zbMATH — the first resource for mathematics

Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. (English) Zbl 1133.68024
Summary: We investigate the average-case complexity of a generalization of the compact knapsack problem to arbitrary rings: given \(m\) (random) ring elements \(a_{1},\dots, a_{m} \in R\) and a (random) target value \(b \in R\), find coefficients \(x_{1},\dots, x_{m} \in S\) (where \(S\) is an appropriately chosen subset of \(R\)) such that \(\sum a_{i} x_{i} = b\). We consider compact versions of the generalized knapsack where the set \(S\) is large and the number of weights \(m\) is small. Most variants of this problem considered in the past (e.g., when \(R={\mathbb{Z}}\) is the ring of the integers) can be easily solved in polynomial time even in the worst case. We propose a new choice of the ring \(R\) and subset \(S\) that yields generalized compact knapsacks that are seemingly very hard to solve on the average, even for very small values of \(m\). Namely, we prove that for any unbounded function \(m = \omega (1)\) with arbitrarily slow growth rate, solving our generalized compact knapsack problems on the average is at least as hard as the worst-case instance of various approximation problems over cyclic lattices.
Specific worst-case lattice problems considered in this paper are the shortest independent vector problem SIVP and the guaranteed distance decoding problem GDD (a variant of the closest vector problem, CVP) for approximation factors \(n^{1+\varepsilon}\) almost linear in the dimension of the lattice.
Our results yield very efficient and provably secure one-way functions (based on worst-case complexity assumptions) with key size and time complexity almost linear in the security parameter \(n\). Previous constructions with similar security guarantees required quadratic key size and computation time. Our results can also be formulated as a connection between the worst-case and average-case complexity of various lattice problems over cyclic and quasi-cyclic lattices.

68Q17 Computational difficulty of problems (lower bounds, completeness, difficulty of approximation, etc.)
11H06 Lattices and convex bodies (number-theoretic aspects)
94A60 Cryptography
94B15 Cyclic codes
Full Text: DOI