
Showing papers by "Oded Regev published in 2009"


Journal ArticleDOI
Oded Regev
TL;DR: A (classical) public-key cryptosystem whose security is based on the hardness of a certain learning problem; the underlying reduction from worst-case lattice problems such as GapSVP and SIVP to this learning problem is quantum.
Abstract: Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the “learning from parity with error” problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size O(n²) and encrypting a message increases its size by a factor of O(n) (in previous cryptosystems these values are O(n⁴) and O(n²), respectively). In fact, under the assumption that all parties share a random bit string of length O(n²), the size of the public key can be reduced to O(n).

1,599 citations


Journal ArticleDOI
TL;DR: This work proposes an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. It transforms this problem into a multivariate optimization problem that can provably be solved by a gradient descent.
Abstract: Lattice-based signature schemes following the Goldreich–Goldwasser–Halevi (GGH) design have the unusual property that each signature leaks information on the signer’s secret key, but this does not necessarily imply that such schemes are insecure. At Eurocrypt ’03, Szydlo proposed a potential attack by showing that the leakage reduces the key-recovery problem to that of distinguishing integral quadratic forms. He proposed a heuristic method to solve the latter problem, but it was unclear whether his method could attack real-life parameters of GGH and NTRUSign. Here, we propose an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof. We transform this problem into a multivariate optimization problem that can provably be solved by a gradient descent. Our approach is very effective in practice: we present the first successful key-recovery experiments on NTRUSign-251 without perturbation, as proposed in half of the parameter choices in NTRU standards under consideration by IEEE P1363.1. Experimentally, 400 signatures are sufficient to recover the NTRUSign-251 secret key, thanks to symmetries in NTRU lattices. We are also able to recover the secret key in the signature analogue of all the GGH encryption challenges.

156 citations


Journal ArticleDOI
TL;DR: The AprxColoring problem is studied, together with tight bounds on generalized noise-stability quantities that extend the recent work of Mossel, O'Donnell, and Oleszkiewicz and should have wider applicability.
Abstract: We study the AprxColoring$(q,Q)$ problem: Given a graph $G$, decide whether $\chi(G)\le q$ or $\chi(G)\ge Q$. We present hardness results for this problem for any constants $3\le q

132 citations


Journal ArticleDOI
TL;DR: In this article, it was shown that by using only two bits of communication, Alice and Bob can classically simulate any correlation that cannot be obtained locally with shared randomness alone.
Abstract: Assume Alice and Bob share some bipartite $d$-dimensional quantum state. A well-known result in quantum mechanics says that by performing two-outcome measurements, Alice and Bob can produce correlations that cannot be obtained locally, i.e., with shared randomness alone. We show that by using only two bits of communication, Alice and Bob can classically simulate any such correlations. All previous protocols for exact simulation required the communication to grow to infinity with the dimension $d$. Our protocol and analysis are based on a power series method, resembling Krivine's bound on Grothendieck's constant, and on the computation of volumes of spherical tetrahedra.

53 citations


Book ChapterDOI
Oded Regev
01 Jan 2009
TL;DR: This work surveys known results on lattice problems that are known to be hard to approximate to within sub-polynomial factors, and discusses some related zero-knowledge protocols for lattice problems.
Abstract: Lattice problems are known to be hard to approximate to within sub-polynomial factors. For larger approximation factors, such as \(\sqrt{n}\), lattice problems are known to be in complexity classes, such as NP ∩ coNP, and are hence unlikely to be NP-hard. Here, we survey known results in this area. We also discuss some related zero-knowledge protocols for lattice problems.

47 citations


Posted Content
TL;DR: This paper shows that every k-round bounded-error communication protocol for the Gap Hamming Distance problem sends a message of at least Ω(n/(k² log k)) bits, which implies strong space lower bounds on algorithms for a number of data stream computations, such as approximating the number of distinct elements in a stream.
Abstract: Gap Hamming Distance is a well-studied problem in communication complexity, in which Alice and Bob have to decide whether the Hamming distance between their respective n-bit inputs is less than n/2-sqrt(n) or greater than n/2+sqrt(n). We show that every k-round bounded-error communication protocol for this problem sends a message of at least Omega(n/(k^2\log k)) bits. This lower bound has an exponentially better dependence on the number of rounds than the previous best bound, due to Brody and Chakrabarti. Our communication lower bound implies strong space lower bounds on algorithms for a number of data stream computations, such as approximating the number of distinct elements in a stream. Subsequent to this result, the bound has been improved by some of us to the optimal Omega(n), independent of k, by using different techniques.

22 citations


Journal ArticleDOI
TL;DR: It is shown that α₂ is exactly the approximation factor of a certain natural $\mathsf{AM}$ protocol for the Covering Radius Problem.
Abstract: Let ℒ be an n-dimensional lattice, and let x be a point chosen uniformly from a large ball in ℝⁿ. In this note we consider the distribution of the distance from x to ℒ, normalized by the largest possible such distance (i.e., the covering radius of ℒ). By definition, the support of this distribution is [0,1]. We show that there exists a universal constant α₂ that provides a natural “threshold” for this distribution in the following sense. For any ε>0, there exists a δ>0 such that for any lattice, this distribution has mass at least δ on [α₂−ε,1]; moreover, there exist lattices for which the distribution is tightly concentrated around α₂ (and so the mass on [α₂+ε,1] can be arbitrarily small). We also provide several bounds on α₂ and its extension to other ℓₚ norms. We end with an application from the area of computational complexity. Namely, we show that α₂ is exactly the approximation factor of a certain natural $\mathsf{AM}$ protocol for the Covering Radius Problem.

14 citations


Journal ArticleDOI
TL;DR: In this paper, the authors consider the problem of bounded-error quantum state identification, where the goal is to maximize the probability of not outputting "?", and prove the following direct product theorem: if we are given two such problems, with optimal probabilities $a$ and $b$ respectively, and the states in the first problem are pure, then the optimal probability for the joint bounded error state identification problem is $O(ab)$.
Abstract: We consider the following problem of bounded-error quantum state identification: Given either state $\alpha_0$ or state $\alpha_1$, we are required to output “0”, “1”, or “?” (“don't know”), such that conditioned on outputting “0” or “1”, our guess is correct with high probability. The goal is to maximize the probability of not outputting “?”. We prove the following direct product theorem: If we are given two such problems, with optimal probabilities $a$ and $b$, respectively, and the states in the first problem are pure, then the optimal probability for the joint bounded-error state identification problem is $O(ab)$. Our proof is based on semidefinite programming duality. Using this result, we present two exponential separations in the simultaneous message passing model of communication complexity. First, we describe a relation that can be computed with $O(\log n)$ classical bits of communication in the presence of shared randomness, but needs $\Omega(n^{1/3})$ communication if the parties don't share randomness, even if communication is quantum. This shows the optimality of Yao's recent exponential simulation of shared-randomness protocols by quantum protocols without shared randomness. Combined with an earlier separation in the other direction due to Bar-Yossef, Jayram, and Kerenidis, this shows that the quantum simultaneous message passing (SMP) model is incomparable with the classical shared-randomness SMP model. Second, we describe a relation that can be computed with $O(\log n)$ classical bits of communication in the presence of shared entanglement, but needs $\Omega((n/\log n)^{1/3})$ communication if the parties share randomness but no entanglement, even if communication is quantum. This is the first example in communication complexity of a situation where entanglement buys much more than quantum communication.

12 citations


Posted Content
TL;DR: It is shown that strong parallel repetition holds neither with entangled provers nor with non-signaling provers, and Holenstein's bound is tight, which provides a tight characterization of the asymptotic behavior of the entangled value under parallel repetition of unique games in terms of a semidefinite program.
Abstract: We consider one-round games between a classical verifier and two provers. One of the main questions in this area is the \emph{parallel repetition question}: If the game is played $\ell$ times in parallel, does the maximum winning probability decay exponentially in $\ell$? In the classical setting, this question was answered in the affirmative by Raz. More recently the question arose whether the decay is of the form $(1-\Theta(\epsilon))^\ell$ where $1-\epsilon$ is the value of the game and $\ell$ is the number of repetitions. This question is known as the \emph{strong parallel repetition question} and was motivated by its connections to the unique games conjecture. It was resolved by Raz who showed that strong parallel repetition does \emph{not} hold, even in the very special case of games known as XOR games. This opens the question whether strong parallel repetition holds in the case when the provers share entanglement. Evidence for this is provided by the behavior of XOR games, which have strong (in fact \emph{perfect}) parallel repetition, and by the recently proved strong parallel repetition of linear unique games. A similar question was open for games with so-called non-signaling provers. Here the best known parallel repetition theorem is due to Holenstein, and is of the form $(1-\Theta(\epsilon^2))^\ell$. We show that strong parallel repetition holds neither with entangled provers nor with non-signaling provers. In particular we obtain that Holenstein's bound is tight. Along the way we also provide a tight characterization of the asymptotic behavior of the entangled value under parallel repetition of unique games in terms of a semidefinite program.

5 citations