There are thousands of NP-hard problems out there. Why have only lattice problems been applied to cryptography?
3 Answers
What makes a problem suitable for cryptography is slightly different than what makes a problem NP-hard.
What is required for cryptography is average-case hardness --- i.e., a randomly selected instance of a problem should be "hard" for an adversary to solve. However, random instances of some NP-hard problems (3SAT, e.g.) turn out to be easy with high probability.
Lattices are interesting as some of their average-case hard problems (e.g. Shortest Integer Solution, SIS) allow a reduction to worst-case hard problems (e.g. Shortest Independent Vector Problem, SIVP) --- i.e. solving a random instance of one problem is as hard as solving a worst-case instance of another. No efficient quantum algorithms are known against these problems either.
Moreover, lattices have enough underlying algebraic structure which allows building cryptographic primitives (OWFs, Trapdoors, FHEs...) based on these hard problems --- see the survey by Peikert.
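To make the "random instance" of SIS mentioned in the answer above concrete, here is an added example (not part of the original answer) of the Ajtai-style hash f_A(x) = A·x mod q on a uniformly random matrix A, showing that any collision yields a short nonzero vector z with A·z = 0 mod q, which is an SIS solution. The parameters `N`, `M`, `Q` and all function names are assumptions chosen for illustration and are far too small to be secure.

```python
import itertools
import random

# Toy parameters (assumptions for illustration; far too small to be secure).
N, M, Q = 2, 12, 7   # A is N x M over Z_Q; 2^M = 4096 inputs > Q^N = 49 outputs


def random_instance(rng):
    """Sample a uniformly random SIS instance A in Z_Q^{N x M}."""
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]


def ajtai_hash(A, x):
    """f_A(x) = A x mod Q for a binary input vector x."""
    return tuple(sum(a * b for a, b in zip(row, x)) % Q for row in A)


def find_collision(A):
    """Exhaustive search, feasible only because the parameters are toy-sized."""
    seen = {}
    for x in itertools.product((0, 1), repeat=M):
        digest = ajtai_hash(A, x)
        if digest in seen:
            return seen[digest], x
        seen[digest] = x
    raise AssertionError("unreachable: 2^M > Q^N forces a collision")


def sis_solution_from_collision(x1, x2):
    """z = x1 - x2 is nonzero, has entries in {-1, 0, 1}, and A z = 0 mod Q."""
    return [a - b for a, b in zip(x1, x2)]


def is_sis_solution(A, z):
    nonzero = any(z)
    short = all(abs(c) <= 1 for c in z)
    in_kernel = all(sum(a * c for a, c in zip(row, z)) % Q == 0 for row in A)
    return nonzero and short and in_kernel


def demo(seed=2024):
    rng = random.Random(seed)   # constructed instance, fixed seed for repeatability
    A = random_instance(rng)
    x1, x2 = find_collision(A)
    return A, x1, x2, sis_solution_from_collision(x1, x2)


if __name__ == "__main__":
    A, x1, x2, z = demo()
    print("collision:", x1, x2)
    print("SIS solution z:", z, "valid:", is_sis_solution(A, z))
```

At these sizes the pigeonhole collision is found within the first 50 inputs; at cryptographic sizes the same search is infeasible, which is what the average-case hardness assumption asserts.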
See
- 1: stackoverflow
- 2: cs.stackexchange,
- 3: On the possibility of basing Cryptography on the assumption that P!=NP, and
- (before Ajtai) 4: A Personal View of Average-Case Complexity (Impagliazzo 1995).
- 5: Average case complexity (Trevisan, Bogdanov)
It seems that this is an open problem: "if we can base cryptography on $P \neq NP$". Also, as the previous poster wrote, there are some other problems besides lattices, such as multivariate crypto (J. Patarin scheme) and problems based on codes (McEliece cryptosystem).
You might want to take a look at the Post-quantum Cryptography book by Bernstein, Dahmen, and Buchmann. There are more problems used in post-quantum crypto than just lattice problems:
- Security of symmetric primitives,
- problems from coding theory,
- the MQ problem, and quite recently
- problems of isogenies.
Some of the problems are NP-hard (which only refers to the worst-case as mentioned in the other answer), some are not. In any case, even for lattice-based cryptography we actually do not make use of the worst-case hardness in practice. Parameters in practice are never chosen such that the related worst-case instance is actually hard (at least I am not aware of any case).