A Note on the Concrete Hardness of the Shortest Independent Vector in Lattices

Divesh Aggarwal Department of Computer Science and Centre for Quantum Technologies, NUS dcsdiva@nus.edu.sg Eldon Chung Department of Computer Science, NUS eldon.chung@u.nus.edu.sg

Abstract

Blömer and Seifert [9] showed that $\mathsf{SIVP}_{2}$ is NP-hard to approximate by giving a reduction from $\mathsf{CVP}_{2}$ to $\mathsf{SIVP}_{2}$ for constant approximation factors as long as the $\mathsf{CVP}$ instance has a certain property. In order to formally define this requirement on the $\mathsf{CVP}$ instance, we introduce a new computational problem called the Gap Closest Vector Problem with Bounded Minima. We adapt the proof of [9] to show a reduction from the Gap Closest Vector Problem with Bounded Minima to $\mathsf{SIVP}$ for any $\ell_{p}$ norm for some constant approximation factor greater than $1$ .

In a recent result, Bennett, Golovnev and Stephens-Davidowitz [8] showed that under Gap-ETH, there is no $2^{o(n)}$ -time algorithm for approximating $\mathsf{CVP}_{p}$ up to some constant factor $\gamma\geq 1$ for any $1\leq p\leq\infty$ . We observe that the reduction in [8] can be viewed as a reduction from $\mathsf{Gap\text{-}3\text{-}SAT}$ to the Gap Closest Vector Problem with Bounded Minima. This, together with the above mentioned reduction, implies that, under Gap-ETH, there is no randomised $2^{o(n)}$ -time algorithm for approximating $\mathsf{SIVP}_{p}$ up to some constant factor $\gamma\geq 1$ for any $1\leq p\leq\infty$ .

^†^†journal: Journal of LaTeX Templates

1 Introduction

A lattice $\mathcal{L}\subset\mathbb{R}^{d}$ is the set of integer linear combinations

\mathcal{L}:=\mathcal{L}(\mathbf{B})=\{z_{1}\vec{b}_{1}+\cdots+z_{n}\vec{b}_{n}\ :\ z_{i}\in\mathbb{Z}\}

of linearly independent basis vectors $\mathbf{B}=(\vec{b}_{1},\ldots,\vec{b}_{n})\in\mathbb{R}^{d\times n}$ . We call $n$ the rank of the lattice $\mathcal{L}$ and $d$ the dimension or the ambient dimension of the lattice $\mathcal{L}$ .

For $i=1,\ldots,n$ , the $i^{th}$ successive minimum, denoted by $\lambda_{i}(\mathcal{L})$ , is the smallest $\ell$ such that there are $i$ non-zero linearly independent lattice vectors that have length at most $\ell$ .

The Shortest Independent Vector Problem ( $\mathsf{SIVP}$ ) takes as input a basis for a lattice $\mathcal{L}\subset\mathbb{R}^{d}$ and $r>0$ and asks us to decide whether the largest successive minima is at most $r$ , i.e., $\lambda_{n}(\mathcal{L})\leq r$ . Typically, we define length in terms of the $\ell_{p}$ norm for some $1\leq p\leq\infty$ , defined as

\|\vec{x}\|_{p}:=(|x_{1}|^{p}+|x_{2}|^{p}+\cdots+|x_{d}|^{p})^{1/p}

for finite $p$ and

\|\vec{x}\|_{\infty}:=\max|x_{i}|\;.

We will drop the subscript in $\|\vec{x}\|_{p}$ , when $p$ is clear from the context. We write $\mathsf{SIVP}_{p}$ for $\mathsf{SIVP}$ in the $\ell_{p}$ norm (and just $\mathsf{SIVP}$ when we do not wish to specify a norm).

Starting with the breakthrough work of Lenstra, Lenstra, and Lovász in 1982 [19], algorithms for solving lattice problems in both its exact and approximate forms have found innumerable applications, including factoring polynomials over the rationals [19], integer programming [18, 17, 11], cryptanalysis [27, 23, 16, 22], etc. More recently, many cryptographic primitives have been constructed whose security is based on the (worst-case) hardness of $\mathsf{SIVP}$ or closely related lattice problems [5, 26, 14, 24, 25]. In particular, the (worst-case) hardness of $\mathsf{SIVP}$ for $\text{poly}(n)$ approximation factors implies the existence of several fundamental cryptographic primitives like one-way functions, collision-resistant hash functions, etc (see, for example, [12], [4]). Such lattice-based cryptographic constructions are likely to be used on massive scales (e.g., as part of the TLS protocol) in the not-too-distant future [1, 7, 21].

Blömer and Seifert [9] showed that $\mathsf{SIVP}$ is NP-hard to approximate for any constant approximation factor. While their result is shown only for the Euclidean norm, their proofs can easily be extended to arbitrary norms. As is true for many other lattice problems, $\mathsf{SIVP}$ is believed to be hard to approximate up to polynomial factors in $n$ , the rank of the lattice. In particular, the best known algorithms for $\mathsf{SIVP}$ , even for $\text{poly}(n)$ approximation factors run in time exponential in $n$ [2, 3].

However, NP-hardness itself does not exclude the possibility of sub-exponential time algorithms since it merely shows that there does not exist a polynomial time algorithm unless P = NP.

To rule out such algorithms, we typically rely on a fine-grained complexity-theoretic hypothesis — such as the Strong Exponential Time Hypothesis (SETH), the Exponential Time Hypothesis (ETH), or the Gap-Exponential Time Hypothesis (Gap-ETH). These hypotheses were introduced in [15], and are by now quite standard in analyzing the concrete hardness of computational problems.

To that end, a few recent results have shown quantitative hardness for the Closest Vector Problem ( $\mathsf{CVP}_{p}$ ) [8, ABGS19], and the Shortest Vector Problem ( $\mathsf{SVP}_{p}$ ) [6] which are closely related. In particular, assuming SETH, [8, ABGS19] showed that there is no $2^{(1-\varepsilon)n}$ -time algorithm for $\mathsf{CVP}_{p}$ or $\mathsf{SVP}_{\infty}$ for any $\varepsilon>0$ and for $1\leq p\leq\infty$ such that $p$ is not an even integer. Under ETH, [8] showed that there is no $2^{o(n)}$ -time algorithm for $\mathsf{CVP}_{p}$ for any $1\leq p\leq\infty$ . Also, under Gap-ETH, [8] showed that there is no $2^{o(n)}$ -time algorithm for approximating $\mathsf{CVP}_{p}$ up to some constant factor $\gamma\geq 1$ for any $1\leq p\leq\infty$ . Similar, but slightly weaker, results were obtained for $\mathsf{SVP}_{p}$ in [6].

1.1 Our results and techniques.

Blömer and Seifert [9] showed that $\mathsf{SIVP}_{2}$ is NP-hard by giving a reduction from $\mathsf{CVP}_{2}$ to $\mathsf{SIVP}_{2}$ . This reduction can easily be extended to all $\ell_{p}$ norms, and increases the rank of the lattice by $1$ . Thus, combined with the SETH hardness result from [8, ABGS19], it implies the following observation.

Theorem 1.

Under the SETH, there is no $2^{(1-\varepsilon)n}$ -time algorithm for $\mathsf{SIVP}_{p}$ for any $\varepsilon>0$ and for all $p\geq 1$ such that $p$ is not an even integer.

A closer look at their reduction reveals that it cannot be extended to showing NP-hardness of approximate $\mathsf{SIVP}$ directly (even though $\mathsf{CVP}$ is known to be NP-hard for almost polynomial approximation factors). The reason for this is that for the lattice $\mathcal{L}$ , when given as a part of a $\mathsf{CVP}$ instance, $\lambda_{n}(\mathcal{L})$ might be much larger than the distance of the target from the lattice, in which case, an oracle for approximating $\mathsf{SIVP}$ up to a constant factor, does not tell anything about the distance of the target from the lattice.

To overcome this difficulty, it was shown in [9] that the $\mathsf{CVP}$ instance obtained from a reduction from the minimum label cover problem has a guarantee that for the CVP instance $(\mathcal{L},\mathbf{t})$ , $\lambda_{n}(\mathcal{L})$ is “not much larger” than the distance of $\mathbf{t}$ from $\mathcal{L}$ .

We introduce a new computational problem called the Gap Closest Vector Problem with Bounded Minima ( $\mathsf{GapCVP}^{\tau}$ ), which captures the above mentioned requirement on the CVP instance that $\lambda_{n}(\mathcal{L})$ has an upper bound depending on the parameter $\tau$ . We observe that the reduction from $\mathsf{Gap\text{-}3\text{-}SAT}$ to $\mathsf{GapCVP}$ in [8] (which implies hardness of $\mathsf{GapCVP}$ ) is actually a reduction from $\mathsf{Gap\text{-}3\text{-}SAT}$ to $\mathsf{GapCVP}^{\tau}$ for an appropriate choice of $\tau$ . We then show a reduction similar to [9] from $\mathsf{GapCVP}^{\tau}$ to $\mathsf{SIVP}$ , which implies the following result.

Theorem 2.

Under the (randomised) Gap Exponential Time Hypothesis, for any $p\geq 1$ , there exists $\gamma^{\prime}>1$ , $\varepsilon>0$ such that $\gamma^{\prime}$ - $\mathsf{SIVP}_{p}$ with rank $n$ is not solvable in $2^{\varepsilon n}$ time.

2 Preliminaries

2.1 Lattices

Let $\mathbb{R}^{n}$ be a real vector space, with an $\ell_{p}$ -norm on the vectors such that $\vec{v}\in\mathbb{R}^{n},\left\lVert\vec{v}\right\rVert_{p}^{p}:=\sum_{i=1}^{n}|\vec{v}_{i}|^{p}$ .

A lattice $\mathcal{L}\subset\mathbb{R}^{d}$ is the set of integer linear combinations

\mathcal{L}:=\mathcal{L}(\mathbf{B})=\{z_{1}\vec{b}_{1}+\cdots+z_{n}\vec{b}_{n}\ :\ z_{i}\in\mathbb{Z}\}

of linearly independent basis vectors $\mathbf{B}=(\vec{b}_{1},\ldots,\vec{b}_{n})\in\mathbb{R}^{d\times n}$ . We call $\mathbf{B}$ a basis of the lattice $\mathcal{L}$ , $n$ the rank of the lattice, and $d$ the dimension of the lattice $\mathcal{L}$ . If $n=d$ , then we say that the lattice is full-rank.

Since we wish to have inputs of bounded size, we assume that the coordinates of lattice vectors are rational numbers. Moreover, by appropriately scaling the lattice, we assume without loss of generality, that a $d$ -dimensional lattice $\mathcal{L}$ is generated by basis vectors from $\mathbb{Z}^{d}$ .

2.2 Successive Minima

For a lattice $\mathcal{L}$ of rank $n$ , for $1\leq i\leq n$ , we denote by $\lambda_{i}^{(p)}(\mathcal{L})$ the $i^{th}$ successive minimum which is the smallest $\ell$ such that there are $i$ linearly independent lattice vectors that have $\ell_{p}$ norm at most $\ell$ . More formally,

\lambda_{i}^{(p)}(\mathcal{L}):=\min\{r\ :\ \dim\left(\text{span}(\{\vec{y}\in\mathcal{L}\ :\ \|\vec{y}\|_{p}\leq r\})\right)\geq i\}\;.

We omit the superscript in $\lambda_{i}^{(p)}$ , when the norm is clear from the context.

Minkowski’s second theorem states the following with regards to the successive minima:

Theorem 3.

For any $p\geq 1$ , and for any full-rank lattice $\mathcal{L}$ we have that

\left(\prod_{i=1}^{n}\lambda_{i}(\mathcal{L})\right)^{\frac{1}{n}}\leq n^{\frac{1}{p}}(det(\mathcal{L}))^{\frac{1}{n}}

2.3 Computational problems

Gap-Closest Vector Problem ( $\gamma$ - $\mathsf{GapCVP}_{p}$ ): Given a lattice $\mathcal{L}$ , a target vector $\vec{t}\in\mathbb{Z}^{n}$ (which may or may not be in the lattice) and a value $r>0$ , output YES if there exists a vector $\vec{v}$ in the lattice such that $\left\lVert\vec{v}-\vec{t}\ \right\rVert_{p}\leq r$ (i.e. the closest vector in the lattice to the vector $\vec{t}$ has a distance less than $r$ to the target), and output NO if all the vectors in the lattice have distance greater than $\gamma\cdot r$ to the target.

Gap-Closest Vector Problem with Bounded Minima ( $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ ): Given a lattice $\mathcal{L}$ , a target vector $\vec{t}\in\mathbb{Z}^{n}$ (which may or may not be in the lattice) with the added guarantee that $\lambda_{n}(\mathcal{L})^{p}\leq\tau r^{p}$ , and a value $r$ output YES if there exists a vector $\vec{v}$ in the lattice such that $\left\lVert\vec{v}-\vec{t}\ \right\rVert_{p}\leq r$ (i.e. the closest vector in the lattice to the vector $\vec{t}$ has a distance less than $r$ to the target), and output NO if all the vectors in the lattice have distance greater than $\gamma\cdot r$ to the target.

Gap-Shortest Independent Vector Problem ( $\gamma$ - $\mathsf{SIVP}_{p}$ ): Given a lattice $\mathcal{L}$ , and value $r$ , output YES if there exists a set of linearly independent vectors $\{\vec{v}_{1},\vec{v}_{2},...,\vec{v}_{n}\}$ that are in $\mathcal{L}$ such that $\max_{i=1}^{n}\|\vec{v}_{i}\|_{p}\leq r$ , and output NO if for all such sets, $\max_{i=1}^{n}\|\vec{v}_{i}\|_{p}>\gamma r$ .

If we want to talk about the exact variant of these problems (i.e., $\gamma=1$ ), then we will omit the prefix $\gamma$ .

$\mathsf{k\text{-}SAT}$ : Given a boolean formula in conjunctive normal form over $n$ variables, i.e. as a conjunction of $m$ clauses where each clause is a disjunction of $k$ literals, decide if there is an assignment of the $n$ variables such that the boolean formula evaluates to true.

$(\delta,\>\varepsilon)$ - $\mathsf{Gap\text{-}k\text{-}SAT}$ : Given a boolean formula in conjunctive normal form with each clause having $k$ literals, and two parameters $0\leq\delta<\varepsilon\leq 1$ , output YES if there exists an assignment such that it satisfies at least $\varepsilon$ fraction of the clauses, and output NO if no assignment satisfies more than $\delta$ fraction of the clauses. For convenience at times the ( $\delta$ , $\varepsilon$ )-prefix may be omitted when it is clear from the context.

2.4 ETH, SETH and Gap-ETH-hardness

The following hypotheses were introduced in [15], and will be the basis of our hardness results.

Definition 1 (Exponential Time Hypothesis).

The Exponential Time Hypothesis (ETH) states that for every $k\geq 3$ there exists a constant $\varepsilon>0$ such that no algorithm solves $\mathsf{k\text{-}SAT}$ with $n$ variables in $2^{\varepsilon n}$ time.

Definition 2 (Strong Exponential Time Hypothesis).

The Strong Exponential Time Hypothesis (SETH) states that for all $\varepsilon>0$ , there exists a $k\geq 3$ such that no algorithm solves $\mathsf{k\text{-}SAT}$ with $n$ variables in $2^{(1-\varepsilon)n}$ time.

Additionally, [10] and [20] introduced a “gap” version of ETH. The following formulation is from [8].

Definition 3 (Gap Exponential Time Hypothesis).

There exist constants $\delta<1$ and $\varepsilon>0$ such that no algorithm solves $(\delta,1)$ - $\mathsf{Gap\text{-}3\text{-}SAT}$ with $n$ variables in $2^{\varepsilon n}$ time.

2.5 Gap-ETH-hardness of $(\delta,\varepsilon)$ - $\mathsf{Gap\text{-}2\text{-}SAT}$

Theorem 4 ([13]).

$\forall\delta,\varepsilon$ such that $0\leq\delta<\varepsilon\leq 1$ , there exists a a polynomial time reduction from $(\delta,\varepsilon)$ - $\mathsf{Gap\text{-}3\text{-}SAT}$ with $n$ variables and $m$ clauses to an instance of $(\frac{6+\delta}{10}$ , $\frac{6+\varepsilon}{10})$ - $\mathsf{Gap\text{-}2\text{-}SAT}$ , with $n+m$ variables and $10m$ clauses.

Additionally, Bennett et al. used Dinur’s result in [10] to derive the following result:

Theorem 5 ([8]).

$\forall\delta,\delta^{\prime}$ such that $0<\delta<\delta^{\prime}<1$ , there is a polynomial time-randomised reduction from a $(\delta,1)$ - $\mathsf{Gap\text{-}k\text{-}SAT}$ with $n$ variables and $m$ clauses, to instances of $(\delta^{\prime},1)$ - $\mathsf{Gap\text{-}k\text{-}SAT}$ with $n$ variables and $O(n)$ clauses.

This implies it is almost always possible to reduce the number of clauses in $(\delta,1)$ - $\mathsf{Gap\text{-}k\text{-}SAT}$ instances so that reductions that run linear in $m$ may also be considered linear in $n$ , so that Gap-ETH may still apply. However, since the reduction is randomised, existence of sub-exponential time algorithms that solve the resulting instances only imply the existence of randomised sub-exponential time algorithms for $(\delta,1)$ - $\mathsf{Gap\text{-}k\text{-}SAT}$ in the general case (i.e. when $m=\omega(n))$ .

3 Gap-ETH-hardness of approximating CVP_p with Bounded Minima

In the following, we show that the reduction from [8] is in fact a reduction from $\mathsf{Gap\text{-}2\text{-}SAT}$ to $\mathsf{GapCVP}_{p}^{\tau}$ .

Theorem 6 ([8]).

There exists a reduction from $(\delta,\varepsilon)$ - $\mathsf{Gap\text{-}2\text{-}SAT}$ with $n$ variables and $m$ clauses to $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ for any $p$ -norm, so that the rank of the lattice in the resulting instance is the same as the number of variables in the original instance,

\displaystyle\gamma=\left(\frac{\delta+(1-\delta)3^{p}}{\varepsilon+(1-\varepsilon)3^{p}}\right)^{\frac{1}{p}}\;,

and

\displaystyle\tau=\frac{2^{p}}{\varepsilon+(1-\varepsilon)3^{p}}

Proof.

We will provide their construction of the $\gamma$ - $\mathsf{GapCVP}$ instance, and show that it is actually a $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ instance. The target vector $\vec{t}$ was defined as:

\displaystyle t_{i}

\displaystyle=3-\eta_{i}

where $\eta_{i}$ denotes the number of negated literals in the $i^{th}$ clause, the distance $r$ was defined as $m^{\frac{1}{p}}(\varepsilon+(1-\varepsilon)3^{p})^{\frac{1}{p}}$ , and the set of basis (column) vectors $\{\vec{b}_{1},\vec{b}_{2},\dots,\vec{b}_{n}\}$ was defined as follows.

\displaystyle b_{i,j}

\displaystyle=\begin{cases}\ 2&\text{if }C_{i}\text{ contains }x_{j}\\ -2&\text{if }C_{i}\text{ contains }\neg x_{j}\\ \ 0&\text{otherwise}\end{cases}

Notice that here, $\vec{b}_{j}$ for $1\leq j\leq n$ is the column vector with $m$ co-ordinates $b_{1,j},\ldots,b_{m,j}$ .

In order to prove correctness, we need to show that the resulting instance is indeed an instance of $\mathsf{GapCVP}_{p}^{\tau}$ . For this, we bound $\lambda_{n}^{p}(\mathcal{L})$ . Clearly,

\lambda_{n}^{p}(\mathcal{L})\leq\max_{j=1^{n}}\|\vec{b}_{j}\|^{p}\leq 2^{p}m\;,

where we use the fact that each co-ordinate of a basis vector is either $0$ , $2$ , or $-2$ , and hence has absolute value at most $2$ . Thus,

\frac{\lambda_{n}^{p}(\mathcal{L})}{r^{p}}\leq\tau\;.

∎

4 Gap-ETH-hardness of approximating SIVP_p within a constant factor

We now present our main contribution, that is showing hardness of approximating $\gamma$ - $\mathsf{SIVP}_{p}$ within a constant factor $\gamma$ .

Theorem 7.

For any $p\geq 1$ , $\tau=\tau(n)>0$ with a polynomial size representation, and any $\gamma\geq 1$ , there exists an efficient reduction from $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ to $\gamma^{\prime}$ - $\mathsf{GapSIVP}_{p}$ for any $\gamma^{\prime}\geq 1$ such that

{\gamma^{\prime}}^{p}<\frac{r^{p}+\gamma^{p}\alpha^{p}}{r^{p}+\alpha^{p}}\;,

where

\alpha^{p}=\max\left(r^{p}(\tau-1)\>,\>\frac{\gamma^{p}r^{p}}{2^{p}-1}\right)\;.

Moreover, the rank of the lattice in the $\gamma^{\prime}$ - $\mathsf{GapSIVP}_{p}$ instance is equal to $n+1$ where $n$ is the rank $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ instance.

Proof.

Let $(\mathcal{L},\vec{t},r)$ denote the given $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ instance, where $\mathcal{L}$ is a rank $n$ lattice and $\vec{b}_{1},\vec{b}_{2},\ldots,\vec{b}_{n}$ are the basis vectors for $\mathcal{L}$ . We will construct a $\gamma^{\prime}$ - $\mathsf{SIVP}_{p}$ instance $(\mathcal{L}^{\prime},r^{\prime})$ . Let $\lambda_{n}=\lambda_{n}(\mathcal{L})$ , and $\lambda_{n+1}^{\prime}=\lambda_{n+1}^{\prime}(\mathcal{L}^{\prime})$ .

Given a basis for the $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ instance as $\vec{b}_{1},\vec{b}_{2},\dots,\vec{b}_{n}$ and the target vector $\vec{t}$ , the reduction constructs the basis $B^{\prime}$ for $\mathcal{L}^{\prime}$ given by the column vectors of the matrix

\displaystyle\begin{bmatrix}\vec{b}_{1}&\vec{b}_{2}&\ldots&\vec{b}_{n}&\vec{t}\\ 0&0&\ldots&0&\alpha\\ \end{bmatrix}\;.

Furthermore, the reduction chooses $r^{\prime}=(r^{p}+\alpha^{p})^{1/p}$ . This reduction clearly runs in polynomial time, provided that $\alpha$ does not need too many bits to be represented – polynomial in the size of the original instance. We now argue correctness of the reduction.

Let $\vec{v}$ be the vector closest to the target $\vec{t}$ , and let $\vec{v}_{1},\ldots,\vec{v}_{n}$ be a set of linearly independent vectors in $\mathcal{L}$ such that

\lambda_{n}=\max(\|\vec{v}_{1}\|,\ldots,\|\vec{v}_{n}\|)\;.

Notice that $\vec{v}_{1},\ldots,\vec{vv}_{n},(\vec{v}-\vec{t},\alpha)^{T}$ is a set of linearly independent vectors in $\mathcal{L}^{\prime}$ . Thus, if the $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ instance is a YES instance, then

\lambda_{n+1}^{\prime}\leq\max(\|\vec{v}_{1}\|,\ldots,\|\vec{v}_{n}\|,\|\vec{v}-\vec{t}\|)\leq\max(\lambda_{n},(r^{p}+\alpha^{p})^{1/p})\;.

Also, any set of linearly independent vectors must have at least one vector which, when written as an integer combination of vectors in $B^{\prime}$ , has a non-zero co-efficient for the last basis vector $(\vec{t},\alpha)^{T}$ . Let this vector be $\vec{x}$ . So, if the $\gamma$ - $\mathsf{GapCVP}_{p}^{\tau}$ instance is a NO instance, then if the coefficient of $(\vec{t},\alpha)^{T}$ in $\vec{x}$ is $1$ or $-1$ , then the length of the vector is at least $(\gamma^{p}\cdot r^{p}+\alpha^{p})^{1/p}$ , and if the coefficient has absolute value at least $2$ , then the $n+1$ -th coordinate, and hence $\|\vec{x}\|$ , is at least $2\alpha$ .

From this, we obtain that if the given instance is a YES instance, then

\lambda_{n+1}^{\prime p}\leq\max(r^{p}\cdot\tau,\;r^{p}+\alpha^{p})=r^{p}+\alpha^{p}\;,

and hence the reduction outputs YES. If the given instance is a NO instance, then

\lambda_{n+1}^{\prime p}\geq\min(\gamma^{p}r^{p}+\alpha^{p},\;2^{p}\alpha^{p})=\gamma^{p}r^{p}+\alpha^{p}\;,

and hence the reduction outputs NO. The correctness follows.

∎

Theorem 8.

Under the randomised Gap Exponential Time Hypothesis, there exists $\gamma^{\prime}>1$ , $\varepsilon>0$ such that $\gamma^{\prime}$ - $\mathsf{GapSIVP}_{p}$ with rank $n$ is not solvable in $2^{\varepsilon n}$ time.

Proof.

This can be achieved by considering the instances throughout the chain of reductions from $(\delta,\varepsilon)$ - $\mathsf{Gap\text{-}3\text{-}SAT}$ to $(\delta^{\prime},\varepsilon^{\prime})$ - $\mathsf{Gap\text{-}2\text{-}SAT}$ to $\gamma$ - $\mathsf{GapCVP}^{\tau}_{p}$ and finally $\gamma^{\prime}$ - $\mathsf{GapSIVP}_{p}$ .

In the original $(\delta,\varepsilon)$ - $\mathsf{Gap\text{-}3\text{-}SAT}$ instance with $n$ variables and $m$ clauses, we obtain a $\gamma^{\prime}$ - $\mathsf{GapSIVP}_{p}$ with rank $n+m+1$ with high probability. Thus under the randomised Gap-ETH, there is no sub-exponential time algorithm for $\gamma^{\prime}$ - $\mathsf{GapSIVP}_{p}$ , for all $p\in[1,\infty)$ .

∎

References

ADPS [16] Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum key exchange — A new hope. In USENIX Security Symposium, 2016.
ADRS [15] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. Solving the Shortest Vector Problem in $2^{n}$ time via discrete Gaussian sampling. In STOC, 2015.
ADS [15] Divesh Aggarwal, Daniel Dadush, and Noah Stephens-Davidowitz. Solving the Closest Vector Problem in $2^{n}$ time— The discrete Gaussian strikes again! In FOCS, 2015.
Ajt [98] Miklos Ajtai. Worst-case complexity, average-case complexity and lattice problems. 1998.
Ajt [04] Miklós Ajtai. Generating hard instances of lattice problems. In Complexity of computations and proofs, volume 13 of Quad. Mat., pages 1–32. Dept. Math., Seconda Univ. Napoli, Caserta, 2004. Preliminary version in STOC’96.
AS [18] Divesh Aggarwal and Noah Stephens-Davidowitz. (gap/s) eth hardness of svp. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, pages 228–238. ACM, 2018.
BCD⁺ [16] Joppe W. Bos, Craig Costello, Léo Ducas, Ilya Mironov, Michael Naehrig, Valeria Nikolaenko, Ananth Raghunathan, and Douglas Stebila. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. In CCS, 2016.
BGS [17] Huck Bennett, Alexander Golovnev, and Noah Stephens-Davidowitz. On the quantitative hardness of CVP. In FOCS, 2017.
BS [99] Johannes Blömer and Jean-Pierre Seifert. On the complexity of computing short linearly independent vectors and short bases in a lattice. In Proceedings of the Thirty-first Annual ACM Symposium on Theory of Computing, STOC ’99, pages 711–720, New York, NY, USA, 1999. ACM.
Din [16] Irit Dinur. Mildly exponential reduction from gap 3sat to polynomial-gap label-cover. Electronic Colloquium on Computational Complexity (ECCC), 23:128, 2016.
DPV [11] Daniel Dadush, Chris Peikert, and Santosh Vempala. Enumerative lattice algorithms in any norm via M-ellipsoid coverings. In FOCS, 2011.
GGH [96] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Collision-free hashing from lattice problems. IACR Cryptology ePrint Archive, 1996:9, 1996.
GJS [76] M.R. Garey, D.S. Johnson, and L. Stockmeyer. Some simplified np-complete graph problems. Theoretical Computer Science, 1(3):237 – 267, 1976.
GPV [08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, 2008.
IP [01] Russell Impagliazzo and Ramamohan Paturi. On the complexity of k-sat. Journal of Computer and System Sciences, 62(2):367 – 375, 2001.
JS [98] Antoine Joux and Jacques Stern. Lattice reduction: A toolbox for the cryptanalyst. Journal of Cryptology, 11(3):161–185, 1998.
Kan [87] Ravi Kannan. Minkowski’s convex body theorem and integer programming. Math. Oper. Res., 12(3):415–440, 1987.
Len [83] H. W. Lenstra, Jr. Integer programming with a fixed number of variables. Math. Oper. Res., 8(4):538–548, 1983.
LLL [82] A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261(4):515–534, 1982.
MR [17] Pasin Manurangsi and Prasad Raghavendra. A Birthday Repetition Theorem and Complexity of Approximating Dense CSPs. 80:78:1–78:15, 2017.
[21] NIST post-quantum standardization call for proposals.
NS [01] Phong Q Nguyen and Jacques Stern. The two faces of lattices in cryptology. In Cryptography and lattices, pages 146–180. Springer, 2001.
Odl [90] Andrew M Odlyzko. The rise and fall of knapsack cryptosystems. Cryptology and computational number theory, 42:75–88, 1990.
Pei [10] Chris Peikert. An efficient and parallel Gaussian sampler for lattices. In CRYPTO. 2010.
Pei [16] Chris Peikert. A decade of lattice cryptography. Foundations and Trends in Theoretical Computer Science, 10(4):283–424, 2016.
Reg [09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6):Art. 34, 40, 2009.
Sha [84] Adi Shamir. A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem. IEEE Trans. Inform. Theory, 30(5):699–704, 1984.

A Note on the Concrete Hardness of the Shortest Independent Vector in Lattices

Abstract

1 Introduction

1.1 Our results and techniques.

Theorem 1.

Theorem 2.

2 Preliminaries

2.1 Lattices

2.2 Successive Minima

Theorem 3.

2.3 Computational problems

2.4 ETH, SETH and Gap-ETH-hardness

Definition 1 (Exponential Time Hypothesis).

Definition 2 (Strong Exponential Time Hypothesis).

Definition 3 (Gap Exponential Time Hypothesis).

2.5 Gap-ETH-hardness of (δ,ε)(\delta,\varepsilon)-𝖦𝖺𝗉​-​𝟤​-​𝖲𝖠𝖳\mathsf{Gap\text{-}2\text{-}SAT}

Theorem 4 ([13]).

Theorem 5 ([8]).

3 Gap-ETH-hardness of approximating CVPp with Bounded Minima

Theorem 6 ([8]).

Proof.

4 Gap-ETH-hardness of approximating SIVPp within a constant factor

Theorem 7.

Proof.

Theorem 8.

Proof.

References

2.5 Gap-ETH-hardness of $(\delta,\varepsilon)$ - $\mathsf{Gap\text{-}2\text{-}SAT}$

3 Gap-ETH-hardness of approximating CVP_p with Bounded Minima

4 Gap-ETH-hardness of approximating SIVP_p within a constant factor