal{B}) = 0$. Suppose $(b_1, \ldots, b_m) \in Y$. $B$ produces as many independent values of the random variables $\mathcal{S}_{b_1, \ldots, b_m}$, $\mathcal{E}_{b_1, \ldots, b_m}$ as needed for the input of $A$. $B$ gives the values of $\mathcal{S}$ and $\mathcal{E}$ to $A$ as an input in a random order. If $A$ identifies $\mathcal{S}$ and $\mathcal{E}$ correctly then $g(\mathcal{B}) = 1$ otherwise $g(\mathcal{B}) = 0$. $f(\mathcal{B}) = 1$ in both cases. Finally let $f_0 = \sum f(\mathcal{B})$, $g_0 = \sum g(\mathcal{B})$, where we take the sums for all $t$ blocks. If $f_0 > \tfrac12 n^{-c_1} t$ and $g_0 > \tfrac34 f_0$ then $B$ decides that $\zeta = \mathcal{H}_{u, n^{-D_1}, n}$ otherwise it decides that $\zeta = \mathrm{unif}$. This completes the definition of $B$.

For any fixed $u$ let $B_u$ be the following event: if we randomize $v_1, \ldots, v_m$ as described in the protocol, then with a probability of at least $n^{-2c_1}$, we have that "$A$ distinguishes the random variables $\mathcal{S}$ and $\mathcal{E}$ over $v_1, \ldots, v_m$ with a bias of at least $\tfrac12 - n^{-1}$".

Condition (1) of the lemma implies that if we randomize only $u$ then $P(B_u) \ge n^{-2c_1}$. Since $n^{-2c_1} > n^{-c_3}$, it is sufficient to show that if $B_u$ holds then $B$ distinguishes $\mathcal{H}_{u, n^{-D_1}, n}$ and $\mathrm{unif}$ with a bias of at least $\tfrac12$.

We will show that if $\zeta = \mathcal{H}_{u, n^{-D_1}, n}$ then for each fixed block $\mathcal{B}$ the following holds, where the probabilities are taken both for the randomization of the elements $b_1, \ldots, b_m$ and the random steps of $B$ and $A$:

(c) $P(f(\mathcal{B}) = 1) \ge n^{-c_1}$, $P(g(\mathcal{B}) = 1 \mid f(\mathcal{B}) = 1) \ge 1 - n^{-1}$.

Since the events for different blocks are independent, these inequalities imply that with a probability exponentially close to one, we have $f_0 > \tfrac12 n^{-c_1} t$ and $g_0 > \tfrac34 f_0$.

For $\zeta = \mathrm{unif}$ we will show that

(d) $P(g(\mathcal{B}) = 1 \mid f(\mathcal{B}) = 1) < \tfrac12 + 2^{-n}$.

This implies that with a probability exponentially close to one either $f_0 < \tfrac12 n^{-c_1} t$ or $g_0 < \tfrac34 f_0$. Therefore it is enough to show that the inequalities (c) and (d) hold for the appropriate choice of $\zeta$.

Assume first that $\zeta = \mathcal{H}_{u, n^{-D_1}, n}$. Since $Y \subseteq X$ and $P(X) > n^{-c_1}$, we have $P(Y) \ge n^{-c_1}$. Since $(b_1, \ldots, b_m) \in Y$ implies $f(\mathcal{B}) = 1$ we have $P(f(\mathcal{B}) = 1) > n^{-c_1}$.

Assume $f(\mathcal{B}) = 1$ and therefore $(b_1, \ldots, b_m) \in Y$. By the definition of $Y$, $A$ distinguishes $\mathcal{S}$ and $\mathcal{E}$ with a bias of at least $\tfrac12 - n^{-1}$. Therefore the probability that $A$ gives the right answer is at least $1 - n^{-1}$, in other words $P(g(\mathcal{B}) = 1 \mid f(\mathcal{B}) = 1) \ge 1 - n^{-1}$.

Assume now that $\zeta = \mathrm{unif}$. Suppose that $u$ is fixed, $\tfrac12 < \|u\| \le 1$. (Clearly the probability of this event is exponentially close to one.) We show that in this case for almost all choices of $v_1, \ldots, v_m$ (with an exponentially small exception) the random variables $\mathcal{S}$ and $\mathcal{E}$ are almost identical in the sense that the distance of their distribution is smaller than $2^{-n}$. This will imply the required inequality, since $A$ is trying to distinguish two random variables whose distance is exponentially small and which are given to it in a random order, therefore the bias of its decision is exponentially small.

We show now that if $v_1, \ldots, v_m$ are independent values of $\mathrm{unif}$ then with a probability exponentially close to one, we have that the distance of the distribution $\mathcal{S}_{v_1, \ldots, v_m}$ and $\mathcal{E}_{v_1, \ldots, v_m}$ is exponentially small.

$\mathcal{E}_{v_1, \ldots, v_m}$ by definition has a uniform distribution on $\Lambda = P^-(w_1, \ldots, w_n) \cap 2^{-n}\mathbb{Z}^n$. We have to show that with high probability $\mathcal{S}_{v_1, \ldots, v_m}$ has also an almost uniform distribution on this set. (We note that this is not true if $v_1, \ldots, v_m$ are random values of $\mathcal{H}_{u, n^{-D_1}, n}$.) The elements of $\Lambda$ form an Abelian group if we define addition as the addition in $\mathbb{R}^n$ modulo the subgroup generated by $w_1, \ldots, w_n$. We want to apply Lemma 8.3 for this group and the sum $\sum_{i = m/2 + 1}^{m} \delta_i v_i$.

First we randomize $v_1, \ldots, v_{m/2}$. We show that with a probability of at least $1 - 2^{-n}$ we have $i_0 < \tfrac{m}{2} - n - 1$, therefore this randomization already decides the values $w_1, \ldots, w_n$. To this end, we estimate for a fixed $j$ the probability of the event $B_j$ where $B_j$ holds iff $\mathrm{width}(v_{j+1}, \ldots, v_{j+n}) < a/n^2$. For any fixed $i = 1, \ldots, n$ the probability that the distance of $v_{j+i}$ from the subspace generated by $\{v_k \mid k \neq j + i,\ j + 1 \le k \le j + n\}$ is smaller than $n^{-2}$ is at most $c\,n^{-3/2}$ for a constant $c$ (see Lemma 8.4), therefore the probability that this happens for at least one $i$ is at most $c\,n^{-1/2}$. The events $B_j$ for $j = nl$, $l = 1, \ldots, \tfrac{m}{2n} - 1$ are independent, therefore the probability that there exists a $j = nl$, $l = 1, \ldots, \tfrac{m}{2n} - 1$ with $\neg B_j$ is at least $1 - (c\,n^{-1/2})^{\frac{m}{2n} - 1} \ge 1 - 2^{-n}$ provided that $m > n^2$ and $n$ is sufficiently large with respect to $c$. Therefore we may assume that $i_0 < \tfrac{m}{2}$ and so $w_1, \ldots, w_n$ are defined after the randomization of $v_1, \ldots, v_{m/2}$.

Let $P = P^-(v_{i_0 + 1}, \ldots, v_{i_0 + n})$. If $v_{m/2 + 1}, \ldots, v_m$ were uniformly distributed after being reduced modulo $P$, then we would be able to apply Lemma 8.3 with $k = \tfrac{m}{2}$, $b_i = v_{m/2 + i}$, and $\mathcal{A} = \Lambda$, to show that if we fix $v_{m/2 + 1}, \ldots, v_m$ and randomize $\delta_{m/2 + 1}, \ldots, \delta_m$, then $\sum_{i = m/2 + 1}^{m} v_i \delta_i \bmod P$ has a distribution exponentially close to uniform ($\Lambda \subseteq 2^{-n}\mathbb{Z}^n \cap Q$ has at most $(2^n K)^n = 2^{n^2} 2^{n^2 \log n}$ elements). Although in fact the $v_i$ do not have uniform distribution when reduced modulo $P$, the sum $\sum v_i \bmod P$ will have distribution exponentially close to uniform if the interval $I$ is sufficiently large. Using this and a modification of Lemma 8.3, we can show that if we first fix $v_{m/2 + 1}, \ldots, v_m$ and then randomize $\delta_{m/2 + 1}, \ldots, \delta_m$, then $\sum_{i = m/2 + 1}^{m} v_i \delta_i \bmod P$ will have a distribution exponentially close to uniform. Since the distance from the uniform distribution is a convex function, the same will be true for the sum $\sum_{i=1}^{m} \delta_i v_i$ if we take into account the randomization of the values $\delta_1, \ldots, \delta_{m/2}$.

That is, we have shown that with a probability exponentially close to one the distribution of $\mathcal{S}$ is exponentially close to the uniform distribution, that is, to the distribution of $\mathcal{E}$. Q.E.D. (Lemma 8.1)
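The step above rests on Lemma 8.3: for a fixed sequence $b_1, \ldots, b_k$ of uniformly random group elements, the subset sum $\sum_i \delta_i b_i$ over uniform bits $\delta_i$ is close to uniform on the group. As an added illustration, not code from the paper, the following Python computes that distribution exactly in the cyclic group $\mathbb{Z}_N$ (a constructed stand-in for the group $\Lambda$ of the proof), by dynamic programming rather than by enumerating the $2^k$ subsets, and measures its statistical distance from uniform. It also shows why the lemma's guarantee is a statement over the random choice of $b$: a degenerate sequence with all $b_i$ equal reaches only $k+1$ residues.

```python
import random

def subset_sum_distribution(elements, modulus):
    """Exact distribution of sum_i delta_i * b_i in Z_modulus when the delta_i are
    independent uniform bits, computed in O(k * modulus) steps by dynamic
    programming instead of enumerating the 2^k subsets."""
    dist = [0.0] * modulus
    dist[0] = 1.0                            # empty sum before any b_i is seen
    for b in elements:
        nxt = [0.0] * modulus
        for a, p in enumerate(dist):
            if p:
                nxt[a] += p / 2                      # delta_i = 0
                nxt[(a + b) % modulus] += p / 2      # delta_i = 1
        dist = nxt
    return dist

def distance_from_uniform(dist):
    """Statistical (total variation) distance from the uniform distribution."""
    size = len(dist)
    return 0.5 * sum(abs(p - 1.0 / size) for p in dist)

def random_sequence_distance(modulus, k, seed=1):
    """The lemma's setting: b_1, ..., b_k independent and uniform in the group
    (constructed with a fixed seed so the result is reproducible)."""
    rng = random.Random(seed)
    b = [rng.randrange(modulus) for _ in range(k)]
    return distance_from_uniform(subset_sum_distribution(b, modulus))

def degenerate_sequence_distance(modulus, k):
    """All b_i equal: only k+1 residues are reachable, so the conclusion fails.
    Such sequences are excluded by the lemma's 1 - 2^{-ck} probability over b."""
    return distance_from_uniform(subset_sum_distribution([1] * k, modulus))
```

In $\mathbb{Z}_{101}$ the distance for a random sequence drops from a few percent at $k = 10$ to below $10^{-3}$ at $k = 100$, while the degenerate sequence stays far from uniform no matter how $k$ grows, which is exactly the dependence on the length $k$ and on the randomness of $b$ that the proof of Lemma 8.1 needs.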

Lemma 8.2 For all $c_1, c_2$ there exist $c_3, c_4$ and a probabilistic algorithm $B$ (using an oracle) so that for all sufficiently large $n$, condition (1) implies condition (2), where

(1) $A$ is a probabilistic circuit with the following property: if we pick the random vector $u$ as described in the protocol for generating the public and private keys, then with a probability of at least $n^{-c_1}$ the following holds: $A$ distinguishes the random variables $\mathrm{unif}$ and $\mathcal{H}_{u, n^{-D_1}, n}$ with a bias of at least $n^{-c_2}$.

(2) $B$, using $A$ as an oracle, can solve any instance of size at most $n^{c_3}$ of the $n^{D_2}$-unique shortest vector problem in time $n^{c_4}$ and with a probability greater than $1 - 2^{-n}$.

Proof. We describe an algorithm $B$ satisfying the requirements of (2). The input will be a basis of a lattice $L$ whose shortest vector is unique up to a factor of $n^{D_2}$. Let $w$ be a shortest non-zero vector in $L$. Let $X$ be the set of all $u \in \mathbb{R}^n$ so that $\tfrac12 \le \|u\| \le 1$ and $A$ distinguishes the random variables $\mathrm{unif}$ and $\mathcal{H}_{u, n^{-D_1}, n}$ with a bias of at least $n^{-c_2}$.

We apply Lemma 8.5 with the set $X$ defined above. The lemma implies that if we compute $t = \lceil n^{c_2 + 2} \rceil$ (where $c_2$ is from Lemma 8.5) values $U_1, \ldots, U_t$ of the random variable $\nu$ then with a probability of at least $1 - 2^{-2n}$, at least one of the vectors $U_i w$, $i = 1, \ldots, t$ is in $X$. Assume that an $i$ is fixed with this property. We will find the shortest vector of $U_i L$. Since $U_i = \theta V$ where $\theta \in \mathbb{R}$ and $V$ is an orthogonal linear transformation, we have that $w$ is an $n^{D_2}$-unique shortest vector of $L$ iff $U_i w$ is an $n^{D_2}$-unique shortest vector of $U_i L$. Let $J$ be the dual lattice of $U_i L$. Since $U_i L$ has an $n^{D_2}$-unique shortest vector, $J$ is a $(1, n^{-D_2'})$ lattice, where $D_2' \approx D_2 - 2$. To be able to apply the results of Section 6 we pick a new system of coordinates so that $U_i e_j$, $j = 1, \ldots, n$ is the new basis. Let $K = K(n)$, that is, $K U^{(n)} = Q$. As proved in Section 6, the distance of the distributions of $\mathcal{H}_{u, n^{-D_1}, n}$ and $\xi_{J,K,R}$ is exponentially small and clearly $\eta_K = \mathrm{unif}$. Therefore the distinguishability of $\mathrm{unif}$ and $\mathcal{H}_{u, n^{-D_1}, n}$ would imply the distinguishability of $\xi_{J,K,R}$ and $\eta_K$ and so the algorithm given in Section 6 would, in polynomial time, find $J^{(d,M)}$, and hence the shortest vector of $U_i L$, using $A$ as an oracle with a probability exponentially close to one. Q.E.D. (Lemma 8.2)

Proof of Theorem 7.1. Condition (1) of the theorem is identical to condition (1) of Lemma 8.1. Its consequence, condition (2) of Lemma 8.1, implies the existence of a circuit which satisfies the requirements of (1) of Lemma 8.2. The conclusion of Lemma 8.2 implies the existence of an algorithm which uses another algorithm as an oracle (the second algorithm uses a circuit as an oracle). We can make a single algorithm from the two mentioned ones and get the conclusion of the theorem. Q.E.D. (Theorem 7.1)

Remark. We have shown that with high probability $i_0 < \tfrac{m}{2}$ only in the case when $v_1, \ldots, v_m$ are values of the random variable $\mathrm{unif}$. (See the proof of Lemma 8.1.) In the same way we can also show that if $v_1', \ldots, v_m'$ are random independent values of $\mathrm{unif}$ then with a probability exponentially close to one, there is an $i_1 < \tfrac{m}{2}$ so that $\mathrm{width}(v'_{i_1 + 1}, \ldots, v'_{i_1 + n}) > n^{-1} a$. We may get independent values of $\mathcal{H}_{u, n^{-D_1}, n}$ by adding independent values of $\mathrm{pert}(n^{-D_1}, n)$ to $v_1', \ldots, v_m'$. Since each possible value of $\mathrm{pert}(n^{-D_1}, n)$ is much smaller than $n^{-2} a$ we have that $\mathrm{width}(v'_{i_1 + 1}, \ldots, v'_{i_1 + n}) > n^{-1} a$ implies $\mathrm{width}(v_{i_1 + 1}, \ldots, v_{i_1 + n}) > n^{-2} a$.

Lemma 8.3 (Ajtai [1]): There exists a $c > 0$ so that if $\mathcal{A}$ is a finite Abelian group and $k$ is a positive integer and $b = (b_1, \ldots, b_k)$ is a sequence of length $k$ whose elements are chosen independently and with uniform distribution from $\mathcal{A}$, then with a probability of at least $1 - 2^{-ck}$ the following holds:

Assume that $b$ is fixed and we randomize a $0,1$-sequence $\delta_1, \ldots, \delta_k$, where the numbers $\delta_i$ are chosen independently and with uniform distribution from $\{0, 1\}$. For each $a \in \mathcal{A}$ let

Lemma 8.4 Assume that $Q = U^{(n)} \subseteq \mathbb{R}^n$ is the unit cube of the $n$-dimensional space and $H \subseteq \mathbb{R}^n$ is a hyperplane, and $V$ is the set of those points in $Q$ whose distance from $H$ is at most $\gamma > 0$. Then the volume of $V$ is at most $2\gamma n^{\frac12}$.

Proof. Let $b = (b_1, \ldots, b_n)$ be a unit vector orthogonal to $H$. Since $1 = \|b\|^2 = \sum_i b_i^2$, there is a $1 \le j \le n$ so that $|b_j| \ge n^{-\frac12}$. This implies that if the vectors $u, v \in V$ differ only in their $j$th components $u_j, v_j$, then $|u_j - v_j| \le 2\gamma n^{\frac12}$. Let $Q'$ be the orthogonal projection of $Q$ to the hyperplane $x_j = 0$. The previous remark implies that for each fixed $p \in Q'$ the length of the interval in $V$ which is projected to $p$ is at most $2\gamma n^{\frac12}$. Therefore the volume of $V$ is at most $2\gamma n^{\frac12}$.

Definitions. 1. We call a linear transformation $U$ of $\mathbb{R}^n$ orthogonal, if for any $u \in \mathbb{R}^n$, $\|Uu\| = \|u\|$. (An equivalent characterization of the orthogonal linear transformation $U$ is the following: with respect to any orthonormal basis the matrix of $U$ is orthonormal, that is, its rows as $n$-dimensional vectors form an orthonormal system.)

2. If the values of a random variable $\zeta$ are real numbers (or vectors, matrices with real components), then we say that a probabilistic algorithm generates $\zeta$ in polynomial time, if for any $c > 0$ there is a $c' > 0$ so that the algorithm generates a random variable in time $n^{c'}$ which approximates $\zeta$ with an error not greater than $2^{-n^c}$.

Lemma 8.5 For all $c_1 > 0$, there is a $c_2 > 0$ and a probabilistic algorithm which generates a random variable $\nu$ in polynomial time so that

(1) each value of $\nu$ can be written in the form of $\theta \nu_1$ where $\theta \in \mathbb{R}$ and $\nu_1$ is an orthogonal linear transformation of $\mathbb{R}^n$;

(2) if $X$ is a Lebesgue measurable subset of the unit ball of $\mathbb{R}^n$ whose density in it is at least $n^{-c_1}$ and $v \in \mathbb{R}^n$ with $2^{-n^2} < \|v\| < 2^{n^2}$, then $P(\nu v \in X) > n^{-c_2}$.

In the proof of this lemma we will use the following well-known facts about orthogonal linear transformations. The set of all orthogonal linear transformations of $\mathbb{R}^n$ is a compact topological group under the multiplication of linear transformations and the usual topology of linear transformations (induced by e.g. any fixed matrix representation). There is a unique probability measure on this group (defined on all Borel sets) which is invariant under the mappings defined by the multiplication with any fixed element of the group (the Haar measure of the group). We assume that $\rho$ is a random variable taking its values with uniform distribution on the set of orthogonal linear transformations of $\mathbb{R}^n$ according to this distribution. We will use the following property of $\rho$: If $v \in \mathbb{R}^n$, $\|v\| = 1$ is fixed, then $\rho v$ has a uniform distribution on the set of vectors with length 1. There are several ways to generate $\rho$ in polynomial time, e.g. we may randomize sequentially the vectors $\rho e_1, \ldots, \rho e_n$. After $\rho e_1, \ldots, \rho e_i$ have been selected, $\rho e_{i+1}$ is chosen with uniform distribution from the set of all unit vectors orthogonal to $\rho e_1, \ldots, \rho e_i$.

Let $\beta$ be a random variable taking its values on the $[0, 1]$ interval and defined in the following way: first we take a vector $w$ with uniform distribution on the unit ball of $\mathbb{R}^n$, and let $\beta = \|w\|$.

Let $\gamma$ be the random variable which takes the value $(1 + \tfrac1n)^i$ with a probability $\tfrac{1}{2n' + 1}$ for $i = -n', \ldots, -1, 0, 1, \ldots, n'$.

Finally we assume that $\rho$, $\beta$ and $\gamma$ are independent and define $\nu$, $\nu_1$ and $\theta$ as follows: $\nu_1 = \rho$, $\theta = \gamma\beta$, $\nu = \gamma\beta\rho$.
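The random variable $\nu = \gamma\beta\rho$ defined above, as an added Python sketch that is not code from the paper. It generates $\rho$ by the sequential construction the text describes (each new $\rho e_{i+1}$ is a uniformly random unit vector orthogonal to the earlier ones; a Gaussian vector made orthogonal to them and normalised is exactly such a vector), draws $\beta$ as the length of a uniform point of the unit ball, and draws $\gamma$ from the geometric grid. The exponent range $n'$, which the page leaves unspecified, is kept as a parameter; the constructed dimension and seed are for the self-check only. `gamma_covers` checks the step of the proof that there is a $\gamma_0$ with $1 \le \gamma_0 \|v\| \le 1 + \tfrac1n$ whenever $\|v\|$ lies in the range the grid spans.

```python
import math
import random

def norm(v):
    return math.sqrt(sum(a * a for a in v))

def haar_orthogonal(n, rng):
    """Random orthogonal rho, column by column: rho e_{i+1} is a uniformly random
    unit vector orthogonal to rho e_1, ..., rho e_i (Gram-Schmidt on Gaussians)."""
    cols = []
    while len(cols) < n:
        g = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for c in cols:                          # remove components along earlier columns
            d = sum(a * b for a, b in zip(g, c))
            g = [a - d * b for a, b in zip(g, c)]
        length = norm(g)
        if length > 1e-9:                       # reject a (measure-zero) degenerate draw
            cols.append([a / length for a in g])
    return cols                                 # cols[i] is rho e_{i+1}

def apply_transformation(cols, v):
    """rho v = sum_i v_i (rho e_i)."""
    n = len(v)
    return [sum(v[i] * cols[i][r] for i in range(n)) for r in range(n)]

def is_orthogonal(cols, tol=1e-9):
    """Definition 1: the columns form an orthonormal system."""
    for i, ci in enumerate(cols):
        for j, cj in enumerate(cols):
            d = sum(a * b for a, b in zip(ci, cj))
            if abs(d - (1.0 if i == j else 0.0)) > tol:
                return False
    return True

def sample_nu(n, nprime, rng):
    """One value of nu = gamma * beta * rho, returned as (theta, rho), theta = gamma * beta."""
    rho = haar_orthogonal(n, rng)
    beta = rng.random() ** (1.0 / n)            # ||w||, w uniform in the unit ball: P(beta <= r) = r^n
    gamma = (1.0 + 1.0 / n) ** rng.randint(-nprime, nprime)   # exponent uniform in [-n', n']
    return gamma * beta, rho

def gamma_covers(n, nprime, v_norm):
    """Is there a gamma_0 in the support of gamma with 1 <= gamma_0 ||v|| <= 1 + 1/n?"""
    base = 1.0 + 1.0 / n
    return any(1.0 <= base ** i * v_norm <= base for i in range(-nprime, nprime + 1))

def check(seed=3, n=5, nprime=125):
    """Self-check with constructed values: rho is orthogonal, preserves lengths, theta > 0."""
    rng = random.Random(seed)
    theta, rho = sample_nu(n, nprime, rng)
    v = [float(i + 1) for i in range(n)]
    length_kept = abs(norm(apply_transformation(rho, v)) - norm(v)) < 1e-9
    return is_orthogonal(rho), length_kept, theta > 0
```

With $n = 5$ and $n' = n^3 = 125$ the grid $(1 + \tfrac1n)^i$ reaches past $2^{n^2}$ in both directions, so `gamma_covers` succeeds for $\|v\| = 2^{\pm 25}$ and fails for $\|v\| = 2^{40}$, which lies outside the range assumed in part (2) of the lemma.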

Assume now that a $v \in \mathbb{R}^n$ is fixed with $2^{-n^2} \le \|v\| \le 2^{n^2}$. According to the definition of $\gamma$ there is a $\gamma_0$ so that the probability of $\gamma = \gamma_0$ is $\tfrac{1}{2n' + 1}$ and $1 \le \gamma_0 \|v\| \le (1 + \tfrac1n)$.

We estimate the conditional probability $P(\nu v \in X \mid \gamma = \gamma_0)$. Since $\gamma, \beta, \rho$ are independent this is the (unconditional) probability $P(\gamma_0 \beta \rho v \in X)$. As we have remarked earlier $\rho v$ has a uniform distribution on the set of all vectors with length $\|v\|$ and so by the definition of $\beta$, $\gamma_0 \beta \rho v$ has a uniform distribution on the ball around $0$ with radius $\gamma_0 \|v\|$. Since this ball contains the unit ball and the ratio of their volumes is at most $(1 + \tfrac1n)^n \le 3$, we get a point in $X$ with a probability of at least $\tfrac13 n^{-c_1}$, that is, $P(\nu v \in X \mid \gamma = \gamma_0) \ge \tfrac13 n^{-c_1}$ and so $P(\nu v \in X) \ge \tfrac13 n^{-c_1} \cdot \tfrac{1}{2n' + 1}$. Q.E.D. (Lemma 8.5).

Remark. In order to avoid the complication of examining the distribution $\sum_{i=1}^{m/2} v_{m/2 + i} \delta_{m/2 + i}$, we can choose $v_1, \ldots, v_{m/2}$ as described above and $v_{m/2 + 1}, \ldots, v_m$ by perturbing randomly chosen points on the hyperplanes induced by $u$ within a cube whose sides are polynomially larger than $K$. The proof of correctness is essentially the same, complicated slightly by the fact that we are now working with two different distributions, and the resulting construction permits a more efficient system (that is, smaller values of $D_1$, $D_2$, and $D_3$).

Acknowledgement We are grateful to Shai Halevi for pointing out a mistake in an early version of the proof of the main theorem.

References

[1] M. Ajtai, Generating Hard Instances of Lattice Problems, Proceedings 28th Annual ACM Symposium on Theory of Computing, 1996

[2] M. Ajtai, C. Dwork, A Public-Key Cryptosystem with Average-Case/Worst-Case Equivalence, Electronic Colloquium on Computational Complexity TR96-065, http://www.eccc.uni-trier.de/eccc-local/Lists/TR-1996.html

[3] M. Ajtai and R. Fagin, Reachability is Harder for Directed than for Undirected Graphs, J. Symbolic Logic 55(1), pp. 113-150, 1990

[4] J.W.S. Cassels, An Introduction to the Geometry of Numbers, Springer, 1959

[5] W. Diffie and M.E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, v. IT-22, n. 6, pp. 644-654, 1976

[6] O. Goldreich, Lecture Notes on Foundations of Cryptography, http://www.wisdom.weizmann.ac.il/people/homepages/oded/ln89.html, 1989 (see also, Foundations of Cryptography (Fragments of a Book), http://www.wisdom.weizmann.ac.il/people/homepages/oded/frag.html)

[7] O. Goldreich, S. Goldwasser, and S. Halevi, Public-Key Cryptosystems from Lattice Reduction Problems, Electronic Colloquium on Computational Complexity TR96-056, http://www.eccc.uni-trier.de/eccc-local/Lists/TR-1996.html

[8] P.M. Gruber, C.G. Lekkerkerker, Geometry of Numbers, North-Holland, 1987

[9] M. Grötschel, L. Lovász, A. Schrijver, Geometric Algorithms and Combinatorial Optimization, Springer, Algorithms and Combinatorics 2, 1988

[10] R. Rivest, A. Shamir, L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, CACM 21(2), pp. 120-126, 1978
